Trust & Security

How we handle your tenants and your data.

oxoqa exists because crypto exchanges can't ship blind. The flip side is that we hold credentials, run flows, and capture screenshots against your production stack. Here is exactly how that's done — and why we think it's safe.

01

Tenant isolation

Every customer is a separate workspace, isolated at the row level by Supabase RLS policies. The runner, the panel, and edge functions all read through the same policies — there is no privileged path that bypasses them. Storage buckets are workspace-scoped; capture URLs are signed and time-limited.

02

Credentials at rest

Tenant credentials — API keys, test-user passwords, Twilio tokens, TOTP secrets — are encrypted at rest using libsodium sealed boxes. Only the runner worker (server-side) holds the decryption key. The panel never sees plaintext. The CLI tool encrypts before insert.

03

Production-mode rails

Two flags protect production tenants from destructive actions. The white-label record has prod_trading_test_enabled (off by default). Each scenario carries prod_safe (defaults to false). Both must be true before api_initiate_withdraw or any destructive action is allowed to dispatch.
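The dual-flag gate described above, written out as an added example in TypeScript (this is not oxoqa's runner code). Only the two flag names, prod_trading_test_enabled and prod_safe, and the action name api_initiate_withdraw come from the page; the record shapes, the isProdTenant parameter, and the second destructive action name are assumptions. The point the code makes explicit is that a missing flag counts as false, so the gate denies by default, and that every decision carries a reason string a caller can write into an audit row.

```typescript
// Added example (not oxoqa's own code): dual-flag gate for destructive actions.
// Assumed record shapes; only the flag names and api_initiate_withdraw are from the page.
type WhiteLabel = { id: string; prod_trading_test_enabled?: boolean };
type Scenario = { id: string; prod_safe?: boolean; actions: string[] };

// Assumed: actions treated as destructive. api_initiate_withdraw is named on
// the page; api_cancel_all_orders is a hypothetical placeholder.
const DESTRUCTIVE_ACTIONS: ReadonlySet<string> = new Set([
  "api_initiate_withdraw",
  "api_cancel_all_orders",
]);

type GateDecision = { allowed: boolean; reason: string };

// Decide whether one action may dispatch. Both flags must be strictly true;
// an absent or undefined flag is treated as off (deny by default).
function gateAction(
  action: string,
  wl: WhiteLabel,
  sc: Scenario,
  isProdTenant: boolean, // assumed: whether the target tenant is production
): GateDecision {
  if (!isProdTenant) return { allowed: true, reason: "non-production tenant" };
  if (!DESTRUCTIVE_ACTIONS.has(action)) return { allowed: true, reason: "non-destructive action" };
  if (wl.prod_trading_test_enabled !== true) {
    return { allowed: false, reason: `white-label ${wl.id}: prod_trading_test_enabled is off` };
  }
  if (sc.prod_safe !== true) {
    return { allowed: false, reason: `scenario ${sc.id}: prod_safe is false` };
  }
  return { allowed: true, reason: "both production flags set" };
}

// Dry-run a whole scenario before dispatching anything: returns the first step
// the gate would block, or null if every step is allowed.
function firstBlockedStep(
  wl: WhiteLabel,
  sc: Scenario,
  isProdTenant: boolean,
): { index: number; action: string; reason: string } | null {
  for (let i = 0; i < sc.actions.length; i++) {
    const d = gateAction(sc.actions[i], wl, sc, isProdTenant);
    if (!d.allowed) return { index: i, action: sc.actions[i], reason: d.reason };
  }
  return null;
}

// Constructed sample records for illustration.
const WL_ON: WhiteLabel = { id: "wl-on", prod_trading_test_enabled: true };
const WL_OFF: WhiteLabel = { id: "wl-off" }; // flag absent => treated as off
const SC_SAFE: Scenario = { id: "sc-safe", prod_safe: true, actions: ["api_login", "api_initiate_withdraw"] };
const SC_UNSAFE: Scenario = { id: "sc-unsafe", actions: ["api_login", "api_initiate_withdraw"] };

console.log(firstBlockedStep(WL_OFF, SC_SAFE, true)); // blocked at index 1
console.log(firstBlockedStep(WL_ON, SC_SAFE, true));  // null
```

The reason string is the part worth keeping: a denied dispatch should be as visible in the audit trail as an allowed one, and a default-deny gate that fails silently is hard to distinguish from a gate that was never evaluated.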

04

Capture lifecycle

Screenshots, HAR recordings, and raw network bodies live in three private Supabase Storage buckets. Each bucket has its own retention TTL (7d / 14d / 30d). A scheduled edge function (cleanup-captures) sweeps expired objects. We don't keep what you don't ask us to.
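The selection half of a retention sweep, as an added TypeScript example (not the cleanup-captures edge function itself). The page gives three TTLs but not which bucket gets which, so the bucket-to-TTL mapping, the bucket names, and the object shape are assumptions. The edge case worth showing is an object whose timestamp cannot be parsed: the sweep keeps it and reports it rather than deleting on a guess.

```typescript
// Added example (not oxoqa's cleanup-captures function): pick expired objects per bucket.
// Assumed bucket names and TTL assignment; the page states only the three TTLs.
type CaptureBucket = "screenshots" | "har" | "bodies";
const RETENTION_DAYS: Record<CaptureBucket, number> = { screenshots: 7, har: 14, bodies: 30 };
const DAY_MS = 24 * 60 * 60 * 1000;

// Assumed object shape: bucket, object path, ISO-8601 creation timestamp.
type StoredObject = { bucket: CaptureBucket; path: string; created_at: string };

type SweepPlan = {
  expired: Record<CaptureBucket, string[]>; // paths to delete, grouped by bucket
  unparseable: string[];                    // objects kept because created_at is unreadable
};

// An object is expired once it is older than its bucket's TTL at time nowMs.
function isExpired(obj: StoredObject, nowMs: number): boolean | null {
  const created = Date.parse(obj.created_at);
  if (Number.isNaN(created)) return null; // signal "unknown" rather than guessing
  return nowMs - created > RETENTION_DAYS[obj.bucket] * DAY_MS;
}

function planSweep(objects: StoredObject[], nowMs: number): SweepPlan {
  const plan: SweepPlan = { expired: { screenshots: [], har: [], bodies: [] }, unparseable: [] };
  for (const o of objects) {
    const verdict = isExpired(o, nowMs);
    if (verdict === null) plan.unparseable.push(`${o.bucket}/${o.path}`);
    else if (verdict) plan.expired[o.bucket].push(o.path);
  }
  return plan;
}

// Constructed sample listing, evaluated at a fixed "now".
const SAMPLE_NOW = Date.parse("2024-06-30T00:00:00Z");
const SAMPLE_OBJECTS: StoredObject[] = [
  { bucket: "screenshots", path: "run-1/step-3.png", created_at: "2024-06-20T00:00:00Z" }, // 10d old, TTL 7d
  { bucket: "har", path: "run-1/session.har", created_at: "2024-06-20T00:00:00Z" },        // 10d old, TTL 14d
  { bucket: "bodies", path: "run-0/resp.json", created_at: "2024-05-01T00:00:00Z" },       // 60d old, TTL 30d
  { bucket: "bodies", path: "run-2/resp.json", created_at: "not-a-timestamp" },            // kept, reported
];

console.log(planSweep(SAMPLE_OBJECTS, SAMPLE_NOW));
```

Splitting the sweep into a pure planning step and a separate deletion step keeps the retention logic testable without storage access, and makes the set of objects the scheduled function is about to remove something you can log before it acts.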

05

Auth and access control

Operator auth supports email+password and magic links. Three roles — admin, qa, viewer — enforce coarse-grained access; RLS enforces fine-grained scoping. Invite flow generates one-time tokens. SSO (OIDC) is on the enterprise roadmap.

06

Audit + observability

Every trigger emits a row in the run_events log: who, what, when, against which tenant. Edge functions log to Supabase's observability stack. The runner streams its own structured events to the panel's Live Console, where they're also persisted.

Commitments

What we'll put in writing.

Data residency
Primary region: eu-west-1. Customer data does not leave the EU unless you explicitly opt in.
Encryption in transit
TLS 1.2+ everywhere. HSTS preload-ready for production.
Encryption at rest
Database disks encrypted by the platform. Sensitive columns additionally encrypted at application layer.
Subprocessor disclosure
Supabase (database + storage), Twilio (SMS), Vercel (hosting), Anthropic (AI scenario generation). Listed and version-tracked.
Vulnerability handling
security@oxoqa.com. We acknowledge within 24h and remediate by severity. Coordinated disclosure preferred.
Right to be forgotten
Workspace deletion cascades through tenants, runs, and captures. Backups age out within 30 days.