Security

Reviewed by counsel pre-launch — final review pending. Material questions can be directed to [email protected].

CAREER iNTEL is built on twelve foundational security controls. We list each here with implementation detail so you can audit our claims against the architecture.

1. Tenant isolation (RLS)

Every multi-tenant table is RLS-protected via PostgreSQL policies. The withUserContext() wrapper sets the per-request user context within a Prisma transaction; ESLint blocks raw Prisma queries outside packages/db/. Testcontainers CI test runs across every PR.

2. OpenBao envelope encryption (ADR-003)

Per-user encrypted columns use AES-256-GCM with a per-call data encryption key (DEK) Transit-wrapped under a per-user master key. Quarterly DEK rotation per ADR-004. Account delete cryptographically shreds the master key — the encrypted records become permanently unreadable.

3. Cloudflare Access on /admin + /ops

Staff admin surfaces are gated by Cloudflare Zero Trust Access policies. The Coolify panel and Payload v3 Admin require IdP authentication + WebAuthn 2FA via the proxy.ts middleware extension.

4. WebAuthn 2FA for staff

Destructive admin paths (/admin/refunds, /admin/users/[id]/hard-delete) require a fresh WebAuthn assertion within a 5-minute window in addition to CF Access. Implemented APPEND-ONLY in proxy.ts (S6b ADM-07).

5. Prompt-injection sanitizer (SAFE-02)

Every user-input field passes through a 36-pattern sanitizer before AI prompt concatenation — control sequences, jailbreak signatures, and suspected encoded payloads stripped.

6. Hallucination guardrail (SAFE-04, CLAUDE.md #13)

Two-layer: regex catches obvious fabrications (years, dollar amounts, companies not in source); cheap-tier LLM validator confirms claim-grounding. Auto-retry once with stricter wording; second reject surfaces user-facing error.

7. 3-layer AI cost guard (CLAUDE.md #15)

Layer 1: per-request 50k token cap. Layer 2: per-user daily Redis bucket keyed by plan tier. Layer 3: global circuit breaker reading monthly burn percentage — falls back to free-tier read-only at 100% spend.

8. 200-profile bias evaluation (SAFE-05, SAFE-06)

Synthetic 200-profile bias eval baseline against scoring + tailoring prompts. Quarterly cadence calendared via .github/workflows/bias-eval.yml (next run: 2026-08-19). chi-square p > 0.05 OR |Δ| Score > 3 fails the workflow + triggers Sentry alert.

9. SBOM + Trivy + Grype + OSV-Scanner (DEP-08)

Every CI build emits a CycloneDX SBOM and scans with three independent vulnerability scanners. Critical CVE in lockfile blocks merge AND release. Coolify image versions gate-checked on every deploy per CLAUDE.md #9.

10. Blue/green Coolify deploy + pgBackRest

14-day rollback retention via Coolify blue/green slots. pgBackRest backups with 30-day retention; restore drill performed within the last 14 days of any launch (DEP-09). Backup tombstones expire after 90 days.

11. staff_access_audit table

Every staff read of user-scoped PII is logged with reason, timestamp, and record ID. Available on SAR request. Audit log retention: 6 years (regulatory).

12. Sentry + Uptime Kuma + Coolify metrics

SaaS Sentry with PII scrubber (cookie, cf-access-jwt, email, IP stripped). 10 Uptime Kuma monitors at status.careerintel.app. Coolify metrics dashboard. Phase 5: OpenTelemetry + Grafana Tempo distributed tracing migration.

Annual pen test (lite scope) reports available under NDA. Email [email protected] to request the latest report.