# Security and Replay Safety
Production replay is only useful if it is safe
FluxRun is designed around a customer-controlled agent boundary, protected payload encryption, recorded IO replay, and explicit separation between inspection and sensitive actions.
## Private replay key stays with the customer runtime
The dashboard does not need the private replay key. Sensitive decrypt and replay actions go back through the agent route.
## Agent route controls sensitive actions
Protected payload unlock and replay use short-lived authorization and the configured customer-hosted agent endpoint.
## Dashboard cannot freely decrypt payloads
Indexed summaries remain useful for triage, while protected payload bodies stay encrypted or masked until access is mediated by the agent.
## Replay uses recorded IO
Fetch, host calls, env reads, time, randomness, logs, result, and error are served from the captured trace during replay.
## Safe vs not safe
Replay must be explicit about what can happen
The design goal is to preserve enough evidence to debug while preventing production side effects from firing during replay.
### Safe by design
- Inspect execution summaries, status, route, timing, and network evidence.
- Replay a captured path through the customer agent using recorded IO.
- Reveal protected payloads only through agent-mediated unlock.
- Save a repaired replay path as a regression guard.
### Not allowed during replay
- Replay should not call live payment, email, queue, DB, or external API writes.
- Private replay keys should not be copied into FluxRun dashboard storage.
- Unsupported host APIs should not be silently treated as replay-safe.
- Sensitive payloads should not be shown in shared views without unlock intent.
## Boundary model
### Recorded IO replaces live calls
FluxRun records the supported boundaries a backend route crosses. During replay, those boundaries return recorded values so the code can reproduce behavior without reaching out to live systems.
| Boundary | Capture | Replay behavior |
|---|---|---|
| Network | Captured fetch request and response | Replay returns recorded response |
| Database and SDK clients | Placed behind fluxHost RPC | Replay returns recorded host-call result |
| Secrets and env | Read through fluxENV | Encrypted and replayed from trace |
| Time and random | Captured values | Replay uses fixed recorded values |
| Console and errors | Captured as events | Replay keeps the same debugging evidence |
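The record/replay loop the table describes, as an added example that is not FluxRun's code: a small JavaScript harness in which every boundary crossing (env read, fetch, host call, time, randomness) is recorded once and then served back from the trace, and a crossing that has no matching recorded event stops replay instead of reaching a live system. The names `createBoundary`, `checkoutRoute`, `recordRun` and `replayRun`, and the stand-in live systems with their call counters, are assumptions made for this illustration.

```javascript
// Added example (not FluxRun's API): record boundary crossings once, then
// replay them from the trace without touching any live system.

// Constructed stand-ins for live systems. The counters let us prove that a
// replay never reaches them.
const liveCalls = { network: 0, host: 0 };
const liveSystems = {
  fetch(url) {
    liveCalls.network += 1;
    return { status: 200, body: { rate: 0.07, url } };
  },
  host(name, args) {
    liveCalls.host += 1;
    if (name === 'payments.charge') {
      return { chargeId: 'ch_constructed_1', amount: args.amount };
    }
    // A host API the recorder does not support is an error, not "replay-safe".
    throw new Error(`unsupported host API: ${name}`);
  },
};

// Build the boundary object a route talks to. In 'record' mode each crossing
// calls the live system and appends the result to the trace. In 'replay'
// mode the crossing must match the next recorded event; otherwise replay
// stops rather than silently falling through to a live call.
function createBoundary(mode, trace, env = {}) {
  let cursor = 0;
  function cross(kind, key, live) {
    if (mode === 'record') {
      const value = live();
      trace.push({ kind, key, value });
      return value;
    }
    const event = trace[cursor];
    if (!event || event.kind !== kind || event.key !== key) {
      throw new Error(`replay: no recorded ${kind} event for "${key}"; refusing live call`);
    }
    cursor += 1;
    return event.value;
  }
  return {
    fetch: (url) => cross('network', url, () => liveSystems.fetch(url)),
    host: (name, args) => cross('host', name, () => liveSystems.host(name, args)),
    env: (name) => cross('env', name, () => env[name] ?? null),
    now: () => cross('time', 'now', () => Date.now()),
    random: () => cross('random', 'random', () => Math.random()),
  };
}

// A constructed backend route that crosses several boundaries.
function checkoutRoute(io, order) {
  const currency = io.env('DEFAULT_CURRENCY');
  const taxRate = io.fetch('https://tax.example/rate').body.rate;
  const amount = Math.round(order.subtotal * (1 + taxRate) * 100) / 100;
  const charge = io.host('payments.charge', { amount, currency });
  return { chargeId: charge.chargeId, amount, currency, at: io.now(), nonce: io.random() };
}

// Record: run the route once against the live stand-ins and keep the trace.
function recordRun(order) {
  const trace = [];
  const io = createBoundary('record', trace, { DEFAULT_CURRENCY: 'EUR' });
  const result = checkoutRoute(io, order);
  return { trace, result };
}

// Replay: run a route with nothing but the trace. Time and randomness come
// back as the recorded values, so the result is reproducible.
function replayRun(trace, order, route = checkoutRoute) {
  const io = createBoundary('replay', trace);
  return route(io, order);
}
```

Replaying a route that has been edited to add a new side effect (say, an email send that was never recorded) hits the mismatch check at that crossing and throws, which is the behaviour the "Not allowed during replay" list asks for: the repair is visible, and no live system is called to find it.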
## Masking and encryption
Sensitive payload fields are masked or encrypted before storage when they are not needed for routing or indexing.
## Role-aware access
Workspace, app, and function access control determine who can inspect failures and who can initiate protected actions.
## Operational diagnostics
Setup, token, CORS, agent, and replay failures surface as actionable states instead of generic "unavailable" messages.