Security

How 6cript protects your data: owner-scoped rows, read-only previews, no raw secrets, checkpoints, and what we are honest about not doing.

Updated 2026-05-01 | 1 min read | Platform

6cript writes code on your behalf. We treat that responsibility seriously. This page is the live posture, not a marketing claim.

Owner-scoped projects

Every project, blueprint, schema, scene, task, and preview is bound to its owner via row-level security. The application server never trusts a client claim about ownership; the database enforces it.
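
As an added illustration of database-enforced ownership (not 6cript's actual schema or code), this is what an owner-scoped policy looks like in PostgreSQL. The `projects` table, the `app_user` role, and the `app.user_id` session setting are assumptions; the server would set that value from the authenticated session, never from a client-supplied field.

```sql
-- Added example: table, column, role and setting names are assumptions.
CREATE TABLE projects (
    id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    owner_id uuid NOT NULL,
    name     text NOT NULL
);

-- Enforce policies for every non-superuser role, including the table owner.
ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
ALTER TABLE projects FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can read or target; WITH CHECK validates
-- rows being written, so a row cannot be created for or handed to another owner.
-- NULLIF makes an unset or empty identity match no rows (fail closed).
CREATE POLICY projects_owner_only ON projects
    FOR ALL
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- The application connects as a role without SUPERUSER or BYPASSRLS,
-- because both of those attributes skip row-level security entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON projects TO app_user;
SET ROLE app_user;

-- Constructed identities: owner A creates a project under their own id.
BEGIN;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO projects (owner_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'owner-a-project');
COMMIT;

-- Owner B's session: the policy hides owner A's row from reads and updates,
-- and WITH CHECK rejects an insert that claims owner A's id.
BEGIN;
SELECT set_config('app.user_id', '22222222-2222-2222-2222-222222222222', true);
SELECT id, name FROM projects;
UPDATE projects SET name = 'renamed-by-b';
INSERT INTO projects (owner_id, name)
VALUES ('11111111-1111-1111-1111-111111111111', 'forged-owner');
ROLLBACK;
```

Because the identity is set with a transaction-local `set_config`, it does not leak to the next request on a pooled connection.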

Read-only previews

Public preview URLs go through a service-role client that loads only the project bound to the token, and only in read mode. The visitor cannot insert, edit, delete, or chat. They cannot see other projects belonging to the owner, the export buttons, or owner controls.

No raw secrets in the UI

Integration cards track environment-variable names and a "secret configured" toggle. They never accept or display raw API keys. The export package excludes secrets by construction.

Checkpoints

Schema-changing AI moves snapshot first. If something looks wrong, restore the previous checkpoint. See the Checkpoints article for the contract.

What we are honest about

  • Custom domains are not shipped — preview URLs live on 6cript.
  • Multiplayer collaboration is on the roadmap; today every project is single-owner.
  • AI providers see your prompts. Provider TOS apply to those calls.
  • Production deployment automation (CI / CD) is not part of the launch tier.