Architecture & SLOs

• Frontend & API: TanStack Start on Cloudflare Workers (edge SSR + server functions).
• Database: Managed Postgres with row-level security; one row per tenant on every fact table.
• Ingest: Shopify webhooks → signed HTTP route → Postgres; bulk-history sync jobs run as background tasks with idempotent upserts.
• Auth: Supabase Auth (JWT). Server-side functions verify the bearer token on every call.

• Every user-data table has organization_id + RLS policy gated on auth.uid() membership.
• Service-role writes (sync workers, simulations) bypass RLS but are scoped to a single org per job.
• Demo & simulation orgs carry is_demo/is_simulation flags, surfaced in the admin console.

• Worker-friendly batching. Long jobs (bulk sync, simulations) are split into ≤10s server-fn invocations and chained from the client. No single Worker request runs past its CPU budget.
• Indexed hot paths. orders (organization_id, sku_id, ordered_at) and stock_history (organization_id, sku_id, date) are the queries we measure in /status.
• Webhook idempotency. Shopify event IDs are deduped at insert via unique constraint; replay storms are absorbed.
• Realtime view-models. Dashboard counts come from materialized aggregates updated by triggers, not SELECT COUNT(*) at request time.

A nightly GitHub Actions workflow runs a k6 load test against the published API and posts results to load_test_runs. On demand, SuperAdmins can spin up a 500k-order synthetic tenant via the scale-sim harness — it runs the real ingest + analytics path and emits a token-gated /scale-report/$token page anyone can review.

• This is a small platform run by a small team. The numbers above come from continuous measurement, not marketing.
• We publish failures: every degraded interval shows on /status.
• Scale-report links expire and are not indexed; share them with prospects who ask for proof.