Security

Control the installer without collecting the work.

The portal is designed to answer four questions precisely: who requested access, who approved it, which exact installer was granted, and when a named user received a short-lived delivery URL.

Named-user entitlement

A team approval does not create a public link. Each approved analyst verifies their own email and receives a separate seven-day grant.

Short-lived delivery

Each grant can issue at most two download URLs. Each URL expires after five minutes and is never stored or logged.

Append-only audit

Verification, approval, grant, reset, revocation, issuance, artifact identity, onboarding, and closure are recorded as immutable events.

No customer documents

The access portal does not collect source documents, filenames, SQL details, screenshots, or analyst content.

Exact artifact selection

An approver can select only a PRE-cleared catalog entry. Artifact keys are digest-addressed and registered by Platform.

No broad pointer

The legacy public download route is retired. Controlled-pilot delivery never reads or advances latest.json.

Portal data boundary

Structured administration, not analyst evidence.

CollectedNames, work emails, organization, team, role, pilot environment, named users, approval and delivery events.
Not collectedDocuments, filenames, document text, patient or client data, SQL connection details, credentials, screenshots, or signed URLs.
V1 retentionManual closure, anonymization, and deletion. Automatic retention begins only after a broader-launch policy is approved.
Scope statement: these controls describe the pilot access portal and audited release process. They are not a claim of sector certification or regulatory compliance.