Access Control
Studio inherits the OS principal; provider services use provider authentication.
Studio access model
- OS account principal
Studio runs as the logged-in OS user. There is no Studio-level user/role system; the customer's endpoint authentication and authorisation apply.
- License activation
Per-install license activation is enforced via the licensing service. Activation events are recorded in the licensing dashboard with org-level visibility.
- Per-feature gating
License tiers gate features (e.g., Crew, Cloud Intelligence, ITSM Copilot). There are 6 tiers, from free to unlimited; the mapping is documented in src/lib/license/features.ts.
Provider service access
- LLM provider
Customer-supplied API key (BYO). Customer manages provider-side IAM and rotation.
- Database
Customer-supplied connection string. Customer manages DB-side authentication and authorisation.
- Marketplace / Hub
Email-link auth today. OIDC support planned.
PeerAI internal access
- Least privilege
PeerAI engineering access to release infrastructure is least-privilege and reviewed quarterly. Production credentials rotate per policy.
- MFA required
All PeerAI engineers use MFA for source, release infrastructure, and admin tooling. Detailed evidence ships with SOC 2 Type I.
- Background checks
Pre-employment background checks are performed per applicable jurisdiction.