Security

Automation must remain accountable.

DRAX defaults to dry-run, explicit approvals, least-privilege platform tokens, source allowlists, reproducible assets, and a permanent manual fallback.

01 No silent publishing

Live posting requires an approval record; without one, DRAX stays in dry-run. Paid spend is out of scope for v1.0.0.

02 Official APIs first

Official platform APIs are the primary integration path. Playwright browser automation is a controlled, experimental adapter and is never the only path to a platform.

03 Secrets stay outside content

Credentials are scoped to the minimum access needed, kept out of version control, rotated, and excluded from prompts, generated artifacts, and logs.

Verification baseline

Incremental assurance, not compliance theater.

The initial target is a hosted surface aligned with OWASP Application Security Verification Standard (ASVS) Level 1 and a package process aligned with OWASP Software Component Verification Standard (SCVS) Level 1, with higher-level controls activated as sensitive integrations enter production.

Report a security issue

Send a concise report to einstenrodrigues.dev@gmail.com. Do not include active credentials or personal data.