File Security Policy

Project files are private by default and should never be stored as public marketing assets.

File download routes require authentication and server-side authorization before file metadata or download links are returned.

Clients can access their own project files. Engineers can access only their own certificates and authorized project files. Admins can review file metadata for platform operations.

Future storage integrations should use private objects and short-lived signed URLs for downloads.