# Mosaic Observability Security Model

The public generator does not store credentials. It returns placeholders and expects operators or agents to place real values in a customer-owned secret manager.

## Required secrets

- Datadog API key for log ingest.
- Datadog app key for read-side validation and workflow awareness.
- OpenObserve ingestion or service token scoped to the intended organization and stream.
- Cloudflare R2 S3-compatible access key scoped to the archive bucket.

## Guardrails

- Use scoped service tokens, not personal user tokens.
- Keep fail-open enabled until Datadog, OpenObserve, and R2 health checks are green.
- Do not reduce Datadog hot-path visibility before validating monitors, dashboards, saved views, and trace pivots.
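
The guardrails above can be enforced as a pre-change gate. The following is an added example, not code from the Mosaic generator: the `${NAME}` placeholder syntax, the field names, the `"green"` status string, and the sample inputs are all assumptions made for illustration.

```python
import re

# Assumed placeholder syntax (${NAME}); the page does not specify the generator's format.
PLACEHOLDER = re.compile(r"\$\{[A-Z][A-Z0-9_]*\}")
# Hypothetical field names, one per entry under "Required secrets".
SECRET_FIELDS = ("datadog_api_key", "datadog_app_key", "openobserve_token", "r2_access_key")
SINKS = ("datadog", "openobserve", "r2")
VALIDATIONS = ("monitors", "dashboards", "saved_views", "trace_pivots")


def non_placeholder_fields(config):
    """Secret fields that are missing or hold anything other than a placeholder."""
    return [f for f in SECRET_FIELDS if not PLACEHOLDER.fullmatch(str(config.get(f, "")))]


def rollout_gate(config, health, validated):
    """Report which changes the guardrails permit; unknown or missing state counts as failing."""
    bad_fields = non_placeholder_fields(config)
    red = [s for s in SINKS if health.get(s) != "green"]
    pending = [v for v in VALIDATIONS if validated.get(v) is not True]
    return {
        "config_is_placeholder_only": not bad_fields,
        "non_placeholder_fields": bad_fields,
        "may_disable_fail_open": not red,  # needs every sink green
        "sinks_not_green": red,
        "may_reduce_datadog_hot_path": not pending,  # needs every validation done
        "validations_pending": pending,
    }


# Constructed sample state, not real output from the generator or any vendor API.
SAMPLE_CONFIG = {
    "datadog_api_key": "${DATADOG_API_KEY}",
    "datadog_app_key": "${DATADOG_APP_KEY}",
    "openobserve_token": "constructed-literal-value",  # flagged: not a placeholder
    "r2_access_key": "${R2_ACCESS_KEY}",
}
SAMPLE_HEALTH = {"datadog": "green", "openobserve": "green"}  # r2 never reported
SAMPLE_VALIDATED = {"monitors": True, "dashboards": True, "saved_views": True, "trace_pivots": False}

if __name__ == "__main__":
    for key, value in rollout_gate(SAMPLE_CONFIG, SAMPLE_HEALTH, SAMPLE_VALIDATED).items():
        print(f"{key}: {value}")
```

A sink that never reported and a validation that was never recorded both block the change, so the gate cannot pass on missing data.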