
Security

Designed for controlled website factory workflows.

MasterEngine is in private alpha. The current posture prioritizes gated app access, hosted secrets, reviewed public content, cost guardrails, and clear side-effect boundaries.

Private app routes

Dashboard, project, billing, and mutation routes are gated behind alpha access while production authentication is hardened; nothing that changes state is reachable without it.

Hosted secrets

Supabase, OpenAI, Stripe, admin, and cron secrets belong in hosted environment variables or untracked local env files, never in committed code or public client bundles.

Workflow controls

Usage, billing, review, and deployment guardrails are evaluated before any expensive execution (model calls, builds, deployments) starts, so a single request cannot run up cost unchecked.

Reviewed publishing

Only reviewed public pages should be indexable. Drafts and internal tooling stay out of the sitemap and carry noindex.

Current security checklist

  • Keep app routes noindexed (meta tag or X-Robots-Tag header) and disallowed in robots.txt. robots.txt is advisory only, so it complements the access gate rather than replacing it.
  • Validate every mutation server-side in the route handler against a schema; client-side validation is a convenience, not a control.
  • Verify Stripe webhook signatures and store events idempotently keyed by event id, so retried deliveries are never processed twice.
  • Keep generated directives in a review state until approved; no external side effect (deploy, publish, charge) runs from an unreviewed directive.
  • Avoid fabricated claims, fake testimonials, and unreviewed AI content.
  • Add account-scoped authentication and authorization (each account sees only its own projects) before opening access beyond the alpha cohort.
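As an added example (not MasterEngine's own code, and independent of the Stripe SDK), the core of a webhook route handler that verifies the signature using Stripe's documented scheme (header `t=<unix timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`), rejects stale timestamps, and records each event id before acting so a retried delivery is a no-op. The in-memory Map, the 300-second tolerance, and all names are assumptions; in production the store is a database table with a unique constraint on the event id, and the insert must happen before the side effect.

```typescript
// Added example, not MasterEngine's code. Assumes Stripe's documented
// signature format; the Map stands in for a DB table with a unique event id.
import { createHmac, timingSafeEqual } from "crypto";

// Replay window. Stripe's default tolerance is 300 s; treat this as an assumption.
const TOLERANCE_SECONDS = 300;

// Builds a Stripe-style signature header for a raw body (used by tests and
// by the constructed sample below; Stripe does this on its side).
function signPayload(secret: string, timestamp: number, rawBody: string): string {
  const sig = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${sig}`;
}

// Parses the header, checks the timestamp is fresh, and compares the HMAC in
// constant time. The timestamp used for the HMAC is the one from the header,
// so an attacker cannot move it without invalidating the signature.
function verifySignature(secret: string, header: string, rawBody: string, now: number): boolean {
  const parts = new Map<string, string[]>();
  for (const kv of header.split(",")) {
    const idx = kv.indexOf("=");
    if (idx < 0) return false;
    const key = kv.slice(0, idx).trim();
    const val = kv.slice(idx + 1).trim();
    const list = parts.get(key) ?? [];
    list.push(val);
    parts.set(key, list);
  }
  const tsStr = parts.get("t")?.[0];
  const sigs = parts.get("v1") ?? [];
  if (!tsStr || sigs.length === 0) return false;
  const ts = Number(tsStr);
  if (!Number.isInteger(ts)) return false;
  if (Math.abs(now - ts) > TOLERANCE_SECONDS) return false; // stale or future-dated: replay
  const expected = Buffer.from(
    createHmac("sha256", secret).update(`${ts}.${rawBody}`).digest("hex"),
    "utf8"
  );
  return sigs.some((s) => {
    const got = Buffer.from(s, "utf8");
    return got.length === expected.length && timingSafeEqual(got, expected);
  });
}

type WebhookOutcome = "rejected" | "processed" | "duplicate";

class WebhookProcessor {
  private readonly secret: string;
  // event id -> event type. Stand-in for a table with UNIQUE(event_id).
  private readonly seen = new Map<string, string>();
  // Side effects actually performed, kept so callers can inspect them.
  readonly ledger: string[] = [];

  constructor(secret: string) {
    this.secret = secret;
  }

  // Order matters: verify first, then claim the event id, then act.
  handle(rawBody: string, sigHeader: string, now: number): WebhookOutcome {
    if (!verifySignature(this.secret, sigHeader, rawBody, now)) return "rejected";
    let event: { id?: unknown; type?: unknown };
    try {
      event = JSON.parse(rawBody);
    } catch {
      return "rejected";
    }
    if (typeof event.id !== "string" || typeof event.type !== "string") return "rejected";
    if (this.seen.has(event.id)) return "duplicate"; // retried delivery: no second side effect
    // In a DB this is INSERT ... ON CONFLICT DO NOTHING; act only if a row was inserted.
    this.seen.set(event.id, event.type);
    this.ledger.push(`${event.type}:${event.id}`); // placeholder for the real side effect
    return "processed";
  }
}

// Constructed sample: one event delivered twice, once tampered, once replayed late.
const demoSecret = "whsec_example_only";
const demoBody = JSON.stringify({ id: "evt_example_1", type: "checkout.session.completed" });
const demoNow = 1_700_000_000;
const demoHeader = signPayload(demoSecret, demoNow, demoBody);
const demo = new WebhookProcessor(demoSecret);
console.log(demo.handle(demoBody, demoHeader, demoNow));          // processed
console.log(demo.handle(demoBody, demoHeader, demoNow + 5));      // duplicate
console.log(demo.handle(demoBody.replace("evt_example_1", "evt_x"), demoHeader, demoNow)); // rejected
console.log(demo.handle(demoBody, demoHeader, demoNow + 1000));   // rejected (stale)
```

The route handler must hand `verifySignature` the raw request body bytes as received; parsing and re-serialising the JSON first changes the string and breaks the HMAC. The duplicate check is only safe under concurrency when the store enforces uniqueness itself, which is why the production version inserts the event id and branches on whether the insert succeeded.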