Credentials never leave the gateway
No DB URL on a laptop, ever. No tool returns one. No log line contains one. Not in errors, not in admin endpoints.
Identity, end-to-end
Every query traces SSO user โ group โ grant โ audit row. OIDC drives who, YAML drives what, audit records both.
Config-as-code
Permissions live in YAML, reviewed by PR. No in-band admin UI โ every grant change is a diff, an approver, a commit.