Integrations

Billing, subscription lifecycle, payment processing.

Stripe → us via signed webhooks; us → Stripe via API.

Webhook signature verification + API key.

Stripe owns payment data; we own the local subscription mirror.

Outage degrades signups, not existing tenant runtime; webhook drop → daily reconciliation (planned).

Every webhook event recorded to audit trail; idempotency via provider_event_id.

Revoke API key, remove webhook endpoint; in-flight subscriptions remain intact.

Vercel

TLS edge, static + serverless hosting, deployment surface.

TLS terminates at Vercel edge; serverless functions execute in their managed runtime.

outbound

Dashboard SSO + git-based deploy on main push.

Vercel owns the runtime; we own application code, env vars, and deployment manifest.

Regional outage takes the platform offline. No alternate-hosting failover today.

Per-commit deployment statuses to the GitHub deployments API; build-time source-map gate enforced.

Instant rollback via Vercel dashboard; or git revert + push.

Neon Postgres

CompleteBlocked

Primary OLTP database — tenant data, sessions, audit log, billing mirror.

Encrypted at rest by Neon; TLS in transit; single region today.

Connection string with credentials (DATABASE_URL).

Neon owns storage and PITR; we own schema, migrations, integrity.

Outage takes the platform offline; PITR is the documented recovery path.

/health probe checks DB liveness; restore runbook documented.

PITR for data; Alembic downgrade for schema (additive migrations are reversible).

Resend

Transactional email — registration, password reset, MFA setup.

Outbound — recipient address + templated body sent over HTTPS.

Resend owns delivery and bounce handling; we own templates and triggers.

Email failure degrades auth-flow UX (password reset, MFA setup); does not block existing sessions.

Structured-log line per send with correlation id; provider response recorded.

Rotate API key; swap provider via the abstracted email interface.

Anthropic

Outbound LLM inference for agent runtime.

Prompts and tool-call payloads leave the environment for inference; responses return.

Per-tenant or platform-owned API key.

Anthropic owns inference; we own routing, prompt, and response handling.

Typed errors (auth / rate-limit / 5xx / timeout); routing-plane fallback to alternate provider when configured.

Adapter typed errors, per-call provider response auditing.

Disable adapter via routing config; rotate API key.

OpenAI

Outbound LLM inference for agent runtime.

Same as Anthropic — prompts and tool-call payloads leave the environment for inference.

Per-tenant or platform-owned API key.

OpenAI owns inference; we own routing, prompts, response handling.

Same typed-error pattern as Anthropic; routing-plane fallback applies.

Adapter typed errors, per-call provider response auditing.

Disable adapter via routing config; rotate API key.

Slack

Scaffolded

Per-tenant workspace integration for notification + agent-action surfaces.

Per-tenant OAuth-scoped access token; tokens encrypted at rest.

OAuth 2.0 with token rotation on standard refresh flow.

Slack owns the workspace and the OAuth grant; we own per-tenant token storage and connector logic.

Outage degrades notifications for connected tenants; rest of the environment is unaffected.

OAuth grant + revoke events are audit-loggable; per-tenant connector state visible in registry.

Tenant disconnects connector or revokes grant in Slack admin; per-tenant token row is removed.

OpenTelemetry

ScaffoldedNot enabled

Distributed tracing + structured-log export.

Outbound only when activated; vendor-neutral — deployment chooses the exporter target.

outbound

Vendor-specific via OTEL_EXPORTER_OTLP_HEADERS.

Adapter is owned in this repo; deployment chooses vendor and endpoint.

Exporter failure does not affect runtime — adapter degrades to no-op safely.

Self-evident; emission gated by OTEL_ENABLED.

Unset OTEL_EXPORTER_OTLP_ENDPOINT; spans stop emitting on the next process.

Sentry

ScaffoldedNot enabled

Application error capture and aggregation.

Outbound — errors with stack traces would leave the environment if DSN is set.

outbound

DSN (Sentry-issued URL with embedded credential).

Sentry owns aggregation; we own the frontend SDK + 3 configs and the planned PII scrubber.

None today — DSN unset in Vercel production, SDK initializes as no-op, captureException calls degrade silently.

Self-instrumentation only when DSN is set; backend errors flow through structured logging.

Unset DSN env vars in Vercel; configs become no-op on next deploy.

GitHub + Actions

Source-of-truth code, CI runner, deployment hook surface.

Source code on GitHub; CI runners on GitHub-managed compute; main push triggers production deploy.

SSH keys for git; GitHub App token for deployment-status surface.

GitHub owns hosting and runner compute; we own workflows and the deployment manifest.

Outage prevents new deploys; running production surface is unaffected.

Per-commit check runs (Sanity / Lint / Unit Tests / CI Summary); deployment-status events for both Vercel projects.