BrushPass

Security

Security Model

BrushPass is designed around disposable infrastructure, controlled AI access, and reviewable evidence. This page summarizes the current model and planned hardening work.

Ephemeral Workspaces

Sessions run on disposable Ubuntu workspaces with automatic teardown. Workspaces are treated as untrusted execution environments and should not store durable customer data.

BYOK AI Proxy

AI traffic flows through BrushPass proxy tokens. Provider keys are encrypted at rest and are not written to candidate workspaces. Proxy tokens are intended to be disposable, scoped to sessions, and revocable on teardown.

Candidate Access

Candidates receive limited workspace access for the duration of the session. Candidate private keys, SSH commands, and portal links are session-specific and should be treated as sensitive.

Telemetry

BrushPass captures terminal events, AI events, file snapshots, runtime state, git changes, and review artifacts so reviewers can inspect what happened without sharing raw infrastructure credentials.

Secrets

BrushPass is designed so real AI provider keys remain in the control plane, not on candidate servers. Customers should avoid seeding production secrets into tasks. Artifact redaction and exclusion defaults are part of the hardening roadmap.

Seeded Repositories

Public Git seeds are copied into workspaces without upstream credentials. Private repository support will use short-lived installation tokens and avoid persisting repo credentials on candidate servers.

Network And Teardown

Workspaces should be provisioned with narrowly scoped inbound access, explicit teardown jobs, token revocation, and budget enforcement. Reviewers should use BrushPass artifacts instead of reusing candidate credentials where possible.

Future Controls

Planned controls include stronger artifact redaction, organization retention settings, tighter provider firewall policy, per-session token binding, more detailed audit logs, reviewer access workflows, and configurable evidence retention.

Reporting Security Issues

If you believe you found a vulnerability, email [email protected] with enough detail to reproduce and triage the issue. Do not access customer data or disrupt active sessions while testing.