Sellavie.ai security: TOTP and safer deletion flows
Strengthening account protection and data deletion behavior before the product got more operational surface area.
By mid-February, Sellavie had enough product surface that account protection started to matter more.
This phase added TOTP and safer data-deletion behavior, with regression tests around SQL flows.
Deletion is harder than it looks
Adding deletion is easy to describe and hard to do safely.
A business account on Sellavie can connect products, conversations, orders, invoices, settings, platform credentials, training data, team records, and logs. Delete the wrong thing, or delete in the wrong order, and you leave broken foreign key state, orphaned records, or — worse — you lose data the customer expected to keep.
The regression tests were specifically around the SQL execution path. Deletion is the kind of thing that is easy to get right in happy-path testing and wrong in production, where accounts have real data relationships rather than the clean scaffolding from a seed script.
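A sketch of what such a regression check can look like, added here as an illustration and not taken from Sellavie's code base: the schema, table names, and sample rows are hypothetical, and SQLite stands in for whatever database the product uses. It runs the deletes child-first inside one transaction and rolls back if any statement violates a foreign key.

```python
import sqlite3

# Hypothetical schema for illustration; not Sellavie's actual tables.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE products (id INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES accounts(id));
CREATE TABLE orders (id INTEGER PRIMARY KEY,
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    product_id INTEGER NOT NULL REFERENCES products(id));
CREATE TABLE invoices (id INTEGER PRIMARY KEY,
    order_id INTEGER NOT NULL REFERENCES orders(id));
"""
# Children first, so no statement ever leaves a dangling reference.
DELETE_ORDER = [
    "DELETE FROM invoices WHERE order_id IN (SELECT id FROM orders WHERE account_id = ?)",
    "DELETE FROM orders WHERE account_id = ?",
    "DELETE FROM products WHERE account_id = ?",
    "DELETE FROM accounts WHERE id = ?",
]

def make_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    db.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    db.executescript(SCHEMA)
    # Constructed sample data: two accounts, each with related rows.
    for acct in (1, 2):
        db.execute("INSERT INTO accounts VALUES (?, ?)", (acct, f"biz{acct}"))
        db.execute("INSERT INTO products VALUES (?, ?)", (acct * 10, acct))
        db.execute("INSERT INTO orders VALUES (?, ?, ?)", (acct * 100, acct, acct * 10))
        db.execute("INSERT INTO invoices VALUES (?, ?)", (acct * 1000, acct * 100))
    return db

def delete_account(db, account_id, statements=DELETE_ORDER):
    """Run all deletes in one transaction; roll back if any statement fails."""
    db.execute("BEGIN")
    try:
        for sql in statements:
            db.execute(sql, (account_id,))
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")  # a wrong-order delete leaves the data untouched
        return False

def counts(db):
    """Row count per table, used to assert on the state after a delete."""
    return {t: db.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("accounts", "products", "orders", "invoices")}
```

A test built on this asserts three things: a wrong-order delete changes nothing, a correct delete removes every row for the target account, and the other account's rows are still present afterward.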
TOTP at this stage
For a business-facing product, stronger admin access is not a luxury.
The admin account controls platform credentials, team members, billing, AI training data, and conversation history. If it is only protected by a password, the blast radius of a credential leak is the entire business account.
Adding TOTP before the product had more users was the right call. It is much easier to add this before the credential security model is baked into existing sessions than to retrofit it later.