Hash-only credentials
Device credentials and reservation correlation data are stored as hashes or safe summaries. Raw device credentials are returned only once where existing APIs intentionally do so.
Security
Built around redacted control-plane records.
Runmote Web keeps the current product layer focused on bounded metadata, explicit ownership checks, and non-executing broker contracts.
Bounded metadata
Client metadata, action request envelopes, and broker envelopes reject unsafe keys and values before storage or adapter handoff.
Admin visibility boundaries
Normal users see safe device lifecycle fields. Admin APIs expose sensitive client metadata only to users with the explicit permission.
Deferred execution
The fixed Action endpoint, real broker integration, live relay mutation, OAuth, and billing remain outside this layer.
Browser screenshots and tests must stay redacted: no raw pairing codes after creation, no credential digests, no auth header values, no request payload dumps, and no generated browser artifacts in git.