Security

Built to reduce risk, not hide it behind a demo.

StreamCanvas treats security as an application architecture problem. The platform makes the rendering boundary, action boundary, and deployment boundary explicit so teams can reason about real risk instead of assuming the browser will save them.

Control

Renderer isolation

HTML widgets render inside a sandboxed iframe instead of the host DOM, which limits blast radius and makes the rendering boundary explicit.

Control

Typed component mode

React component widgets are schema-validated before render, reducing the chance of arbitrary or malformed props reaching application code.

Control

Trusted action path

User-triggered actions flow through registered client tools rather than arbitrary script execution in the host application.

Control

Operational containment

Production deployment binds the app only to localhost and exposes it publicly through nginx, preserving existing service boundaries on the server.

Operational stance

Security decisions stay visible to the engineering team.

The default model is intentionally conservative: sandboxed widgets, explicit client tools, and self-hosted deployment behind a reverse proxy. Teams can loosen constraints later if they need to, but the starting point already reflects production concerns.
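The trusted action path can be pictured as a host-side dispatcher that accepts messages only from the sandboxed widget frame and runs only registered, argument-validated tools. This is an added example, not StreamCanvas code: `createToolRegistry`, `handleWidgetMessage`, the `{ tool, args }` message shape and the `addToCart` tool are hypothetical, and it assumes the iframe is sandboxed without `allow-same-origin`.

```javascript
// Added example. Hypothetical names throughout: createToolRegistry,
// handleWidgetMessage and the { tool, args } message shape are assumptions.

function createToolRegistry() {
  const tools = new Map(); // Map lookup: "__proto__" or "constructor" never resolve
  return {
    register(name, validate, run) { tools.set(name, { validate, run }); },
    get(name) { return tools.get(name); },
  };
}

// event: a MessageEvent-like object; widgetWindow: the iframe's contentWindow.
function handleWidgetMessage(event, widgetWindow, registry) {
  // Identify the sender by window reference, not by anything in the payload.
  if (event.source !== widgetWindow) return { ok: false, reason: "unknown-source" };
  // Assumption: the iframe is sandboxed without allow-same-origin, so its
  // opaque origin serializes as the string "null".
  if (event.origin !== "null") return { ok: false, reason: "unexpected-origin" };
  const msg = event.data;
  if (msg === null || typeof msg !== "object" || typeof msg.tool !== "string") {
    return { ok: false, reason: "malformed" };
  }
  const tool = registry.get(msg.tool);
  if (!tool) return { ok: false, reason: "unregistered-tool" };
  if (!tool.validate(msg.args)) return { ok: false, reason: "invalid-args" };
  return { ok: true, result: tool.run(msg.args) };
}

// Constructed sample: one registered tool and four constructed messages.
function demo() {
  const registry = createToolRegistry();
  registry.register(
    "addToCart",
    (a) => a !== null && typeof a === "object" && typeof a.sku === "string"
      && /^[a-z0-9-]{1,32}$/.test(a.sku)
      && Number.isInteger(a.qty) && a.qty > 0 && a.qty <= 10,
    (a) => `added ${a.qty} x ${a.sku}`
  );
  const widget = {}; // stands in for iframe.contentWindow
  const send = (data, source = widget, origin = "null") =>
    handleWidgetMessage({ data, source, origin }, widget, registry);
  return [
    send({ tool: "addToCart", args: { sku: "tea-01", qty: 2 } }), // accepted
    send({ tool: "runScript", args: { code: "..." } }),           // not registered
    send({ tool: "addToCart", args: { sku: "tea-01", qty: 9999 } }), // bad args
    send({ tool: "addToCart", args: { sku: "tea-01", qty: 1 } }, {}), // other window
  ];
}
```

In a browser the same function would be called from a `message` event listener on the host window, with `widgetWindow` set to the widget iframe's `contentWindow`.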

Review points