
Security

Trust should wrap around the coding app in a way developers can understand quickly.

This page explains how ClastX should think about access, secret handling, usage protection, and product boundaries before the full account and enterprise layers exist.

Server-side secrets

API keys belong on the server, never in the browser app. The public site should explain that clearly.

Bounded usage

Hard stops, top-ups, and plan gates are part of product safety as much as billing safety.

Clear product boundaries

The website sells and guides. The application handles coding work. That separation reduces confusion and accidental exposure.

Current safeguards

Use server-side environment variables for model access.
Keep stronger models visible, but make them cost more credits.
Show status, billing, and support surfaces even when live AI is paused.
Add account, audit, and project ownership before broad team rollout.
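
The server-side secret rule and the bounded-usage rule can be enforced in one request path. The sketch below is an added example, not ClastX code: the model names, credit costs, status codes, the MODEL_API_KEY variable name and both function names are assumptions.

```javascript
// Added sketch, not ClastX code. Model names, credit costs, status codes and
// the MODEL_API_KEY variable name are assumptions made for illustration.
const MODEL_COST = new Map([["standard", 1], ["strong", 5]]); // stronger = more credits
const STATUS = { unknown_model: 400, hard_stop: 402, plan_gate: 403, ai_paused: 503 };

// Pure gate: decides whether a request may reach the model at all.
function authorize(account, model, aiPaused) {
  if (!MODEL_COST.has(model)) return { allow: false, reason: "unknown_model" };
  if (aiPaused) return { allow: false, reason: "ai_paused" };
  if (!account.plan.models.includes(model)) return { allow: false, reason: "plan_gate" };
  const cost = MODEL_COST.get(model);
  if (account.credits < cost) return { allow: false, reason: "hard_stop" };
  return { allow: true, cost };
}

// Server-side handler. `env` is process.env on the server; `callModel` is
// injected so the sketch runs offline. The key never enters the response body.
async function handlePrompt(account, body, env, callModel, aiPaused = false) {
  const decision = authorize(account, body.model, aiPaused);
  if (!decision.allow) {
    // Denials still report the balance so status and billing views keep working.
    return { status: STATUS[decision.reason], body: { error: decision.reason, credits: account.credits } };
  }
  const apiKey = env.MODEL_API_KEY;
  if (!apiKey) return { status: 500, body: { error: "server_misconfigured" } };
  account.credits -= decision.cost; // debit first so the hard stop cannot be overshot
  try {
    const text = await callModel(apiKey, body.model, body.prompt);
    return { status: 200, body: { text, credits: account.credits } };
  } catch (err) {
    account.credits += decision.cost; // refund on upstream failure; no error detail leaks
    return { status: 502, body: { error: "upstream_failed", credits: account.credits } };
  }
}
```

The browser app only ever sees the response body, which carries the text and the remaining balance; the key stays in the server's environment.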