The safety rails are already built in.

Most one-click hosts hand you a live URL and a loaded gun. Miso ships the boring, hard, safe parts on by default, so a single leaked key or an open database is not one slip away.

defaults.cfg

on by default

workload sandbox✓gVisor

service ingress✓private

pre-deploy scan✓enabled

TLS verification✓enforced

secrets at rest✓encrypted

audit trail✓append-only

scan.log

scan start web@a1b3

secrets .... 0 leaked

bundle ..... 0 keys

access ..... 0 open

verdict .... pass

> _

Sandboxed by default

Workloads run inside a gVisor sandbox, not raw containers. One tenant cannot reach another.

Private until you say otherwise

Every service starts private. Public ingress is a switch you flip on purpose, per service.

Pre-deploy scan

Every deploy is scanned for leaked secrets and open access. It blocks only on high-confidence critical findings.

Secrets, handled

Encrypted at rest, injected at runtime, never printed into build logs or URLs.

Verified TLS

Certificate verification is enforced everywhere. We do not ship a flag that turns it off.

Audit trail

Every security-sensitive action is written to an append-only log you can read.

Secure by defaulta slip should not hand over everything

responsible disclosure

Found something? Email [email protected]. We read every report, and we will not take legal action against good-faith research.