Security
This page focuses on practical production hardening for the Mission Control web console and gateway. Use it as a checklist when preparing pilots, enterprise evaluations, and public demos.
Keep SUPABASE_SERVICE_ROLE_KEY server-only (Gateway). Web uses NEXT_PUBLIC_SUPABASE_ANON_KEY only. Configure Vercel environment variables per project and avoid committing real secrets to git.
In Supabase Auth, set Site URL to your production domain and add Redirect URLs for production + preview. Keep callback route at /auth/callback and validate next= redirects to prevent open redirects.
Enable RLS for all tenant-scoped tables. Ensure policies restrict reads/writes to authenticated users in the same org/workspace. Prefer RPC for privileged actions.
Gateway should enforce basic rate limits per user/org (token bucket). Start with conservative limits and tune with real usage. Protect expensive routes (chat, embeddings, agent runs).
Log correlation IDs across Web and Gateway. Capture agent run IDs, mission IDs, and tool-call summaries. For production, ship logs to a managed sink (e.g., Vercel Log Drains).
Lock gateway CORS to your Web origin(s). For Vercel previews, allow *.vercel.app only if you accept the risk; otherwise restrict to specific preview URLs.
- 1) Set Vercel env vars for Web and Gateway (no secrets in Web).
- 2) Configure Supabase Auth providers and redirect URLs.
- 3) Apply RLS policies and validate with test users.
- 4) Confirm Gateway base URL in NEXT_PUBLIC_GATEWAY_URL.
- 5) Run pnpm build locally for both projects; fix any route typing warnings.