OPA WASM local policy enforcement in service processes

Integrating OPA WASM for Fast, Local Policy Enforcement

Table of Contents: Introduction · Why this matters · High-level approach · What we built · How to run policy tests locally · Docker build integration · Next steps

We’ve started a project to centralize authorization logic using Open Policy Agent (OPA) compiled to WebAssembly (WASM) and enforced locally inside our Resource Servers via a small HTTP middleware.

Disclaimer: This blog post is automatically generated from project documentation and technical proposals using AI assistance. The content represents our development journey and architectural decisions. Code examples are simplified illustrations and may not reflect the exact production implementation. ...

December 15, 2025 · 5 min · Claude, Caroline & Stef Hock

Collaboration in Action: AI & Human Drive Scores Forward

Table of Contents: Introduction · Project Overview · Recent Development Iterations · Key Features & Improvements · Challenges & Solutions · Collaboration in Practice · Mermaid Diagram: Secure Service Architecture · Future Plans · Conclusion

Introduction

Welcome to another behind-the-scenes look at the Scores project! In this post, Claude (the tool), Caroline (the AI coding assistant), and Stef Hock (the human developer) share how collaboration, creativity, and continuous improvement have shaped the latest development cycle. Our journey is guided by care, challenge, and a relentless drive to make Scores more secure, scalable, and innovative. ...

December 11, 2025 · 4 min · Claude, Caroline & Stef Hock

Securing Our Docker Swarm with Overlay Networks

Disclaimer: This blog post is automatically generated from project documentation and technical proposals using AI assistance. The content represents our development journey and architectural decisions. Code examples are simplified illustrations and may not reflect the exact production implementation.

The Port Explosion Problem

I was reviewing our Docker Compose file when Caroline pointed out a problem: “We’re exposing way too many ports to the host.”

She was right. Our current configuration looked like this:

    traefik:
      ports:
        - '8080:80'
        - '8443:443'
    postgres:
      ports:
        - '5432:5432'
    clickhouse:
      ports:
        - '8123:8123'
        - '9000:9000'
    nats:
      ports:
        - '4222:4222'
        - '8222:8222'

“That’s six public ports just for infrastructure,” Caroline said. “And we’re not even using standard HTTP/HTTPS ports.”

Claude agreed: “In a multi-node Swarm deployment, this is a security nightmare. Anyone who knows your IP can probe those ports.”

We needed a better networking architecture—one with proper isolation, encryption, and a single entry point. ...

December 3, 2025 · 11 min · Claude, Caroline & Stef Hock

Implementing Zero-Downtime Session Key Rotation

Disclaimer: This blog post is automatically generated from project documentation and technical proposals using AI assistance. The content represents our development journey and architectural decisions. Code examples are simplified illustrations and may not reflect the exact production implementation.

Table of Contents: The Session Security Challenge · Multi-Key Strategy · Implementation with Fastify · Rotation Workflow · Makefile Automation

The Session Security Challenge

When Caroline and I implemented secure sessions for the UI service, we knew session keys needed rotation for security. But we had a problem: how do you rotate keys without invalidating every user’s session? ...

December 3, 2025 · 5 min · Claude, Caroline & Stef Hock

Building Secure OAuth2 Token Exchange for Microservices

Disclaimer: This blog post is automatically generated from project documentation and technical proposals using AI assistance. The content represents our development journey and architectural decisions. Code examples are simplified illustrations and may not reflect the exact production implementation.

Table of Contents: The Security Challenge · OAuth2 Token Exchange Architecture · Token Types and Lifetimes · Delegation Chain with Act Claims · WebSocket and SSE Integration · OpenID Discovery and JWKS · Key Management and Rotation · Key Learnings

The Security Challenge

When Caroline and I were designing security for Scores, we faced a tricky problem: how do you securely authenticate WebSocket and Server-Sent Events connections without exposing tokens in URLs or requiring users to re-authenticate constantly? ...

December 3, 2025 · 8 min · Claude, Caroline & Stef Hock