Security
Secure by design
Multi-tenant isolation through Row-Level Security. Every query workspace-scoped. Every external input validated at the boundary.
Isolation
Multi-tenant architecture
Every table has a workspace_id column. RLS policies enforce boundaries at the database level. Cross-workspace data access is architecturally impossible.
Incoming Request
|
Authentication (Supabase SSR, getAll/setAll cookies)
|
Workspace Resolution (workspace_id from session)
|
Schema Helper Routing
queryCore() / queryCRM() / queryIntelligence() ...
10 typed helpers enforce schema boundaries
|
Row-Level Security
Every table: workspace_id = auth.workspace_id()
Cross-workspace access: architecturally impossible
|
Workspace-Scoped ResponseAuthentication
Session management
SSR cookie pattern
Supabase SSR with getAll/setAll synchronization. The legacy get/set/remove pattern causes silent auth failures.
Proxy-based refresh
Next.js 16 uses proxy.ts for session refresh. Cookies synchronized between request and response.
OAuth integration
Automatic token refresh for Google, Microsoft, and Slack. Per-workspace credentials with RLS protection.
MCP authentication
Every handler receives authenticated context. workspace_id derived from session. Handlers throw on missing auth.
Data scoping
10 typed schema helpers
Every query goes through a typed helper. Bare .from() calls are banned. They bypass schema routing and workspace scoping.
queryCore()queryCRM()queryIntelligence()queryIntegrations()queryTasks()queryCanvas()queryAdmin()queryChat()queryOnboarding()queryBookings()
Resilience
API defense
Circuit breakers
Gmail, Slack, Recall, Perplexity each wrapped to prevent cascading failures when a service is down.
Retry with backoff
Exponential backoff on 429, 5xx, and network errors. Maximum 3 attempts.
Webhook idempotency
HMAC signature verification. Deduplication keys. Failure alerting on every endpoint.
Rate limiting
Per-workspace and per-user API throttling for fair resource allocation.
Audit
Audit trails
| System | Tracked | Storage |
|---|---|---|
| Resolution decisions, merge history, alias changes | entity_audit_engine | |
| Every AI call: model, tokens, cost, latency | admin_ai_usage_log | |
| Every agent execution: success, failure, output | heartbeat_runs | |
| Incoming webhooks: source, processing result | Alerting system | |
| Status transitions, errors, timing | intelligence_status | |
| Conversation turns: tools used, cost | chat_messages |
Code safety
Development practices
Zero any types
1.2M lines of strict TypeScript. No escape hatches. Every value properly typed.
Zod validation
All external data validated at boundaries with Zod schemas. No type assertions on request bodies.
No type assertions
No as casts except fromStepOutput for Inngest serialization. Fix root cause, not symptoms.
Atomic operations
No read-modify-write under concurrency. All counters use atomic SQL increment.
Talk to Sentigen
Have questions about what you're reading? The intelligence behind this platform can walk you through it.

