SUMit

by The American Spreadsheet Company

Security

Practical security notes for the current product.

This page avoids unsupported compliance and enterprise identity claims. It describes current practices and areas to keep auditing as SUMit grows.

  • Updated May 15, 2026
  • Session cookies
  • Tenant context
  • Server-only secrets

Current practices

Security starts with clear boundaries.

The codebase uses server-side auth validation, tenant-aware data patterns, environment separation, and deployment runbooks that call out backup responsibilities.

Session authentication

SUMit uses session-cookie authentication validated on the server against the database.

Tenant-aware data access

Server code should apply tenant context to protect workspace data boundaries.
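The two practices above, server-side session validation and tenant-scoped data access, fit together in one request path. The following is an added example, not SUMit's own code: an in-memory map stands in for the sessions table, the cookie name `sumit_session`, the row shapes and the sample rows are all constructed, and the handler returns a status and body instead of writing to a framework response so it can be exercised directly.

```javascript
// Added example (not SUMit's own code): server-side session validation
// with tenant context, in the shape a server hook or endpoint would use.
// The cookie name, table layouts and sample rows are assumptions.

const SESSION_COOKIE = 'sumit_session'; // assumed cookie name

// Constructed in-memory stand-in for the sessions table in the database.
const sessionsTable = new Map([
  ['sess-valid-1', { userId: 'u-1', tenantId: 't-acme', expiresAt: 2000000 }],
  ['sess-expired', { userId: 'u-2', tenantId: 't-acme', expiresAt: 500 }],
]);

// Constructed workspace rows; every row records the tenant that owns it.
const sheetsTable = [
  { id: 's-1', tenantId: 't-acme', name: 'Q1 budget' },
  { id: 's-2', tenantId: 't-other', name: 'Payroll' },
  { id: 's-3', tenantId: 't-acme', name: 'Forecast' },
];

// Parse a Cookie header into a plain object. Minimal on purpose.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Validate the session cookie against the store on the server. A cookie
// being present proves nothing by itself: the id must resolve to a live,
// unexpired row. Returns the tenant-scoped context or null.
function validateSession(cookieHeader, store, nowMs) {
  const sid = parseCookies(cookieHeader)[SESSION_COOKIE];
  if (!sid) return null;
  const row = store.get(sid);
  if (!row) return null;
  if (row.expiresAt <= nowMs) {
    store.delete(sid); // drop the expired session so it cannot be retried
    return null;
  }
  return { userId: row.userId, tenantId: row.tenantId };
}

// Every workspace query goes through a helper like this so the tenant
// filter cannot be forgotten; it refuses to run without a tenant context.
function listSheets(ctx, rows) {
  if (!ctx || !ctx.tenantId) throw new Error('tenant context required');
  return rows.filter((r) => r.tenantId === ctx.tenantId);
}

// Request handler composing both checks: unauthenticated callers get 401
// and never reach the data layer; authenticated callers only see their tenant.
function handleListSheets(cookieHeader, nowMs = Date.now()) {
  const ctx = validateSession(cookieHeader, sessionsTable, nowMs);
  if (!ctx) return { status: 401, body: [] };
  return { status: 200, body: listSheets(ctx, sheetsTable).map((r) => r.id) };
}
```

The point worth checking in review is that `listSheets` throws rather than returning all rows when the context is missing: a forgotten filter should fail loudly instead of silently widening the query across workspaces.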

Environment separation

Private secrets stay in server-only environment variables; public values use SvelteKit public env patterns.
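SvelteKit makes the split above mechanical: only variables whose names start with `PUBLIC_` (the framework's default public prefix) are exposed through its public env modules, everything else stays server-only. The following is an added example, not SUMit's own code, showing the same partition together with a check that no private value ends up in data bound for the browser. The environment values are constructed, and `buildClientData` is a hypothetical stand-in for a page load function.

```javascript
// Added example (not SUMit's own code): models SvelteKit's private/public
// env split (PUBLIC_ prefix is the framework default) and adds a leak check
// for client-bound data. All environment values here are constructed.

const PUBLIC_PREFIX = 'PUBLIC_';

// Constructed environment, standing in for process.env on the server.
const sampleEnv = {
  DATABASE_URL: 'file:./data/example.sqlite',
  SESSION_SECRET: 'constructed-secret-value-do-not-ship',
  PUBLIC_APP_NAME: 'SUMit',
  PUBLIC_SUPPORT_EMAIL: 'support@example.invalid',
};

// Partition variables by prefix, as the framework does at build time.
function splitEnv(env, prefix = PUBLIC_PREFIX) {
  const pub = {};
  const priv = {};
  for (const [k, v] of Object.entries(env)) {
    (k.startsWith(prefix) ? pub : priv)[k] = v;
  }
  return { public: pub, private: priv };
}

// Serialize anything bound for the client (page data, JSON responses) and
// report the names of private variables whose values appear inside it.
// Matching on value rather than key catches a secret copied under a new name.
function findPrivateLeaks(clientPayload, privateEnv) {
  const serialized = JSON.stringify(clientPayload);
  return Object.entries(privateEnv)
    .filter(([, v]) => typeof v === 'string' && v.length > 0 && serialized.includes(v))
    .map(([k]) => k);
}

// Hypothetical page-load equivalent: builds client data from the public
// half only, and returns any leak names so a test can fail on them.
function buildClientData(env) {
  const { public: pub, private: priv } = splitEnv(env);
  const data = { appName: pub.PUBLIC_APP_NAME, support: pub.PUBLIC_SUPPORT_EMAIL };
  return { data, leaks: findPrivateLeaks(data, priv) };
}
```

A test that runs `findPrivateLeaks` over each server load function's output is a cheap guard against the common mistake of spreading a whole config object into page data.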

Operational backups

The current SQLite-backed deployment model requires disciplined backups; a future Postgres path is planned for higher concurrency.

Have a security concern?

Send enough detail for investigation, including the affected route, account context, and reproduction steps if possible.