The boring parts are done. Properly. Auth, payments, email, security, analytics, deployment, and CI/CD, configured, tested, and working together. Not scaffolded and left for you to figure out.
Supabase Auth with email/password, magic links, and OAuth providers (Google, GitHub). Server-side session management with httpOnly cookies. Row-Level Security policies at the database level. Rate limiting on auth endpoints (5 attempts per 15 minutes per IP). A swappable adapter pattern supports switching to NextAuth, Clerk, or a custom provider.
Stripe integration with a complete webhook handler covering checkout sessions, subscription lifecycle (created, updated, deleted), invoice payments, trial expiry warnings, refunds, and disputes. Failed deliveries are captured in a dead-letter queue and can be replayed, so payment events never disappear silently. Subscription status tracked in the database. Pre-built pricing page and customer portal. Stripe test keys are blocked in production.
Resend API with React Email templates. Five pre-built emails: welcome, password reset, subscription confirmation, payment failed, and trial ending. Email-safe design tokens for consistent styling. i18n support built in.
Row-Level Security at the database level. Input validation with Zod schemas on all forms and server-side re-validation. CSRF protection on API endpoints. Content Security Policy headers. Secret scanning with Gitleaks on every commit. Rate limiting on auth and AI endpoints. Error masking to prevent internal detail leaks. OWASP LLM Top 10 hardening for AI features.
Authorization layers on top of authentication. The floor is Row-Level Security: every table is user-scoped by default and enforced at the database, so data stays isolated even if application code has a bug. Above that, an opt-in RBAC foundation adds teams, roles, invitations, and a role hierarchy (owner, admin, member, viewer). Membership changes run through a service-role layer, so checks hold at three points: the database, the TypeScript service, and the API. Basic teams and roles ship ready to use. Full multi-tenancy (org switching, per-tenant billing) is a foundation you build on, not a finished feature. Attribute-based rules (ABAC) aren't included; the RLS policies are where you'd extend to them.
Soft deletes with deleted_at timestamps instead of permanent removal. RLS policies automatically filter soft-deleted records, so they're invisible to queries but preserved for audit trails and foreign key integrity. Concurrency patterns include SELECT FOR UPDATE locking to prevent race conditions on critical operations and advisory locks for queue processing. Zero-row mutation detection catches silent failures when an update targets a deleted or already-modified record. These patterns ship with the teams and permissions system, not as theoretical docs.
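As an added illustration of the soft-delete pattern described above (constructed example, not Sinter's own migration), the following Postgres SQL assumes a hypothetical `public.projects` table with a `user_id` column and shows the RLS policies that hide soft-deleted rows plus a zero-row mutation check:

```sql
-- Constructed example: soft deletes filtered by RLS, with zero-row detection.
-- Table, column and function names are assumptions, not Sinter's schema.
alter table public.projects add column if not exists deleted_at timestamptz;

alter table public.projects enable row level security;

-- Reads: a user sees only their own rows that are still live.
-- Soft-deleted rows disappear from ordinary queries but stay in the table,
-- so audit queries run with the service role (which bypasses RLS) still see them.
create policy projects_select_own_live on public.projects
  for select using (auth.uid() = user_id and deleted_at is null);

-- Writes: only live rows owned by the caller can be updated, and the row
-- cannot be handed to another user as part of the update.
create policy projects_update_own_live on public.projects
  for update
  using (auth.uid() = user_id and deleted_at is null)
  with check (auth.uid() = user_id);

-- Soft delete as an UPDATE, with zero-row mutation detection: if the row was
-- already deleted (or never belonged to the caller), the UPDATE matches nothing
-- and we raise instead of returning a silent "success".
create or replace function public.soft_delete_project(p_id uuid)
returns void
language plpgsql
security invoker
as $$
declare
  affected integer;
begin
  update public.projects
     set deleted_at = now()
   where id = p_id
     and deleted_at is null;

  get diagnostics affected = row_count;

  if affected = 0 then
    raise exception 'project % not found or already deleted', p_id
      using errcode = 'no_data_found';
  end if;
end;
$$;
```

Because the function runs as `security invoker`, the RLS policies apply inside it, so a caller cannot soft-delete another user's row; the raised error is what the application layer surfaces as a zero-row mutation failure.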
PostHog integration with consent-gated, privacy-first tracking. Blocked by default until the user accepts the consent banner. Proxied through your domain for same-origin requests. Text and attribute masking for session recordings. URL sanitization to strip tokens and emails. AI-specific events log model, tokens, and latency only, never prompts. Queryable by Claude through MCP, so you can pull signups, funnels, and AI cost straight from chat. See Claude Code integration.
30+ GitHub Actions workflows. Type checking, linting, and tests on every pull request. CodeQL analysis, Gitleaks scanning, dependency review, and accessibility audits. Automated PR labeling, bundle size monitoring, database migration validation, and AI-powered code review via CodeRabbit. Post-deploy smoke tests and synthetic monitoring.
Sinter deploys to Vercel through GitHub. Push to your repository and the build runs, tests gate the deploy, and the app goes live. Connect a custom domain and SSL is provisioned automatically. Environment variables are validated with Zod at build time, so a missing or malformed secret fails the build instead of reaching production. Every pull request gets its own preview deployment with a unique URL. The repo ships a full deployment guide covering the first-deploy checklist, environment groups, database migrations, and webhook setup.
Sentry integration pre-configured with source map support. Sanitization of component stacks and sensitive fields. Session recordings optional.
$249 one-time. Lifetime access. Unlimited projects.
Get Sinter: $249