Published Last updated
Harbor

How Harbor handles credentials, runs, and audit.

Harbor brokers an AI agent’s access to your connected services. Here is what is in place today, what we are working on, and what is on the roadmap.

Last updated

Security posture

Three layers, all repo-verifiable. Identity at the edge, isolation at the runtime, audit at rest.

Identity & auth

  • Enterprise SSO sign-in.
  • OAuth 2.1 + PKCE on https://mcp.tryharbor.ai/mcp.
  • Workspace tenancy — every credential, OAuth grant, run, trace, and orbit primitive bound to workspace_id.
  • Per-tool authorization. OAuth is the floor, not the ceiling.

Execution isolation

  • Sandbox isolates run hrbr exec on Cloudflare codemode, separate from the API worker.
  • Submitted code has no ambient access to provider tokens.
  • Secrets encrypted at rest in Cloudflare KV / Secrets Store under SECRETS_ENCRYPTION_KEY; decrypted in-memory only when a tool call needs them.
  • Edge: HSTS preload, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Cloudflare WAF, L3/L7 DDoS.

Audit & data

  • Every hrbr exec, function invocation, and app request recorded as a run in D1.
  • Spans for tool calls, sandbox I/O, plugin dispatch, and orbit access.
  • Workspace audit log queryable via /dashboard/traces.
  • PII scrubbing on the web tier.
  • Harbor does not train AI models on customer workspace data.

Compliance status

Honest reporting, refreshed when posture changes. We will not claim a control we have not shipped.

Available now

  • OAuth 2.1 + PKCE for inbound MCP clients (mcp.tryharbor.ai)
  • Workspace-scoped audit log
  • Per-tool grants for outbound MCP server calls
  • Encrypted secret storage (Cloudflare Secrets Store)
  • PII scrubbing

In progress

  • SOC 2 Type I (target Q3 2026)
  • Penetration testing program
  • Customer-managed encryption keys

Roadmap

  • SOC 2 Type II
  • HIPAA / BAA support
  • Configurable data residency (EU/US)
  • Bring-your-own-cloud deploy

Vulnerability disclosure

Found something? We want to hear from you before anyone else does. Reports go straight to the security inbox, monitored by the team.

Email founders@zonko.aiPGP key available on request.