CARL

Security

Security is part of CARL's core product. This page summarizes our commitments; see the Privacy Architecture for the deeper technical write-up.

Reporting a vulnerability

Email security@wentzel.ai. We acknowledge reports within 24 hours and keep researchers updated until the fix ships. We credit researchers who follow responsible disclosure.

Controls

  • Ephemeral containers with RAM-only scratch space and a 60-second lifetime.
  • Outbound network allowlist enforced during assessment.
  • OAuth tokens encrypted at rest, used once, then discarded.
  • Strict HTTP security headers (HSTS, CSP, X-Frame-Options, Permissions-Policy).
  • Append-only audit log with container identifier and timestamps.
  • Dependency audit gating and automated dependency updates.

Audit log

Every repository clone, assessment run, and report write emits an audit-log row. The log is append-only at the application layer.

Self-hosted option

Teams with stricter requirements can run CARL as a Docker image inside their own infrastructure. Code never leaves the customer environment.