Trust Center
Security and reliability review material for teams evaluating Verixet as a pre-deploy gate in their delivery pipeline.
Trust posture
Verixet is designed as a server-side control surface for release decisions. It does not require browser exposure of API keys, and it returns structured envelopes that can be logged, audited, and joined back to CI output.
- Quality checks include typecheck, OpenAPI drift, route integrity, logging hygiene, high-severity dependency audit, build, and E2E gates.
- Public readiness and post-deploy smoke checks make deployment health explicit.
- Security and support routing use role-based mailboxes for security, status, billing, refunds, and support.
Control summary
Request traceability
Every v1 response includes request_id and the x-verixet-request-id response header for support, audit review, and log joins.
Scoped API keys
Bearer keys carry route scopes such as workflow:run, validate:run, meter:run, and commerce:run. Invalid keys return 401; valid keys that lack the required route scope return 403.
Idempotent POST engines
POST engines accept Idempotency-Key so CI runners can retry without duplicating successful work.
Readiness contract
Use /api/v1/health for liveness, /api/v1/ready for traffic readiness, and /api/v1/health?deep=1 for operator diagnostics.
Evidence buyers can review
| Artifact | What it proves | Where to look |
|---|---|---|
| API contract | Envelope shape, request IDs, error codes, and route behavior. | OpenAPI JSON |
| Health contract | Liveness, readiness, deep diagnostics, and post-deploy smoke semantics. | Status, docs, repo docs/runbooks/readiness-and-smoke.md |
| CI gate | How a deploy runner checks safe_to_deploy and preserves request_id. | Examples, Developer hub |
| Scope model | Least-privilege route scopes and 401 versus 403 semantics. | API docs |
| SDK behavior | Typed helpers throw on unsafe gates while preserving request_id for logs. | Implementation examples |
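
An added example, not Verixet's own code or SDK: a fail-closed CI gate decision that applies the 401 versus 403 semantics above and keeps the request ID for log joins. It assumes a JSON envelope with top-level request_id and safe_to_deploy fields and HTTP 200 on success; the function names, the key derivation, and the sample responses are constructed for illustration.

```python
import hashlib
import json


def idempotency_key(pipeline_id: str, commit_sha: str) -> str:
    """Stable per (pipeline, commit), so a retried CI job resends the same
    Idempotency-Key. The derivation is an assumption, not a documented format."""
    return hashlib.sha256(f"{pipeline_id}:{commit_sha}".encode()).hexdigest()[:32]


def evaluate_gate(status: int, headers: dict, body: str) -> dict:
    """Return a fail-closed deploy decision that always carries the request ID."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    try:
        envelope = json.loads(body)
    except ValueError:
        envelope = {}
    if not isinstance(envelope, dict):
        envelope = {}
    # Prefer the envelope field; fall back to the header so the ID survives
    # even when the body is unreadable (for example a proxy error page).
    request_id = envelope.get("request_id") or hdrs.get("x-verixet-request-id")
    if status == 401:
        reason = "invalid_key"        # rotate or fix the credential
    elif status == 403:
        reason = "missing_scope"      # key is valid but lacks the route scope
    elif status != 200:               # assumed success status
        reason = f"unexpected_status_{status}"
    elif envelope.get("safe_to_deploy") is True:  # strict boolean, not "true"
        reason = "safe"
    else:
        reason = "unsafe_or_malformed"
    return {"deploy": reason == "safe", "reason": reason, "request_id": request_id}


if __name__ == "__main__":
    # Constructed sample responses: (status, headers, body).
    samples = [
        (200, {"X-Verixet-Request-Id": "req_example_1"},
         '{"request_id": "req_example_1", "safe_to_deploy": true}'),
        (403, {"x-verixet-request-id": "req_example_2"},
         '{"request_id": "req_example_2"}'),
        (200, {"x-verixet-request-id": "req_example_3"}, "<html>bad gateway</html>"),
    ]
    print("Idempotency-Key:", idempotency_key("pipeline-42", "0123abcd"))
    for status, headers, body in samples:
        print(evaluate_gate(status, headers, body))
```

Anything other than an explicit boolean true blocks the deploy, and the request ID is logged on every outcome, including failures.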
Enterprise review questions
- For incident or uptime follow-up, use status channels on /status.
- For account and operator support, use /support.
- For vulnerability reports, use the security disclosure path on /security.