Safety overview
Lending Agent Oversight is a non-AI workspace. There is no model, no inference, no autonomous agent. The safety surface is the surface of any B2B SaaS that holds regulated supervisory records, plus a small number of regulated-context concerns specific to running an AR network on behalf of a principal firm.
This chapter sets the threats out by category, names the mitigation that addresses each, and links to the deeper pages that document the mechanism. Production hardening (TLS, edge protection, platform attestation) is inherited from Vercel and is out of scope here.
What is in scope
The threats relevant to Oversight are the threats relevant to any tool that holds named-actor evidence of FCA-regulated supervision over months and years. They are:
- Session theft and credential abuse of principal-side accounts, where a stolen session would give an attacker the principal firm’s full view of its AR network. Mitigated by httpOnly Secure SameSite cookies, sliding 12-hour session lifetime with a 7-day absolute cap, TOTP enrolment for principal-admin and principal-compliance-officer, and step-up authentication on terminal actions (FCA notification, annual-review sign-off, AR off-boarding). Detail in threat model.
- Audit-chain tampering, where an attacker (or an insider) tries to alter an `AuditEvent` after the fact to remove evidence of a supervisory failing. Mitigated by SHA-256 hash chaining on every event, a daily integrity-check job, and ten-year retention against a SYSC 9 floor of seven. Detail in tampering and replay.
- Replay or duplication of supervisory acts (a breach notification recorded twice, an annual review signed off twice). Mitigated by optimistic concurrency on every write, terminal actions guarded by step-up authentication, and audit events that record the actor, the timestamp, and the prior-event hash.
- Rate-limit abuse against the AR-user login surface (credential stuffing) and against the principal-side read endpoints (scraping the AR register or audit log). Mitigated by token-bucket limits per session and per IP, lockout after ten failed sign-ins per email per hour, and 429 events emitted as audit-log entries. Detail in rate limiting.
- Insider abuse of oversight tooling. A principal firm operating the workspace against its own ARs could in principle re-write findings, fabricate file reviews, or manipulate risk scores to justify off-boarding. The product holds against this by making the audit log immutable, attributing every event to a named actor, exposing each AR’s own audit log to the AR, and giving ARs a `Challenged` affordance on completed file reviews. Detail in insider threat.
- Information disclosure across tenants. A principal-firm tenant must never see another tenant’s data. Mitigated by Postgres row-level security (`tenant_id = current_setting('app.tenant_id')::uuid`) enforced at the database connection, plus server-side RBAC checks in every handler. Detail in threat model.
- Elevation of privilege from AR-user to principal-side roles. AR-user accounts read only their own AR’s records; principal-side roles cannot be granted to an AR-user without a fresh invitation from a principal-admin. Step-up authentication on terminal actions provides a second barrier even if a principal-admin account is compromised.
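The hash-chaining and integrity-check mitigation for audit-chain tampering and insider edits, as an added example that is not the product’s own code. It uses Node’s `crypto` module; the event field names, the canonical serialisation, the genesis value and the sample events are all constructed here for illustration and are not the product’s `AuditEvent` schema. The check runs in the way a daily integrity job would, and the three tamper cases show why chaining catches an in-place edit, a recomputed hash, and a deleted row alike.

```typescript
import { createHash } from "node:crypto";

// Field names are assumptions for illustration, not the product's AuditEvent schema.
export interface AuditEvent {
  seq: number;         // 1-based position in the tenant's chain
  actorId: string;     // named actor the event is attributed to
  action: string;
  arId: string;
  occurredAt: string;  // ISO-8601 timestamp
  prevHash: string;    // hash of the preceding event; GENESIS_HASH for the first
  hash: string;        // SHA-256 over the canonical form of the fields above
}

export const GENESIS_HASH = "0".repeat(64);

// Canonical serialisation with a fixed field order, so the hash is reproducible
// regardless of how the row is later read back.
function canonical(e: Omit<AuditEvent, "hash">): string {
  return JSON.stringify([e.seq, e.actorId, e.action, e.arId, e.occurredAt, e.prevHash]);
}

export function computeHash(e: Omit<AuditEvent, "hash">): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

// Append-only write: the new event commits to the current head via prevHash.
export function appendEvent(
  chain: AuditEvent[], actorId: string, action: string, arId: string, occurredAt: string,
): AuditEvent[] {
  const head = chain[chain.length - 1];
  const body: Omit<AuditEvent, "hash"> = {
    seq: head ? head.seq + 1 : 1, actorId, action, arId, occurredAt,
    prevHash: head ? head.hash : GENESIS_HASH,
  };
  return [...chain, { ...body, hash: computeHash(body) }];
}

// What a daily integrity-check job does: walk the chain and report the first event
// whose sequence number, back-link or own hash no longer matches.
export function verifyChain(chain: AuditEvent[]): { ok: boolean; firstBadSeq: number | null } {
  let expectedPrev = GENESIS_HASH;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.seq !== i + 1 || e.prevHash !== expectedPrev || computeHash(e) !== e.hash) {
      return { ok: false, firstBadSeq: e.seq };
    }
    expectedPrev = e.hash;
  }
  return { ok: true, firstBadSeq: null };
}

// Constructed scenario: a file review, a finding, its closure; then three ways an
// insider might try to make the finding disappear, each caught by the check.
export function demo() {
  let chain: AuditEvent[] = [];
  chain = appendEvent(chain, "user:co-1", "file_review.completed", "ar-42", "2024-03-01T10:00:00Z");
  chain = appendEvent(chain, "user:co-1", "finding.raised", "ar-42", "2024-03-01T10:05:00Z");
  chain = appendEvent(chain, "user:admin-1", "finding.closed", "ar-42", "2024-03-02T09:00:00Z");

  // 1. Edit the row in place: its stored hash no longer matches its content.
  const edited = chain.map((e) => (e.seq === 2 ? { ...e, action: "note.added" } : e));
  // 2. Edit and recompute that row's hash: the next event's prevHash now points at nothing.
  const rehashed = chain.map((e) => {
    if (e.seq !== 2) return e;
    const body = { ...e, action: "note.added" };
    return { ...body, hash: computeHash(body) };
  });
  // 3. Delete the row outright: the sequence numbers skip.
  const deleted = chain.filter((e) => e.seq !== 2);

  return {
    intact: verifyChain(chain),
    edited: verifyChain(edited),
    rehashed: verifyChain(rehashed),
    deleted: verifyChain(deleted),
  };
}
```

The check reports the first bad sequence number, which is what a job would write to its own audit entry: the intact chain verifies, the in-place edit fails at event 2, and both the rehashed edit and the deletion fail at event 3, because the surviving events still commit to the original head. Chaining alone does not stop a party with write access from rewriting the whole tail, so in practice the daily job should compare the head hash against a copy held outside the tenant’s write path.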
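The rate-limiting mitigation for the login surface, as an added example that is not the product’s own code: a token bucket keyed per IP, a per-email lockout after ten failed sign-ins in a sliding hour, and a throttle decision recorded as an audit entry. The in-memory stores, the bucket size and refill rate, the audit field names and the sample addresses are constructed for illustration; a deployment behind more than one instance would back the stores with shared storage, and the per-session bucket the page also mentions is keyed the same way.

```typescript
interface Bucket { tokens: number; updatedAtMs: number }

// Token bucket: `capacity` requests may burst, then `refillPerSec` sustained.
export class TokenBucketLimiter {
  private buckets = new Map<string, Bucket>();
  constructor(private readonly capacity: number, private readonly refillPerSec: number) {}

  // Returns true if the caller may proceed, false if it should receive 429.
  allow(key: string, nowMs: number): boolean {
    const b = this.buckets.get(key) ?? { tokens: this.capacity, updatedAtMs: nowMs };
    const elapsedSec = Math.max(0, nowMs - b.updatedAtMs) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedAtMs = nowMs;
    const ok = b.tokens >= 1;
    if (ok) b.tokens -= 1;
    this.buckets.set(key, b);
    return ok;
  }
}

// Sliding-window lockout: `maxFailures` failed sign-ins per email within `windowMs`.
export class SignInLockout {
  private failures = new Map<string, number[]>();
  constructor(private readonly maxFailures: number, private readonly windowMs: number) {}

  private recent(email: string, nowMs: number): number[] {
    const kept = (this.failures.get(email) ?? []).filter((t) => nowMs - t < this.windowMs);
    this.failures.set(email, kept);
    return kept;
  }
  isLocked(email: string, nowMs: number): boolean {
    return this.recent(email, nowMs).length >= this.maxFailures;
  }
  recordFailure(email: string, nowMs: number): void {
    this.recent(email, nowMs).push(nowMs);
  }
}

export type Decision = "allowed" | "rate_limited" | "locked_out";
// Audit entry for a throttled request (field names are assumptions, not the product's).
export interface ThrottleAuditEvent {
  action: "rate_limit.exceeded" | "sign_in.locked_out";
  key: string;
  atMs: number;
}

export class SignInGate {
  readonly audit: ThrottleAuditEvent[] = [];
  constructor(
    private readonly perIp = new TokenBucketLimiter(5, 1),       // constructed: 5 burst, 1 token/s per IP
    private readonly lockout = new SignInLockout(10, 3_600_000), // ten failures per email per hour
  ) {}

  // `passwordOk` stands in for the real credential check. The bucket is checked first so a
  // flood never reaches the credential store; the lockout is checked before the password so a
  // locked account gives the same answer whether or not the guess was right.
  attempt(email: string, ip: string, nowMs: number, passwordOk: boolean): Decision {
    if (!this.perIp.allow(`ip:${ip}`, nowMs)) {
      this.audit.push({ action: "rate_limit.exceeded", key: `ip:${ip}`, atMs: nowMs });
      return "rate_limited";
    }
    if (this.lockout.isLocked(email, nowMs)) {
      this.audit.push({ action: "sign_in.locked_out", key: `email:${email}`, atMs: nowMs });
      return "locked_out";
    }
    if (!passwordOk) this.lockout.recordFailure(email, nowMs);
    return "allowed"; // the credential check itself decides whether a session is issued
  }
}

// Constructed scenario: every attempt uses a wrong password.
export function demo() {
  const email = "ar.user@example.test";
  const t0 = 1_700_000_000_000;
  // Burst: eight attempts in the same millisecond from one IP hit the bucket.
  const burstGate = new SignInGate();
  const burst = Array.from({ length: 8 }, () => burstGate.attempt(email, "203.0.113.7", t0, false));
  // Paced: twelve attempts one second apart pass the bucket but trip the lockout,
  // which clears once the hour-long window has elapsed.
  const pacedGate = new SignInGate();
  const paced = Array.from({ length: 12 }, (_, i) =>
    pacedGate.attempt(email, "203.0.113.8", t0 + i * 1000, false));
  const afterWindow = pacedGate.attempt(email, "203.0.113.8", t0 + 3_600_000 + 12_000, false);
  return { burst, paced, afterWindow, auditCount: burstGate.audit.length + pacedGate.audit.length };
}
```

The two scenarios show why both controls are needed: the bucket stops the fast path (five of eight burst attempts get through, three are answered 429), while the lockout stops the slow path that stays under the bucket (ten paced guesses are processed, the eleventh and twelfth are refused without touching credentials). Each refusal is an audit entry, which is what lets the daily review distinguish a stuffing campaign from a user who forgot a password.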
What is out of scope
Network-layer threats (TLS, BGP, edge DDoS) are inherited from Vercel and are out of scope on these pages. Platform-level Vercel compromise is covered by Vercel’s own SOC 2 and ISO 27001 attestations. Browser-level exploits on a user’s device are out of scope. The lender’s underwriting decisions, the customer-facing distribution surfaces, and the AR’s own conduct in the field are not the workspace’s job to police; the workspace records and surfaces the evidence.
How to read this chapter
The threat model is the structural decomposition (STRIDE, surface by surface, with named mitigations and residual risks). The three sibling pages drill into the mitigations that warrant their own treatment: rate limiting, insider threat, and tampering and replay. The privacy chapter (overview) covers retention and lawful basis, which sit alongside these safety controls but are documented separately.