In case anyone is interested, just wanted to share a few high level details about our infra/security setup.

- Backend & CLI are both strictly linted Rust. The webapp runs on Axum (Rust web framework), and connects to Postgres via sqlx.

- Financial read-only. There's no transfer, pay, or send tool in the product. Nothing in the AI surface can move money.

- We request transactions, investments, and liabilities from Plaid. We don't request auth, transfer, or payment_initiation, so we never receive full account numbers or routing numbers — just the last-4 mask Plaid returns by default.

- Bank usernames and passwords go to Plaid Link, not us. We only hold a per-institution access token.

- Plaid access tokens live in a separate database behind a single custody Cloud Run service, encrypted at rest by Cloud KMS. The broker calls KMS's encrypt/decrypt endpoints — the root key material never leaves Google's HSM boundary and the broker's service account is the only one with encrypt/decrypt permissions. The web app doesn't have permission to read that database.

- Every encryption and decryption call passes the Plaid item ID as AAD (additional authenticated data). A ciphertext from one item cannot be swapped in and decrypted as another item's token.

- Each Cloud Run service (including our web app) runs under its own cloud identity and with its own DB role.

- Internal calls between services are authenticated: the caller presents a short-lived identity token from the cloud provider, and the receiver verifies it.

- The prod databases have no public IP. Secrets live in managed secret storage, not in source or container images.

- The AI connector is OAuth 2.1 + PKCE, scoped per user, revocable from the UI. Every tool call records the tool name, sanitized args, calling client, and the reason the agent supplied, so you can see what your LLM asked on your behalf.

- There are no fetch-URL, shell, or general I/O tools in the AI surface. Tools return structured financial data and nothing else.

- Networking, IAM, and DB grants are all in Terraform. All infra changes go through that path.

- Infra access is gated by 2fa and security keys.