Security

Security at mdspec

mdspec is hosted on Vercel. The controls below describe our operational security choices. mdspec does not currently hold its own certifications — compliance coverage flows from the Vercel infrastructure layer.

Infrastructure

SOC 2 Type II

Vercel, the hosting provider, holds SOC 2 Type II certification covering security, availability, and confidentiality.

ISO 27001

Vercel infrastructure is ISO 27001 certified — the international standard for information security management.

Credential handling

Integration credentials (Notion tokens, ClickUp API keys, Confluence API tokens, AWS access keys) are encrypted at rest using XChaCha20-Poly1305 authenticated encryption. Encryption keys are held outside the application database.

Spec content is never stored. It flows directly from your CI runner to the target tool — only metadata (page IDs, content hashes, publish timestamps) is retained in the mdspec ledger.

Agent template transformations send spec content to Anthropic's Claude API before publishing. Content is subject to Anthropic's privacy policy. Specs processed by agent templates are not stored by mdspec after the transformation completes.

MDSPEC_TOKEN

MDSPEC_TOKENis a project-scoped publish credential. It grants the holder the ability to publish specs through the project's configured integrations. It does not grant dashboard access, the ability to read project config, or access to other projects.

PropertyDetail
ScopeSingle project — cannot be used across projects
PermissionsPublish specs via the project's configured integrations only
ExpiryNo automatic expiry — rotate manually if compromised
Dashboard accessNone

Rotation procedure

  1. Go to Dashboard → Project → Settings → Tokens and generate a new token.
  2. Update the MDSPEC_TOKEN secret in your CI system.
  3. Revoke the old token from the same Tokens page.

If you suspect a token has been leaked, revoke it immediately — all subsequent publishes using that token will be rejected.

Typosquat warning: The npm package is mdspeci (trailing i) — not mdspec. Running npx mdspec installs an unrelated third-party package and will expose your MDSPEC_TOKEN to it. Always use npx mdspeci.

Reporting vulnerabilities

To report a security vulnerability, email mdspecapp@gmail.com with a description of the issue and steps to reproduce. We aim to respond within 48 hours. Please do not publicly disclose a vulnerability until we have had a chance to address it.