Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.simplefunctions.dev/llms.txt

Use this file to discover all available pages before exploring further.

Encryption

  • At rest — all Postgres data encrypted at rest by Supabase.
  • In transit — TLS 1.2+ everywhere.
  • BYOK exchange keys — AES-256-GCM with per-account derived key. Server stores ciphertext only.
  • Webhook signing — HMAC-SHA256 with per-endpoint secret.

Secrets handling

  • API keys: stored hashed (Argon2). Plain secret shown once on creation, never again.
  • Exchange keys: ciphertext only. Decryption happens in an isolated Trigger.dev process and is erased from memory immediately after use (src/trigger/portfolio-tick.ts:451-457).
  • Webhook secrets: 32-byte random per endpoint, stored encrypted.
  • Internal cron secrets: required to hit /api/cron/* (CRON_SECRET header).

Audit trail

Every async write tags rows with trace_id. The cron_run_log table records every cron execution with status, duration, rows touched, and any errors. Health alerts are written to health_alerts so the heartbeat surface picks them up. See Provenance for the full pattern.

Permissions model

API keys carry scopes (read, write, trade, admin). Live trading requires trade. MCP keys can be restricted to a subset of tools.

Webhook receiver SSRF protection

Webhook endpoints must be HTTPS. SF rejects http://, file://, gopher://, internal IP ranges (RFC1918, link-local, loopback), and any host whose DNS resolves to those.

Vulnerability disclosure

Email security@simplefunctions.dev (or patrick@simplefunctions.dev if security@ bounces). We respond within 24h.

Incident response

We post incidents at simplefunctions.dev/status with timeline, scope, and remediation. Past incidents are kept indefinitely.

See also

Authentication

Auth flavors and BYOK encryption.

Compliance

Regulatory posture.

Provenance

Audit trail mechanics.