Built like the platform team it replaces.
Security is a load-bearing differentiator for a platform handling member rosters, revenue data, and PII for hundreds of communities. Every layer below is shipped today — the same posture the platform team would have demanded if you'd hired them.
Seven pillars of trust.
The architecture, the controls, the defaults. No platform-team handwave — every claim maps to code already in production.
Authentication
- 1-hour JWT access tokens (HS256) in httpOnly cookies — short-lived by design.
- 30-day refresh tokens stored in Valkey with atomic rotation via a 4-key Lua script — no race conditions.
- Family revocation on reuse-attack detection — a stolen refresh token wipes the entire token family on next use.
- Fail-closed on Valkey unavailability — refresh returns 503 rather than skipping the revocation check.
- Native email + password with strength validation, environment-aware secure / sameSite cookie settings, configurable cookie domain for cross-subdomain support.
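The rotation path described above, as an added example rather than the platform's own code: an in-memory class stands in for the Valkey Lua script, `rotate()` is the critical section that script makes atomic, and the key layout (`rt:<token>`, `fam:<familyId>`) is an assumption for illustration.

```typescript
// Added example, not the platform's code. Retired tokens stay mapped to their
// family (in Valkey they would carry the 30-day TTL) so that a replay is detectable.
export type RefreshResult =
  | { status: 200; token: string }
  | { status: 401; reason: "unknown" | "reuse" }
  | { status: 503 };

export class RefreshTokenStore {
  available = true;                                 // set false to simulate a Valkey outage
  private tokens = new Map<string, string>();       // rt:<token>     -> familyId (live or retired)
  private current = new Map<string, string>();      // fam:<familyId> -> the single live token
  private members = new Map<string, Set<string>>(); // every token ever issued to a family

  /** Login: start a fresh family with one live token. */
  issue(familyId: string, token: string): void {
    this.tokens.set(token, familyId);
    this.current.set(familyId, token);
    this.members.set(familyId, new Set([token]));
  }

  /** Wipe every token of a family: the response to a retired token being replayed. */
  revokeFamily(familyId: string): void {
    for (const t of this.members.get(familyId) ?? new Set<string>()) this.tokens.delete(t);
    this.current.delete(familyId);
    this.members.delete(familyId);
  }

  /** Exchange `presented` for `next`. Only the family's live token may rotate. */
  rotate(presented: string, next: string): RefreshResult {
    if (!this.available) return { status: 503 };  // fail closed: never skip the check
    const familyId = this.tokens.get(presented);
    if (familyId === undefined) return { status: 401, reason: "unknown" };
    if (this.current.get(familyId) !== presented) {
      // A retired token came back, so at least two parties hold copies: kill the family.
      this.revokeFamily(familyId);
      return { status: 401, reason: "reuse" };
    }
    this.tokens.set(next, familyId);              // old token stays mapped as retired
    this.members.get(familyId)!.add(next);
    this.current.set(familyId, next);
    return { status: 200, token: next };
  }

  /** True only for the token the family currently accepts. */
  isLive(token: string): boolean {
    const f = this.tokens.get(token);
    return f !== undefined && this.current.get(f) === token;
  }
}
```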
Authorisation (RBAC)
- Five roles — member, coach, admin, super_admin, support — gated globally by an onRequest Fastify hook that checks approval status.
- Per-route requireRole(...) decorators on every protected handler.
- Tier-based feature access via requireTierAccess(featureKey) — billing and capability checks in a single call.
- Per-tenant PlatformPermission enum (platform__leads__read, platform__leads__approve, …) for super-admin granularity.
- Read-only impersonation enforced by blocking POST / PUT / PATCH / DELETE for the support role.
Multi-tenant isolation
- Every database row carries tenantId — never optional, never implicit.
- Every Valkey key, file path, queue job, and Qdrant collection is tenant-namespaced.
- Cross-tenant access requires an explicit requireSuperAdmin() check — there is no shared-by-default surface.
Secret management
- All third-party API keys are envelope-encrypted at rest (AES-256-GCM via a KMS-backed master key).
- Secrets resolved through a lazy DB-first reader with a 5-minute Valkey TTL — rotation takes effect within seconds, no deploy required.
- Bootstrap secrets (DB URL, JWT secrets, encryption keys) stay in environment variables; everything else lives in the encrypted DB store.
Webhook security
- Outbound webhooks signed with per-endpoint HMAC secrets — receivers can verify integrity and origin.
- Inbound webhooks (Resend, Stripe, Zoom) verified with the provider-specific signature scheme — Svix, Stripe-Signature, Zoom JWT.
Data integrity
- Member approval gating prevents pending or rejected users from accessing app data.
- Welcome post approval queue prevents AI-drafted intros from publishing without admin review.
- Wallet drift detector reconciles ledger sums against balances nightly, with alerting.
- Connection state machine prevents invalid pipeline transitions.
- Every admin action on a member emits an audit-log entry.
PII protection
- AI traces redact PII from routingReason, delegationDecision, and error columns before they ever land in observability.
- Public sharing slugs are 12-character random strings — no enumeration, no scraping.
- Map view honours per-member granularity preferences (city / region / country / hidden).
The stack, in one place.
Boring choices where boring wins. State-of-the-art where it earns its keep. Every vendor below is one we'd defend in a customer architecture review.
- Frontend: Next.js 16 (App Router) · React 19 · Tailwind CSS v4 · TypeScript
- Backend: Fastify 5 · Prisma ORM · TypeScript
- Database: PostgreSQL — DigitalOcean Managed
- Cache + queues + WebSocket pub/sub: Valkey — Redis-compatible, DigitalOcean Managed
- AI: OpenRouter — Llama 3.3 70B · Llama 3.1 8B · Llama 3.2 11B Vision
- Embeddings + reranking: Cohere
- Vector DB: Qdrant Cloud
- Voice: Deepgram
- File storage: DigitalOcean Spaces — S3-compatible
- Email: Resend
- Payments: Stripe — multi-gateway abstraction-ready
- CDN + DNS + WAF: Cloudflare
- Deployment: DigitalOcean droplets · active-active blue/green · Caddy reverse proxy
- CI/CD: GitHub Actions — reusable workflows, OIDC, Depot acceleration, Trivy scanning
- Observability: Sentry (errors) · PostHog (product analytics + LLM observability) · AiTrace (AI tracing)
- Super Admin SPA: Vite · React 19 · TanStack Router · TanStack Query · Radix
See the full source of truth in the platform's knowledge base. Every dependency is pinned, audited via Trivy on every CI run, and ratchet-updated on a documented cadence.
Apply to launch your community.
Sebastian reads every reply. We'll align on fit, walk you through the platform, and stand up your tenant on a custom domain in under a day.