
Sellavie.ai launch hardening: the work nobody sees until it fails

A security and launch pass across the Sellavie backend, dashboard, mobile app, CI, logging, and generated artifact hygiene.

May 17, 2026 · 5 min read

I spent a day treating Sellavie like a launch-risk review instead of a feature sprint.

That matters because AI commerce does not only fail when the model says the wrong thing. It can fail when logs expose secrets, a generated worktree gets committed, CI misses sensitive files, request IDs are missing, or frontend and mobile behavior does not match the backend's safety assumptions.

What I found

The strongest parts were already real: business-scoped authorization, protected web auth, launch docs, regression tests, billing paths, Meta integration work, and a product surface that was much bigger than a chatbot demo.

The risky parts were around hygiene and observability:

  • generated worktrees sitting near source code
  • exported asset folders that could accidentally get committed
  • brittle secret scanning that could false-positive on its own workflow text
  • exception strings that could leak secret-shaped values
  • request tracing that was inconsistent enough to make incident review painful

What changed

The fix pass tightened CI secret scanning, expanded gitignore rules, hardened log redaction, and added regression coverage around request IDs and sanitizer behavior.
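One way the log redaction and request-ID pieces of that pass can look, as an added example that is not Sellavie's code: the secret patterns, logger name, and sample values are assumptions constructed for illustration. It redacts the fully formatted record, so secret-shaped values inside exception text are covered too, and stamps every line with a request ID.

```python
import contextvars
import io
import logging
import re

# Assumed secret shapes (illustrative, not Sellavie's rules); tune per provider.
_BEARER = re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{8,}")
_URL_CREDS = re.compile(r"(?<=://)[^/\s:@]+:[^/\s@]+(?=@)")
_KEY_VALUE = re.compile(
    r"(?i)\b([\w-]*(?:password|passwd|secret|token|api[_-]?key|authorization))"
    r"""(["']?\s*[=:]\s*)((?:bearer|basic)\s+\S+|"[^"]*"|'[^']*'|\S+)"""
)
request_id_var = contextvars.ContextVar("request_id", default="-")

def redact(text: str) -> str:
    """Replace secret-shaped substrings; over-redaction is the safe failure."""
    text = _BEARER.sub("[REDACTED]", text)
    text = _URL_CREDS.sub("[REDACTED]", text)
    return _KEY_VALUE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)

class RequestIdFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        record.request_id = request_id_var.get()  # every line stays traceable
        return True

class RedactingFormatter(logging.Formatter):
    def format(self, record: logging.LogRecord) -> str:
        # Redact the final string so the appended traceback is covered, not only record.msg.
        return redact(super().format(record))

def build_logger(stream) -> logging.Logger:
    handler = logging.StreamHandler(stream)
    handler.addFilter(RequestIdFilter())
    handler.setFormatter(RedactingFormatter("%(levelname)s request_id=%(request_id)s %(message)s"))
    logger = logging.getLogger("hardening_example")  # hypothetical logger name
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.INFO)
    return logger

def demo() -> str:
    buf = io.StringIO()
    request_id_var.set("req-constructed-001")  # constructed sample value
    try:  # constructed exception carrying secret-shaped values
        raise ConnectionError("postgres://app:s3cr3t-pw@db.internal/app api_key=sk_test_CONSTRUCTED")
    except ConnectionError:
        build_logger(buf).exception("upstream failed, Authorization: Bearer abcDEF123456.constructed")
    return buf.getvalue()
```

Assertions like the ones a regression suite would hold against `redact` and `demo` are what keep a later pattern change from quietly reopening a leak.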

That is not a glamorous feature. It is the kind of work that keeps a live product from slowly accumulating sharp edges that only matter when something goes wrong at 2am.

The honest observation

Security gets treated as a phase gate, not a practice. You tick the boxes before launch and move on.

The problem is that the dangerous gaps are usually not in the features you checked — they're in the operational layer around them: what gets logged, what gets committed, what the CI misses, what support can see when something breaks. Catching those before launch is much cheaper than catching them after.

Sellavie.ai launch hardening: the work nobody sees until it fails | Nasir Nasir-Ameen