CodeRadar's threat model assumes the system is processing the most sensitive operational data the portfolio's products produce. Architecture is shaped accordingly: project-scoped row isolation, KMS-protected secrets, OpenTelemetry-native auditability, no third-party trackers.
Every event, trace, and span row is keyed by project_id. The query layer enforces project access with row-level checks against Postgres-backed access tables. There is no cross-project data flow at the application layer — a member of project A simply cannot query project B unless explicitly added.
The dashboard's project picker is the only way to switch context. Internally that switches the JWT scope and re-queries. Server-side queries always include the project_id filter; this is enforced at the routing layer, not just the UI.
Public DSN keys are write-only and project-scoped. Personal access tokens are scoped to a list of projects and can be revoked per-token. Slack webhooks, email keys, and webhook secrets are stored as ciphertext in Google Secret Manager; the managed plane reads them via a service-account binding and never sees plaintext outside the in-memory request scope.
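The isolation and credential-scoping rules described above, as an added example that is not CodeRadar's own code: an in-memory SQLite model of the access table and the routing-layer gate, where the project filter comes from the authorized scope rather than from the request, a DSN key can write but not read and stamps rows with its own project, a personal access token scoped to several projects is still cut down by the access table, and the project picker reissues the session scope only after the same membership check. The table names, the `Principal` shape and the function names are assumptions made for illustration.

```python
"""Project isolation at the routing layer, modelled on the page's description.

Added example, not CodeRadar's own code. The table names, the Principal
shape and the function names are assumptions made for illustration.
"""
import sqlite3
from dataclasses import dataclass


class ProjectAccessDenied(Exception):
    """Raised whenever a request would cross a project boundary."""


@dataclass(frozen=True)
class Principal:
    """What the routing layer derives from a validated credential."""
    subject: str
    kind: str              # "user" (dashboard JWT), "pat" (personal access token) or "dsn" (public key)
    project_scope: tuple   # project_ids the credential is scoped to; a dashboard JWT carries exactly one
    revoked: bool = False  # per-token revocation state, looked up when the credential is validated


def build_db():
    """Constructed fixture: two projects, one member each. Not real data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events (id INTEGER PRIMARY KEY, project_id TEXT NOT NULL, message TEXT NOT NULL);
        CREATE TABLE project_members (user_id TEXT, project_id TEXT, PRIMARY KEY (user_id, project_id));
        INSERT INTO events (project_id, message) VALUES
            ('proj_a', 'a: NullPointerException in checkout'),
            ('proj_a', 'a: timeout calling payments'),
            ('proj_b', 'b: 500 on /export');
        INSERT INTO project_members VALUES ('alice', 'proj_a'), ('bob', 'proj_b');
    """)
    return db


def authorize_read(db, principal, project_id):
    """Routing-layer gate for queries: the credential scope AND the access table must both agree."""
    if principal.revoked:
        raise ProjectAccessDenied("credential revoked")
    if principal.kind == "dsn":
        raise ProjectAccessDenied("DSN keys are write-only")
    if project_id not in principal.project_scope:
        raise ProjectAccessDenied(f"credential not scoped to {project_id}")
    member = db.execute(
        "SELECT 1 FROM project_members WHERE user_id = ? AND project_id = ?",
        (principal.subject, project_id),
    ).fetchone()
    if member is None:
        # A PAT may carry a broader scope than its owner actually holds; the access table wins.
        raise ProjectAccessDenied(f"{principal.subject} is not a member of {project_id}")


def list_events(db, principal, project_id, search=None):
    """Server-side query: the project_id filter is always present and comes from the authorized scope."""
    authorize_read(db, principal, project_id)
    sql = "SELECT id, message FROM events WHERE project_id = ?"
    params = [project_id]
    if search:
        # Client-supplied filters are ANDed after the project filter, never used instead of it.
        sql += " AND message LIKE ?"
        params.append(f"%{search}%")
    return db.execute(sql, params).fetchall()


def ingest_event(db, principal, message):
    """Ingest path: a DSN key is write-only and bound to one project; the row's project_id
    is taken from the key, not from anything in the payload."""
    if principal.revoked or principal.kind != "dsn" or len(principal.project_scope) != 1:
        raise ProjectAccessDenied("ingest requires a valid single-project DSN key")
    (project_id,) = principal.project_scope
    cur = db.execute("INSERT INTO events (project_id, message) VALUES (?, ?)", (project_id, message))
    return cur.lastrowid


def switch_project(db, principal, new_project_id):
    """Dashboard project picker: reissue the session with the new scope after the same membership check."""
    if principal.kind != "user":
        raise ProjectAccessDenied("only dashboard sessions switch context")
    member = db.execute(
        "SELECT 1 FROM project_members WHERE user_id = ? AND project_id = ?",
        (principal.subject, new_project_id),
    ).fetchone()
    if member is None:
        raise ProjectAccessDenied(f"{principal.subject} is not a member of {new_project_id}")
    return Principal(principal.subject, "user", (new_project_id,), principal.revoked)
```

The point worth copying is that `list_events` never accepts a project filter from the caller that has not first passed `authorize_read`, and that `ingest_event` ignores any project identifier a client might put in the payload.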
Self-hosted deployments use the same architecture; the Helm chart binds to AWS KMS, GCP KMS, or HashiCorp Vault for the encryption-at-rest envelope.
Three public endpoints: ingest.coderadar.app, api.coderadar.app, cdn.coderadar.app. All TLS 1.3, all behind Google Cloud Armor (managed plane). The dashboard at app.coderadar.app requires a Clerk session.
Outbound traffic from CodeRadar is restricted to your configured channels (Slack, email, webhook) and the model-backend endpoints used by the AI fix pipeline (when opted in). There is no telemetry phone-home.
Within the Goodventures org, CodeRadar is multi-tenant on project boundaries. Cross-tenant data flow at the application layer is prevented by the same row-level checks. The same approach applies to the managed-external tier when it lands.
The audit_log table records every state-changing action: alert rule changes, project member changes, DSN rotation, retention overrides. Audit-log exports are per-project and authenticated with a personal access token. A SOC 2 Type I evidence pack is in progress; the report is expected by end of 2026.
SDKs ship with a default scrub list (auth headers, password fields, common PII patterns). Override it per project via beforeSend in the SDK init. Server-side, and independently of how a project has configured its SDK, ingest applies a second-layer scrub for known credential patterns (Slack tokens, OpenAI keys, Stripe live keys) so that secrets matching those patterns never land in the events table.
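The two-layer scrub, as an added example that is not CodeRadar's SDK or ingest code: a default SDK scrub list, a beforeSend override modelled as a hook that replaces that default, and an ingest-side scrub for the three credential formats the page names. The event shape, field names and regexes are assumptions; the token prefixes follow the vendors' published key formats. The second run in the test shows the caveat a practitioner should keep in mind: a project that overrides beforeSend with a no-op leaks the password, the card number and the Authorization header, because the ingest scrub only catches the credential formats it knows.

```python
"""Two-layer scrub: SDK default scrub list, beforeSend override, ingest credential scrub.

Added example, not CodeRadar's SDK or ingest code. The event shape, the
field names and the regexes are assumptions made for illustration.
"""
import re

REDACTED = "[Filtered]"

# Layer 1 (SDK default scrub list): header and field names whose whole value is dropped,
# plus generic PII patterns applied inside every string.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key", "proxy-authorization"}
SENSITIVE_FIELDS = {"password", "passwd", "secret", "token", "credit_card"}
PII_PATTERNS = [
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),   # email addresses
    re.compile(r"\b(?:\d[ -]?){13,16}\b"),         # card-number-like digit runs
]

# Layer 2 (ingest): known credential formats, applied regardless of the SDK configuration.
# Prefixes follow the vendors' published formats; the list here is illustrative, not exhaustive.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}"),   # Slack bot/user/app tokens
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),          # OpenAI-style secret keys
    re.compile(r"\b[sr]k_live_[A-Za-z0-9]{16,}"),    # Stripe live secret / restricted keys
]


def _walk(obj, sensitive_keys, patterns):
    """Return a redacted copy: whole values under sensitive keys, pattern matches inside strings."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if str(key).lower() in sensitive_keys:
                out[key] = REDACTED
            else:
                out[key] = _walk(value, sensitive_keys, patterns)
        return out
    if isinstance(obj, list):
        return [_walk(value, sensitive_keys, patterns) for value in obj]
    if isinstance(obj, str):
        for pattern in patterns:
            obj = pattern.sub(REDACTED, obj)
        return obj
    return obj


def sdk_default_scrub(event):
    """Layer 1: what the SDK applies before sending unless the project overrides it."""
    return _walk(event, SENSITIVE_HEADERS | SENSITIVE_FIELDS, PII_PATTERNS)


def ingest_scrub(event):
    """Layer 2: server-side backstop for known credential formats; key names are not consulted."""
    return _walk(event, set(), CREDENTIAL_PATTERNS)


def ingest_pipeline(event, before_send=None):
    """SDK side: the default scrub, or the project's beforeSend override in its place
    (returning None drops the event). Ingest side: the credential scrub always runs."""
    sent = before_send(event) if before_send is not None else sdk_default_scrub(event)
    if sent is None:
        return None
    return ingest_scrub(sent)


# Constructed sample event; every value below is made up.
SAMPLE_EVENT = {
    "message": "upstream call failed for user ops@example.com; retry with token xoxb-123456789012-abcdefghijklmnop",
    "request": {
        "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig", "User-Agent": "curl/8.0"},
        "data": {"password": "hunter2", "card": "4111 1111 1111 1111", "note": "sk_live_abcdefghijklmnopqrstuvwx"},
    },
    "extra": {"openai": "sk-proj-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"},
}
```

The ingest scrub deliberately ignores key names: it is a pattern backstop, so a beforeSend override that disables the default list still leaks anything the three credential regexes do not recognise.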
The Apache 2.0 CodeWatch core can be run entirely on your own infrastructure with no outbound dependency on us. Run it air-gapped, run it in a sovereign cloud, run it in a customer's VPC. The protocol does not require the managed plane.
Reports go to [email protected]. A PGP key fingerprint and the coordinated-disclosure policy are available on request. Critical reports are acknowledged within one business day and triaged within three.
In-scope: CodeRadar managed-plane vulnerabilities, SDK vulnerabilities, ingest/query auth bypass, project-isolation breaks, source-map fetch flaws. Out-of-scope: denial-of-service against the marketing site; social engineering of staff; physical attacks. Eligible reports receive a bounty under our coordinated-disclosure program.