Release Gate
Before production or enterprise-facing releases:- Rotate or explicitly confirm all production secrets that could have been exposed.
- Verify preview deployments do not expose production secrets or production data.
- Confirm WorkOS callback/logout URLs match approved origins.
- Confirm Stripe webhook signing is active and portal access is bound to the authenticated customer.
- Confirm R2 buckets remain private and object access is owner-scoped.
- Confirm Daytona/browser/sandbox flows cannot inherit provider keys, cloud admin credentials, or long-lived tokens.
- Confirm rate limits protect auth, billing, AI, browser, and sandbox endpoints.
- Confirm logs and alerts cover auth failures, billing anomalies, CSP reports, rate-limit spikes, and abnormal sandbox usage.
Required Code Properties
- Provider keys must never be returned to clients.
- Billing portal, checkout, and top-up flows must bind to the authenticated user.
- Native session transfer must validate PKCE and state.
- Internal API calls should use short-lived service auth, not a static root secret over the wire.
- R2 object keys must be validated against the authenticated owner.
- Sensitive
/api/v1/*routes must use centralized route boundary validation and must not rely on browser-detection headers.
Convex Security Workflow
Ifconvex/ auth, authorization, billing, usage, or storage logic changes:
convex:push:prod for production and convex:push:dev for the dev backend. Do not pass .env.local to production Convex deploy commands.