01 — Source Control & CI/CD Pipeline
Developer Workflow
Local Dev
💻
Local Dev
Vite · TypeScript
🔒
Pre-commit Hook
Secrets scan · Lint
SECURITY
🐙
GitHub
vaultfolio/platform
⚙️
GitHub Actions
CI · Build · Test
Build Matrix
🏗️
Web Build
Vite · React · TSC
🏗️
API Build
esbuild · Node.js
🔍
SAST Scan
CodeQL · Semgrep
SECURITY
📦
Dependency Audit
npm audit · Snyk
SECURITY
✅
Deploy Trigger
Wrangler + Railway
PASS
02 — Edge Security & CDN (Cloudflare)
Cloudflare Edge Network — Global PoPs
User Request
📱
User Browser
iOS · Android · Web
🛡️
CF WAF
OWASP · DDoS
EDGE
🌐
CF DNS + Proxy
vaultfolio.ai
EDGE
📄
CF Pages
app · docs · lab
CDN
CF Pages Domains
🔐
app.vaultfolio.ai
React SPA · Auth
📋
docs.vaultfolio.ai
Investor Portal
🔬
lab.vaultfolio.ai
Data Lab Demo
🚀
api.vaultfolio.ai
→ Railway (proxy)
Security Headers
🔏
HSTS
max-age=63072000
SECURITY
🚫
CSP
default-src 'self'
SECURITY
🖼️
X-Frame-Options
DENY
SECURITY
🔒
Permissions-Policy
camera=() microphone=() geolocation=()
SECURITY
📵
no-store Cache
Sensitive routes
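The header policy listed above, as an added checker that is not part of the vaultfolio/platform code: it audits one response's headers against the values in the diagram, using the full Permissions-Policy feature names (camera, microphone, geolocation), since browsers silently ignore abbreviated tokens. The sensitive-route patterns and the two sample responses are constructed for this example.

```javascript
'use strict';

// Added example, not code from vaultfolio/platform: audits one response's
// headers against the edge header policy shown in the diagram. Route patterns
// and sample responses below are constructed for this example.

const MIN_HSTS_MAX_AGE = 63072000; // two years, the value in the diagram

// Permissions-Policy needs the full feature names; browsers ignore unknown
// tokens such as "cam"/"mic"/"geo", which would leave those features enabled.
const MUST_DISABLE = ['camera', 'microphone', 'geolocation'];

// Routes whose responses must not be cached anywhere (assumed list).
const SENSITIVE_ROUTES = [/^\/api\//, /^\/auth\//, /^\/vault\//];

const lowerKeys = (h) =>
  Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), String(v)]));

function checkHsts(v) {
  if (!v) return 'missing Strict-Transport-Security';
  const m = /max-age=(\d+)/i.exec(v);
  if (!m || Number(m[1]) < MIN_HSTS_MAX_AGE) return `HSTS max-age must be >= ${MIN_HSTS_MAX_AGE}`;
  return null;
}

function checkCsp(v) {
  if (!v) return 'missing Content-Security-Policy';
  const directives = v.split(';').map((d) => d.trim().toLowerCase()).filter(Boolean);
  const def = directives.find((d) => d.startsWith('default-src'));
  if (!def) return 'CSP has no default-src';
  const sources = def.split(/\s+/).slice(1);
  const loose = ['*', "'unsafe-inline'", "'unsafe-eval'", 'data:', 'http:', 'https:'];
  if (sources.some((s) => loose.includes(s))) return `CSP default-src is permissive: ${sources.join(' ')}`;
  if (!sources.includes("'self'") && !sources.includes("'none'")) return "CSP default-src should be 'self'";
  return null;
}

function checkFrameOptions(v) {
  return v && v.trim().toUpperCase() === 'DENY' ? null : 'X-Frame-Options must be DENY';
}

function checkPermissionsPolicy(v) {
  if (!v) return 'missing Permissions-Policy';
  // Collect features set to the empty allowlist "()" (disabled for every origin).
  const disabled = new Set(
    v.split(',').map((d) => d.trim()).filter((d) => /^[a-z-]+=\(\)$/.test(d)).map((d) => d.split('=')[0]),
  );
  const missing = MUST_DISABLE.filter((f) => !disabled.has(f));
  return missing.length ? `Permissions-Policy does not disable: ${missing.join(', ')}` : null;
}

function checkCacheControl(path, v) {
  if (!SENSITIVE_ROUTES.some((re) => re.test(path))) return null;
  const directives = (v || '').toLowerCase().split(',').map((d) => d.trim());
  return directives.includes('no-store') ? null : `Cache-Control on ${path} must include no-store`;
}

// Returns every policy violation for one response; an empty array means pass.
function auditResponse(path, rawHeaders) {
  const h = lowerKeys(rawHeaders);
  return [
    checkHsts(h['strict-transport-security']),
    checkCsp(h['content-security-policy']),
    checkFrameOptions(h['x-frame-options']),
    checkPermissionsPolicy(h['permissions-policy']),
    checkCacheControl(path, h['cache-control']),
  ].filter(Boolean);
}

// Constructed sample responses (not captured from vaultfolio.ai).
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cache-Control': 'no-store',
};
const WEAK_HEADERS = {
  ...GOOD_HEADERS,
  'Permissions-Policy': 'cam=(), mic=(), geo=()', // abbreviated names have no effect
  'Cache-Control': 'public, max-age=600',
};

console.log(auditResponse('/api/valuation', GOOD_HEADERS)); // []
console.log(auditResponse('/api/valuation', WEAK_HEADERS)); // two violations
```

Run it against captured responses from each Pages domain and the API proxy; the CSP check only inspects default-src, so tighten it further if the app adds script-src with nonces or hashes.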
03 — API Layer (Railway)
Railway — ap-southeast-2 — Node.js / Express
API Security
🪪
API Key Auth
Middleware · Bearer
AUTH
⏱️
Rate Limiter
100 req/15 min
SECURITY
🧹
Input Sanitizer
XSS · Injection
SECURITY
🪖
Helmet.js
Security headers
SECURITY
🛣️
Route Handlers
VF500 · Valuation
API Routes
💰
/valuation
Item pricing
🖼️
/image-search
AI recognition
✨
/enrich
Data enrichment
04 — Data Layer (Supabase)
Supabase — ap-southeast-2 — PostgreSQL + Auth + Storage + Edge Functions
Auth Flow
🍎
Apple OAuth
Team K7268PHKD2
🔵
Google OAuth
PKCE · Implicit
🎫
JWT Token
RS256 · 1hr TTL
DB AUTH
🛡️
Row Level Security
user_id = auth.uid()
RLS
🗄️
PostgreSQL
items · categories
DATABASE
Storage
📸
Photo Upload
JPEG · PNG · WebP
🪣
vault-items bucket
Public CDN · RLS
STORAGE
🔗
Signed URLs
Time-limited access
SECURE
Edge Functions
⚡
portal-access-request
Resend → luke@
⚡
claim-item
Mint · Verify · Transfer
⚡
psa-ingest
Registry pipeline
05 — Email Stack
Google Workspace + Resend
Email Flow
📧
Google Workspace
luke@vaultfolio.ai
📬
Resend API
Transactional
🔏
SPF · DKIM · DMARC
Email auth trifecta
SECURITY
📮
Aliases
eng@ · ops@ · billing@ · sec@
Zero Trust Auth
Every API call requires a valid Supabase JWT. Row Level Security ensures users can only access their own data. No admin backdoor on the anon key.
Secrets Management
No secrets in source code. API keys via Railway env vars. Supabase service role key never exposed to the client. Pre-commit hooks scan for exposed credentials.
Edge Security
Cloudflare WAF managed rules (OWASP Core Ruleset) filter injection-style and other request-pattern attacks at the edge before any request reaches origin, with DDoS protection, bot filtering and TLS 1.3 enforced globally. The WAF inspects request shape only; authorization, Row Level Security and input validation still have to hold at the API and database layers.
Supply Chain
GitHub Actions runs CodeQL and Semgrep SAST plus npm audit and Snyk dependency checks on every push. Findings block deployment, so packages with known vulnerabilities do not reach production.