SECURITY

Gatekeeper pattern

The gatekeeper is the single server-side layer that every external request has to pass through before it can touch the database, a relayer, or an executor key. There is no second way in.

What it does

  • Authenticates the request (API key, session token, or signed payload).
  • Validates input shape and content against a strict schema.
  • Applies the rate limit for this caller and this endpoint.
  • Decides authorization — does this caller have the right to do this action on this resource?
  • Forwards the call to the underlying service if everything checks out.
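The five steps above as one request pipeline, written here as an added example and not taken from Tab's own code. The API keys, permission table, rate limits, request schemas and the `transfer:*` action names are constructed stand-ins; a real deployment would load all of them from a secret store and a policy source.

```python
import hmac
import json
import re
import time
import uuid
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed credentials and policy for this example. A real gatekeeper loads
# them from a secret store and a policy source, never from source code.
API_KEYS = {"key-alice-000": "alice", "key-bob-000": "bob"}
PERMISSIONS = {
    "alice": {"transfer:create", "transfer:read"},
    "bob": {"transfer:read"},
}
# Assumed limits per caller and per action: (max requests, window in seconds).
RATE_LIMITS = {"transfer:create": (2, 60), "transfer:read": (100, 60)}

# Strict schemas: every listed field is required and no other field is accepted.
HEX_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")
SCHEMAS = {
    "transfer:create": {
        "to": lambda v: isinstance(v, str) and HEX_ADDRESS.fullmatch(v) is not None,
        # bool is a subclass of int in Python, so exclude it explicitly
        "amount": lambda v: isinstance(v, int) and not isinstance(v, bool) and 0 < v <= 10**18,
    },
    "transfer:read": {
        "id": lambda v: isinstance(v, str) and re.fullmatch(r"[0-9a-f]{32}", v) is not None,
    },
}


class Denied(Exception):
    """Raised by whichever stage rejects the request; its message becomes the audit reason."""


@dataclass
class Gatekeeper:
    service: Callable[[str, str, dict], dict]   # downstream handler: (identity, action, body)
    audit: list = field(default_factory=list)   # in-memory stand-in for the append-only log
    _seen: dict = field(default_factory=dict)   # (identity, action) -> recent request times

    def authenticate(self, headers: dict) -> str:
        presented = headers.get("X-Api-Key", "")
        for key, identity in API_KEYS.items():
            if hmac.compare_digest(presented, key):   # constant-time comparison
                return identity
        raise Denied("unauthenticated")

    def validate(self, action: str, body) -> dict:
        schema = SCHEMAS.get(action)
        if schema is None:
            raise Denied("unknown action")
        if not isinstance(body, dict) or set(body) != set(schema):
            raise Denied("schema: missing or unexpected fields")
        for name, accepts in schema.items():
            if not accepts(body[name]):
                raise Denied(f"schema: bad value for {name}")
        return body

    def rate_limit(self, identity: str, action: str, now: float) -> None:
        limit, window = RATE_LIMITS[action]
        recent = [t for t in self._seen.get((identity, action), []) if now - t < window]
        if len(recent) >= limit:
            self._seen[(identity, action)] = recent
            raise Denied("rate limited")
        self._seen[(identity, action)] = recent + [now]

    def authorize(self, identity: str, action: str) -> None:
        if action not in PERMISSIONS.get(identity, set()):
            raise Denied("forbidden")

    def handle(self, headers: dict, action: str, body, now: Optional[float] = None) -> dict:
        """Run the stages in the order the list above gives them and log the decision."""
        now = time.time() if now is None else now
        request_id = uuid.uuid4().hex
        identity = "-"   # logged for requests that never authenticate
        try:
            identity = self.authenticate(headers)
            body = self.validate(action, body)
            self.rate_limit(identity, action, now)
            self.authorize(identity, action)
            result = self.service(identity, action, body)
            self._record(request_id, identity, action, "allow", "")
            return {"request_id": request_id, "ok": True, "result": result}
        except Denied as why:
            self._record(request_id, identity, action, "deny", str(why))
            return {"request_id": request_id, "ok": False, "error": str(why)}

    def _record(self, request_id, identity, action, decision, reason) -> None:
        self.audit.append(json.dumps({
            "request_id": request_id, "identity": identity, "action": action,
            "decision": decision, "reason": reason,
        }))
```

Two details worth noticing. The rate limit is keyed on the authenticated identity and the action together, so a caller hammering `transfer:create` does not starve its own `transfer:read` traffic. And because the stages run in the listed order, a request that fails schema validation never reaches the rate limiter; that is fine for an honest caller, but it means a flood of malformed requests sent with a valid key is bounded only by whatever sits in front of the gatekeeper.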

Why this matters

The gatekeeper is the only piece of Tab that knows what callers are allowed to do. Centralizing that logic in one place means we can audit it once, harden it once, and let everything behind it assume its inputs have already been checked. That assumption only holds while the gatekeeper really is the only way in, so the database, relayers, and executors should accept connections from it and from nothing else.

What it deliberately doesn't do

It does not hold keys, sign transactions, or move funds. The gatekeeper's job is to decide "is this request allowed" — not "what should happen as a result of this request." That keeps the blast radius of a compromise small: an attacker who somehow gets gatekeeper-level access still has to compromise the wallet, the relayer, or the executor separately to move money.

Logs

Every request the gatekeeper handles is logged with a request ID, the calling identity, the action, and the decision. Denials should also record which check failed, since a run of the same failure from one caller is usually the first sign of an attack. Logs are append-only and retained for incident response.