Security Checklist

Dependency scans, secret rotation, and access review

Dependency Scans

Run:

$ pnpm security:deps

Minimum cadence: weekly and before releases.

Secret Rotation (Quarterly)

Rotate these on a regular schedule or after any suspected exposure:

  • BETTER_AUTH_SECRET
  • ENCRYPTION_KEY
  • CLOUDFLARE_R2_*
  • OPENROUTER_API_KEY
  • COMPOSIO_API_KEY
  • E2B_API_KEY
  • GITHUB_TOKEN
  • DISPATCHER_API_KEY

Process:

  1. Create new secrets in the provider.
  2. Update deployment environment variables.
  3. Restart services.
  4. Verify auth, uploads, agents, and integrations.
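A preflight check for steps 2 and 3 above, added here as an example rather than as part of the project's own tooling: it reports any rotated secret that is unset or empty before services are restarted. It assumes the names are exactly those listed in this checklist and that CLOUDFLARE_R2_* means every exported variable with that prefix.

```shell
#!/bin/sh
# Names taken from the rotation list in this checklist (assumed to be complete).
# The CLOUDFLARE_R2_* entry is kept literal and expanded against the environment.
ROTATED_SECRETS="BETTER_AUTH_SECRET ENCRYPTION_KEY CLOUDFLARE_R2_* OPENROUTER_API_KEY COMPOSIO_API_KEY E2B_API_KEY GITHUB_TOKEN DISPATCHER_API_KEY"

# expand_names: print the variable names an entry refers to, one per line.
# A wildcard entry such as CLOUDFLARE_R2_* yields every exported variable
# starting with that prefix; a plain name is printed as-is.
expand_names() {
  case "$1" in
    *\*)
      prefix=${1%\*}
      env | sed -n "s/^\(${prefix}[A-Za-z0-9_]*\)=.*/\1/p"
      ;;
    *)
      printf '%s\n' "$1"
      ;;
  esac
}

# missing_secrets: print every required secret that is unset or empty and
# return 1 if any was found, 0 otherwise. A wildcard entry that matches no
# variable at all is reported as missing too.
missing_secrets() {
  rc=0
  set -f   # keep the '*' entry from being glob-expanded against the filesystem
  for entry in $ROTATED_SECRETS; do
    names=$(expand_names "$entry")
    if [ -z "$names" ]; then
      printf '%s (no variables match)\n' "$entry"
      rc=1
      continue
    fi
    for name in $names; do
      eval "value=\${$name:-}"
      if [ -z "$value" ]; then
        printf '%s\n' "$name"
        rc=1
      fi
    done
  done
  set +f
  return "$rc"
}

# Usage: run after updating the deployment environment and before restarting.
# missing_secrets || { echo "refusing to restart: secrets missing" >&2; exit 1; }
```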

Access Review

  • Audit admin users in user.role.
  • Rotate API keys for dormant users.
  • Remove unused OAuth providers.

Security Headers

Production security headers are enforced in apps/api/index.ts.