Security
Security model for agent guardrails.
Availsync is built around scoped agent identities, one-time API keys, metadata-only runtime logging, and explicit observe/enforce modes.
Agent API keys
Agent API keys are one-time runtime secrets. Availsync shows the raw key only after creation or rotation, then stores only hashed verification material. Store keys in MCP, CI, server, or automation environment variables, not in prompts, repos, or browser-visible code.
Runtime activity data
Activity logs are metadata-first: endpoint/tool name, status, latency, agent, client name, error code, and optional reported token usage. Availsync does not store raw API keys, auth headers, cookies, passwords, or full request bodies by default.
GitHub integration
The GitHub repo integration stores OAuth tokens encrypted at rest and uses them to read repository, pull request, issue, and branch metadata. It does not write to repositories. Classic GitHub OAuth Apps require broad repo scope for private repository access, so the dashboard explains that before connection.
Observe vs enforce
Observe mode lets a pilot run without blocking downstream work. It creates no active lease and records what Availsync would have blocked. Enforce mode creates real work claims and returns skip_run when another active claim owns the same repo or project.
Work claims
Work claims are scoped to org, resource type, and resource key. Repo-level resources are the safest default. Project-level resources allow parallel work only when streams are independent.
What Availsync does not claim yet
Availsync does not yet provide SOC 2 certification, automatic dependency inference between separate resources, hosted calendar-provider sync, or enterprise audit exports. These are roadmap items, not current guarantees.
To report a security issue, use Contact support from the dashboard, or open a support ticket and mark it as security-related. Do not include API keys in the first message.