Auth
- Convex auth with middleware route protection
- Server-side role checks
Webhooks
- Signature verification (e.g., GitHub) before processing
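
The webhook check above, as an added example that is not this project's own code: it verifies GitHub's `X-Hub-Signature-256` header (HMAC-SHA256 over the raw body) before any parsing happens. The function names, the handler shape and the sample secret and payload are hypothetical and constructed for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Verify a GitHub-style signature over the RAW request body.
// signatureHeader is the X-Hub-Signature-256 value: "sha256=<hex digest>".
function verifyGithubSignature(
  rawBody: string | Buffer,
  signatureHeader: string | undefined,
  secret: string,
): boolean {
  if (!secret || !signatureHeader) return false; // fail closed
  const prefix = "sha256=";
  if (!signatureHeader.startsWith(prefix)) return false;
  const providedHex = signatureHeader.slice(prefix.length);
  // A SHA-256 digest is 32 bytes, i.e. exactly 64 hex characters.
  if (!/^[0-9a-f]{64}$/i.test(providedHex)) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const provided = Buffer.from(providedHex, "hex");
  // Constant-time comparison; lengths are checked first because
  // timingSafeEqual throws on buffers of different length.
  return provided.length === expected.length && timingSafeEqual(provided, expected);
}

// Hypothetical handler: verify first, parse only afterwards.
function handleWebhook(
  rawBody: string,
  headers: Record<string, string | undefined>,
  secret: string,
): { status: number; event?: unknown } {
  if (!verifyGithubSignature(rawBody, headers["x-hub-signature-256"], secret)) {
    return { status: 401 };
  }
  try {
    return { status: 200, event: JSON.parse(rawBody) };
  } catch {
    return { status: 400 }; // authentic sender, malformed payload
  }
}

// Constructed sample values, used only to exercise the functions above.
const SAMPLE_SECRET = "constructed-test-secret";
const SAMPLE_BODY = '{"action":"opened","number":1}';
function sign(body: string, secret: string): string {
  return "sha256=" + createHmac("sha256", secret).update(body).digest("hex");
}
```

The signature must be computed over the bytes exactly as received; re-serializing parsed JSON before hashing will produce a different digest and reject valid deliveries.
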
RBAC
- Roles checked in Convex functions and protected UI
Data hygiene
- Strict TypeScript types; no any
- Validate inputs at edges
