Security posture for Octav.
Octav keeps the public site separate from authenticated workspace routes and uses service boundaries for storage, AI, imports, billing, audit, and background work.
Lecture, import, analytics, review, study manager, user, audit, billing, and internal tool routes are kept outside the public route set and require the appropriate authenticated workspace context.
Report suspected vulnerabilities to security@octavonline.com. Send a concise summary, affected route or workflow, and safe reproduction steps; do not send secrets, credentials, or private study material in the first report.