Skip to main content
CodeRocket

Trust boundaries

Secure by construction, narrow by default.

CodeRocket accepts arbitrary public site URLs and stores client audit history, so network boundaries and tenant isolation are part of the product—not deployment afterthoughts.

Public HTTPS only

Every hostname and redirect is resolved over IPv4 and IPv6. Local, private, reserved, link-local, multicast, and documentation networks are rejected before fetching.

Row-level tenant isolation

Supabase RLS scopes user-facing CodeRocket rows to auth.uid(). Internal queue, Stripe event, migration, and heartbeat tables are not exposed to browser roles.

Hashed bearer secrets

Project tokens and private report tokens are generated from cryptographic randomness. The plaintext is returned once; only a SHA-256 hash remains in the database.

Signed, idempotent billing

Stripe signatures are verified against the raw payload. Processed event IDs are recorded so webhook retries cannot apply subscription state twice.

Credential boundaries

Browser-safe

  • Supabase project URL
  • Supabase publishable key
  • Owner-scoped session cookies

Server and worker only

  • Supabase service-role key
  • Direct PostgreSQL connection
  • Stripe and webhook secrets
  • Resend API key

Data lifecycle

Retention follows the plan.

A worker periodically removes audits older than the owner plan allows: 30 days for Free, 90 days for Personal, and 365 days for Agency. CodeRocket migrations are restricted to the isolated cr_* database namespace and never read or modify tables from the previous product.