​

Status

​

Context

• Conditional sections (“If you have dependents, list them”)
• Repeatable groups (“Add another household member”)
• Nested logic (“Show bank info only if direct deposit AND checking account”)

​

Decision

// src/types/schema.ts (simplified)
export type FormElement =
  | TextField
  | ChoiceField
  | GroupField      // Contains nested elements
  | RepeatedField;  // Repeatable group with min/max

export type GroupField = {
  type: "group";
  elements: FormElement[];  // Recursive!
  collapsible?: boolean;
};

​

What We’re Learning

• Schema changes don’t require migrations
• Conditional logic (expression trees) fits naturally
• Export/import forms as JSON files

• Reporting requires parsing JSON (can’t SELECT a specific field)
• Large forms = large payloads (mitigated by server components)

​

Implementation

• Schema: src/types/schema.ts
• Logic engine: src/lib/logic-engine.ts
• Renderer: src/components/engine/renderer.tsx

​

Status

​

Context

• Photo IDs and driver’s licenses
• Tax returns and W-2s
• Medical records and disability documentation
• Bank statements

​

Decision

-- migrations/004_storage_bucket.sql

-- Private bucket - no public access
INSERT INTO storage.buckets (id, name, public)
VALUES ('form-uploads', 'form-uploads', false);

-- ONLY service_role can read files
CREATE POLICY "Service role only read"
ON storage.objects FOR SELECT
TO service_role
USING (bucket_id = 'form-uploads');

// Server action (admin only)
const { data } = await supabaseAdmin.storage
  .from("form-uploads")
  .createSignedUrl(path, 60);  // Expires in 60 seconds

​

Security Model

1. Upload: Anyone (authenticated or anonymous) can upload
2. Storage path: {formId}/{uuid}/{filename} — UUIDs prevent enumeration
3. Read: Only service_role can read — no client-side access
4. Admin download: Server generates signed URL, returns to admin
5. Expiry: URLs expire in 60 seconds

​

What We’re Learning

• Zero public URLs means zero accidental exposure
• Signed URLs provide auditable access patterns
• Supabase handles the complexity

• Extra server hop for every file view
• Can’t use CDN caching (URLs change constantly)

​

Implementation

• Bucket setup: migrations/004_storage_bucket.sql
• Upload component: src/components/engine/fields/files-field.tsx
• Signed URL generation: Server actions in src/app/actions.ts

​

Status

​

Context

​

Decision

// src/lib/auth.ts
export async function authenticateWithCode(code: string): Promise<Session> {
  const { user, accessToken } = await workos.userManagement
    .authenticateWithCode({ clientId, code });

  // Session contains WorkOS user data
  return {
    user: {
      id: user.id,        // WorkOS user ID
      email: user.email,
      firstName: user.firstName,
      // ...
    },
    accessToken,
  };
}

// Check permissions manually
const session = await getSession();
if (!session?.user) throw new Error("Unauthorized");

// Use admin client for database operations
const { data } = await supabaseAdmin
  .from("submissions")
  .select()
  .eq("user_id", session.user.id);

​

What We’re Learning

• WorkOS SSO works seamlessly (SAML, OIDC, social providers)
• Local users table enables custom fields (role, preferences)
• Clean separation: WorkOS = identity, Supabase = data

• RLS policies aren’t automatically enforced (must check permissions in code)
• User sync can drift (mitigated by syncing on each login)
• Service role usage requires careful auditing

​

Future Possibilities

• Role-based access: Store roles in local users table
• Audit logs: Log all service role operations
• Directory sync: WorkOS can push org changes to our users table

​

Implementation

• Auth library: src/lib/auth.ts
• Supabase clients: src/lib/supabase.ts
• Session middleware: src/middleware.ts
• Permission checks: src/app/actions/team.ts

​

Status

​

Context

• Social Security numbers
• Financial documents
• Medical records
• Immigration status

​

Decision

​

Security Utilities (src/lib/security.ts)

​

Multi-Layer Validation

// Example: File upload has 3 layers of protection

// Layer 1: Client sanitizes filename
const safeFileName = cleanFileName(file.name);  // "../../evil.exe" → "evil.exe"

// Layer 2: Server constructs safe path
const path = buildSafeStoragePath(formId, fileId, safeFileName);

// Layer 3: Final validation before storage
const validatedPath = sanitizeStoragePath(path);  // Throws if invalid

​

XSS Prevention

import DOMPurify from 'isomorphic-dompurify';

// Before (vulnerable)
<div dangerouslySetInnerHTML={{ __html: userContent }} />

// After (safe)
<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userContent) }} />

​

What We’re Learning

• Centralized utilities make audits easier
• Automated SAST (Aikido) catches new vulnerabilities in PRs
• Defense-in-depth means individual layer failures don’t cause breaches

• Extra validation adds small latency (~1-2ms)
• Must remember to use security utilities (enforced via code review)
• Some scanners can’t trace data flow through sanitizers

​

Implementation

• Security utilities: src/lib/security.ts
• XSS sanitization: isomorphic-dompurify in client components
• SAST scanning: Aikido integration
• Documentation: docs/guides/security.mdx