Security model
Cuvark treats evidence as hostile and keeps API, dashboard, and webhooks on separate auth boundaries.
Hostile evidence
User text, webpage text, OCR output, filenames, and message content are treated as untrusted evidence, not instructions.
Dashboard auth
The dashboard lives under /dashboard and is protected with Clerk when configured, with local dev fallback controlled by environment.
Machine API auth
The /v1 API remains outside dashboard routing and uses Cuvark API keys and explicit scopes for machine access.