How we work — so you can trust what we ship.

This page explains MS Host IT's public process: principles, security boundaries, GitHub access, and where the product is headed. It is written for developers and reviewers who need confidence before connecting infrastructure or authorizing OAuth. It deliberately omits proprietary implementation detail that would make cloning the product trivial.

Principles

  • Review first. Automation drafts configuration and actions for human inspection when risk is high.
  • Separate surfaces. This public site markets and documents. The dashboard is where you authenticate and operate.
  • Encrypt customer secrets. VPS, GitHub, and related credentials use envelope encryption so a database dump alone cannot recover plaintext.
  • Grow in order. We expand capability along generate → validate → execute → observe → govern.
  • Honest stages. Free, Pro, and Control Plane describe intent and availability without pretending unfinished work is live.

Security model

MS Host IT treats customer infrastructure credentials as highly sensitive. Control Plane designs assume:

  • Secrets are encrypted at rest with per-tenant data keys wrapped by a key encryption key (KMS-backed in production).
  • Decrypt happens only in short-lived session and deploy broker paths; secrets are never written to application logs.
  • Remote actions (SSH, SFTP, and future DB admin) are designed to be auditable.
  • A stolen application database without KMS access must not yield usable VPS or GitHub credentials.
  • Full host compromise of the control plane while sessions are live remains a residual risk — we design for defense in depth, not magical zero-knowledge automation.

See also the Privacy Policy for how personal and account data is handled.

GitHub access

MS Host IT requests GitHub OAuth so operators can connect repositories used for automated Node and React deploys to their own VPS hosts. That is the purpose of the integration.

  • What we use it for: listing and pulling selected repositories (or receiving webhooks when productized), so source can flow into a mediated deploy path on infrastructure you control.
  • What we do not do: sell GitHub data, scrape unrelated activity, or require OAuth when upload is a better fit.
  • Tokens: treated as customer secrets — encrypted at rest, never returned to the browser, revocable by disconnecting the account in MS Host IT and/or on GitHub.
  • Least privilege: we request only the access needed for delivery workflows and document scope changes when capabilities expand.

Questions about GitHub data: support@mshostit.com.

Control plane

The dashboard app is the control plane UI. Operator areas include:

  • Available now: accounts, VPS inventory with encrypted credentials, mediated Terminal and Files (SFTP) sessions with path-aware reconnect and uploads.
  • Next (v0.5): projects bound to a VPS, GitHub connect or upload, automated Node/React deploy, deploy status on overview.
  • Later: domains and nginx assist, databases (MongoDB, MySQL, PostgreSQL), Watch Logs, firewall/regions, billing and governance.
Create a free account →

Supported stacks

SaaS v1 automated deployment focuses on React frontends and Node backends (JavaScript and TypeScript) on Debian/Ubuntu VPS hosts. Broader stacks expand after the security and operations core is solid. Unsupported stacks are called out in the product UI rather than silently failing.

Stack profile vs domains

Projects separate how the app runs (Stack) from how the edge serves hostnames (Domains). DNS automation comes later; for now, Domains is where hostname → app binding and nginx/certbot will live.

Composition

What the repo contains: frontend only, backend only, or both. This drives which package paths, install/build/start commands, and env scopes you configure.

Topology (runtime)

For full-stack projects, topology describes process layout — not nginx routing:

  • Standalone — frontend and backend run as separate processes.
  • Backend serves UI — one process; the backend serves the built frontend.

Hostname mapping, reverse proxy paths, and TLS belong under Domains, not Stack topology.

Extras

Optional paths beyond the main frontend/backend packages:

  • Package — install (and optionally build) a shared library or workspace package.
  • Files — copy a folder into the release (release root, frontend, or backend) without treating it as an app to install.

Product stages

Free — Control panel access

Live

Sign up, manage VPS credentials, and use Terminal and Files. Projects + GitHub deploy land next on the release train.

Pro — Validation & multi-environment

Planned

Deeper validation, multi-environment delivery, and productivity beyond the free core once deploy foundations are solid.

Control Plane — Full VPS delivery

Destination

Mediated remote operations with encrypted credentials, domains, databases, watch logs, billing, and audit — packaged for teams that want delivery inside MS Host IT.

Compare plans →

What we publish vs what stays private

We publish product principles, security boundaries, user-facing capabilities, pricing intent, GitHub OAuth purpose, and high-level stages.

We do not publish proprietary automation internals, unpublished schemas, runner designs before they are productized, or operational playbooks that would let a competitor reproduce MS Host IT with low effort.

Support: support@mshostit.com

Ready to try the control panel? Create an account.