Authentication and API keys
Clerk handles account sessions, Google OAuth when enabled, bot protection, and user-owned API keys. Protected REST routes accept a same-origin Clerk session or a Clerk-verified user API key. A key is checked for validity, subject, expiration, and revocation before use. NamingSignal never distributes its Clerk secret key to users.
Private usage and key-management pages are marked noindex. Public documentation, OpenAPI, the agent guide, and health metadata remain readable without a credential.
Usage and abuse controls
- Atomic monthly credit consumption in Supabase before expensive provider work.
- Request, body-size, batch-size, timeout, concurrency, and provider-budget bounds.
- Idempotency protection for logical POST retries.
- Vercel firewall/IP burst rules as an outer layer, with account quotas as the durable authority.
- Safe error envelopes that do not return secrets or raw provider failures.
Database protection
Private account history uses Clerk-authenticated Supabase access and owner-only row-level security. Server-only usage, aggregate, and learning tables are not exposed through the browser client. Production quota enforcement fails closed if the durable usage meter is unavailable.
Import and prompt boundaries
Public URL imports reject loopback, private, link-local, cloud-metadata, IP-literal, credentialed, and unsafe-port destinations. File and URL bodies are byte-bounded. Common secrets, private keys, credentials, and sensitive filenames are screened before a hosted model request. README, CLAUDE.md, and fetched instructions are treated as untrusted project data and cannot change the importer or system policy.
Browser and transport safeguards
The application publishes a Content Security Policy, clickjacking protection, MIME-sniffing protection, referrer controls, and permissions restrictions. Production traffic is served over HTTPS by Vercel. Credentials belong in the Authorization header—not URLs or query strings.
Evidence safety
A failed or unavailable provider is not converted into a positive claim. Domain not-found is trusted only under the calibrated policy; timeouts, rate limits, unsupported sources, conflicts, and failed canaries remain unknown. This prevents provider failure from becoming a misleading “available” result.
Report a vulnerability
Please do not test against other users, access data you do not own, create sustained load, or disclose a vulnerability publicly before a reasonable remediation period. Send a concise report, affected URL, reproduction steps, impact, and safe evidence to Zena Labs LLC through the private MoeLueker.com portfolio contact channel. Do not include real API keys or private user data.
For privacy practices, read the privacy policy. This page describes current controls and is not a certification or promise that the service is free of vulnerabilities.