Back to Details

motherduck-security-governance

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security and Governance

安全与治理

Use this skill when the user is evaluating whether MotherDuck can meet their security, governance, and deployment requirements. This is a workflow skill focused on control boundaries and safe patterns.
当用户评估MotherDuck是否能满足其安全、治理和部署要求时,使用本技能。这是一项聚焦于控制边界和安全模式的工作流技能。

Source Of Truth

事实来源

  • Prefer current MotherDuck public trust, security, pricing, and product documentation.
  • If the MotherDuck MCP 
    ask_docs_question
    feature is available, use it first.
  • Verify claims against live public materials before making compliance or commercial assertions.
  • 优先参考MotherDuck当前的公开信任、安全、定价及产品文档。
  • 如果MotherDuck MCP的
    ask_docs_question
    功能可用,请优先使用该功能。
  • 在做出合规或商业声明前,需对照公开的实时材料验证相关主张。

Default Posture

默认态势

  • Prefer service accounts for production systems, not personal tokens.
  • Keep credentials in backend-controlled secrets, not browsers or hardcoded notebooks.
  • Prefer structural isolation over query-time tenant filtering for serious B2B or CFA workloads.
  • Treat region and residency as first-class architectural constraints that require current public confirmation.
  • Be explicit about whether the boundary is a share, a Dive, a database, or a full application.
  • Separate documented product guarantees from architectural recommendations and assumptions in the final answer.
  • 生产系统优先使用服务账户,而非个人令牌。
  • 将凭证存储在后端管控的密钥管理系统中,而非浏览器或硬编码的笔记本中。
  • 对于严肃的B2B或CFA工作负载,优先采用结构化隔离而非查询时租户过滤。
  • 将区域和数据驻留视为一等架构约束,需以当前公开信息确认。
  • 明确说明边界是共享资源、Dive、数据库还是完整应用。
  • 在最终答案中区分已记录的产品保障与架构建议及假设。

Workflow

工作流程

  1. Identify where credentials live and who administers them.
  2. Define the actual isolation boundary: account, database, schema, or query filter.
  3. Determine who can read, write, share, or administer the data.
  4. Check whether residency, compliance, or contractual guarantees are part of the requirement.
  5. Use only publicly documented security anchors unless the user has current commercial documentation in hand.
  1. 确定凭证的存储位置及管理员。
  2. 定义实际的隔离边界:账户、数据库、模式或查询过滤器。
  3. 确定谁可以读取、写入、共享或管理数据。
  4. 检查数据驻留、合规或合同保障是否为需求的一部分。
  5. 除非用户持有当前商业文档,否则仅使用公开记录的安全依据。

Open Next

后续事项

  • references/SECURITY_GOVERNANCE_PLAYBOOK.md
    for public security anchors, service-account posture, residency framing, sharing boundaries, and what not to overstate
  • 参考
    references/SECURITY_GOVERNANCE_PLAYBOOK.md
    获取公开安全依据、服务账户态势、数据驻留框架、共享边界以及不应夸大的内容。

Related Skills

相关技能

  • motherduck-connect
    for secure token handling and endpoint selection
  • motherduck-explore
    when governance depends on what data is actually present and how it is partitioned
  • motherduck-share-data
    when the design includes governed data distribution
  • motherduck-connect
    :用于安全令牌处理和端点选择
  • motherduck-explore
    :当治理取决于实际存在的数据及其分区方式时使用
  • motherduck-share-data
    :当设计包含受管控的数据分发时使用