Security posture

EdgeShift is designed to reduce production risk while increasing delivery speed.

Core principles

• PR-only delivery: every change is a PR with a preview URL; nothing auto-merges.
• Least privilege: credentials and tokens are scoped to the minimum required.
• No secrets in agent runtime: automation/agents do not receive production secrets.
• Untrusted input: WordPress HTML/content is treated as untrusted and sanitized.
• Audit trail: issues → PRs → previews → approvals are traceable.

What agents can and cannot do

Agents can:

• Draft changes
• Open PRs
• Run tests/checks

Agents cannot:

• Access production secrets
• Merge to main
• Deploy directly

Data retention

• Keep only artifacts required to operate the pipeline and support audits.
• Purge raw exports on a defined schedule.
• Customer content stays in customer-owned repos and infrastructure whenever possible.

Production approvals

• Protected branches + required CI checks + CODEOWNERS reviews
• Human approval required for merges and production changes