Security
A minimal but professional foundation focused on tenant isolation and safe defaults.
Multi-tenant org scoping
All API requests are scoped to the authenticated organization to prevent cross-tenant data access.
Session-based authentication
Cookie-based sessions for the web portal (no local token storage in the browser).
Least privilege + separation of concerns
Storage uploads use time-limited signed URLs. Background jobs run separately from web requests.
Cloud-native deployment
Designed for stateless services and horizontal scaling on Google Cloud Run.