Status

live

Integration health

Every external service this project talks to is optional. Missing credentials don't break the app — they degrade to a graceful fallback. This page shows which paths are currently live.

Database (Neon Postgres)
required
Connected to a Postgres instance — every authenticated flow works end-to-end.
● live
Auth.js (JWT)
required
JWT session strategy configured.
● live
GitHub OAuth
required
Sign in with GitHub is live (recommended for reviewers).
● live
Google OAuth
optional
Sign in with Google is live (still in Google's Testing status — only pre-registered users).
● live
Gemini 2.5 Flash (Knowlex)
optional
/playground streams live Gemini 2.5 Flash answers. Per-IP + global budget caps in place. More →
● live
Pusher Channels (realtime)
optional
broadcast() is a no-op; board state refreshes on your own mutations. Free-tier Pusher Sandbox (200k msg/day) is enough to enable.
● demo / fallback
Resend (invitation emails)
optional
Invites still succeed — the accept URL is surfaced in the UI and logged to the server console; Resend delivery just doesn't fire.
● demo / fallback

Cost stance

$0/month under adversarial traffic. Full threat model in COST_SAFETY.md.

Security headers

A on securityheaders.com — rolled back from A+ (nonce + strict-dynamic) to a static CSP per ADR-0040 to fix Vercel platform-script hydration.

API contract

OpenAPI 3.1 served at /api/openapi.json, interactive reference at /docs/api.

Integration health

Database (Neon Postgres)

Auth.js (JWT)

GitHub OAuth

Google OAuth

Gemini 2.5 Flash (Knowlex)

Pusher Channels (realtime)

Resend (invitation emails)

Cost stance

Security headers

API contract