Security

Last updated: 2026-04-21

The short version

Vercel disclosed an env-var enumeration on 2026-04-19. We audited this project the next morning, rotated every secret, and moved them all to Vercel's “Sensitive” flag. Even in the worst case, no user data could have been read, because none is stored anywhere the exposure reached.

What happened

2026-04-19. Vercel's security team notified customers that a third-party OAuth app (Context.ai), used by a compromised employee's Google Workspace account, had been granted deployment-scope access. Env vars on affected projects that were not flagged “Sensitive” were enumerable via the Vercel API. No payment data or source code was reported stolen.

2026-04-20 (us). We ran a complete audit of this project's Vercel environment. Every secret was rotated at its source (Anthropic, Upstash, AWS IAM, our admin key, cron signer). The fresh values were re-added with the “Sensitive” flag set. The old entries were deleted.

What we store about you

  • What you type. The problem description and any image. We need it to run the analysis.
  • The generated result. 30-day TTL in Upstash Redis, then auto-deleted.
  • Your IP and rough geolocation. Used for rate limiting and admin notification metadata. Not tied to result IDs.
  • User-Agent. Included in admin notifications.
  • Analytics (Vercel + Clarity). Cookieless page views via Vercel Analytics. Microsoft Clarity is gated behind consent — see the cookie banner.

We do not collect: passwords, payment cards, government IDs, health records. There is no login.

Current Anthropic model

We pin to claude-sonnet-4-6 on the Anthropic API. Anthropic ships Opus / Sonnet / Haiku tiers; we use the latest Sonnet-class model for balanced cost and quality. When Anthropic releases a new version, this string is the single source of truth — privacy and security copy both read from it.

Where the secrets are and whether they were exposed

  • Anthropic API key: Rotated 2026-04-20. New key flagged Sensitive in Vercel.
  • Upstash Redis REST token + URL: Token rotated 2026-04-20. Both now flagged Sensitive.
  • AWS SES access key: Deleted and reissued 2026-04-20. IAM policy scoped to ses:SendEmail only. Both env vars flagged Sensitive.
  • Admin secret key: Regenerated 2026-04-20. Flagged Sensitive.
  • Cron signer (CRON_SECRET): Regenerated 2026-04-20. Flagged Sensitive.
  • Microsoft Clarity project ID: Not a secret — ships in HTML to any visitor. Kept for analytics; loading is opt-in (see privacy policy).

Assume every non-Sensitive env var on Vercel was readable between 2026-04-XX and 2026-04-19. We have no evidence this project was targeted, but we rotated regardless.

What we changed in the site code

  • All admin endpoints moved off query-param auth to x-admin-key header with constant-time compare.
  • URLs returned by the AI for competitor links are validated (HTTPS-only, no credentials-in-URL, no IP literals, tracking params stripped) before rendering.
  • A pre-commit gitleaks hook now blocks any accidental secret from reaching even a local commit.
  • GitHub Secret Scanning and Push Protection are enabled on this repo.
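
The link validation in the second bullet, written out as an added example (this is not the site's own code). It assumes Node 18+ with the global WHATWG URL parser; the tracking-parameter list and the rule that a hostname must contain a dot are our assumptions, not something the page states.

```javascript
// Added example (not the site's own code): the competitor-link validation
// described above, for Node 18+ (global WHATWG URL, no dependencies).
// Assumptions: the tracking-parameter list and the "hostname must contain a
// dot" rule are ours, not the site's.

const TRACKING_PARAMS = new Set([
  "utm_source", "utm_medium", "utm_campaign", "utm_term", "utm_content",
  "fbclid", "gclid", "msclkid", "mc_cid", "mc_eid",
]);

// URL.hostname reports IPv4 as a dotted quad (the parser normalizes hex and
// decimal spellings to it) and IPv6 in brackets, e.g. "[::1]".
const IPV4_DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

function isIpLiteral(hostname) {
  return IPV4_DOTTED_QUAD.test(hostname) || hostname.startsWith("[");
}

// Returns a normalized https:// URL string that is safe to render as a link,
// or null when the model's output fails any check. Rejected input is dropped,
// never "repaired", so a bad link cannot be coerced into a plausible one.
function sanitizeCompetitorUrl(raw) {
  if (typeof raw !== "string" || raw.length > 2048) return null;
  let url;
  try {
    url = new URL(raw.trim());            // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;     // HTTPS only (also drops javascript:, data:)
  if (url.username || url.password) return null;  // no credentials in the URL
  if (isIpLiteral(url.hostname)) return null;     // no IP literals
  if (!url.hostname.includes(".")) return null;   // no bare labels such as "localhost" (assumption)
  for (const key of [...url.searchParams.keys()]) {
    if (TRACKING_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.hash = "";                                  // the fragment carries nothing we need
  return url.toString();
}
```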

If you're worried

Email sattyamjain96@gmail.com. Include your result URL if you want us to delete a specific analysis — GDPR Art. 17 erasure is one command on our end and we respond within 72 hours.

Going forward

We publish a status note here whenever a rotation happens, not just when a vendor discloses. The site is on Vercel; we'll evaluate migrating if the monthly post-incident bulletin shows another class of compromise. Premature platform moves are usually worse than staying put.