Running in Production
What an operator needs once the code is written. Porulle is hardened by audit (five-round adversarial security review, all criticals closed) but the wiring depends on you.
Deploy Bun, Node.js, Cloudflare Workers, Fly.io. Migration strategy, secrets, health checks.
Multi-Tenancy Org resolution profiles (B2C single-storefront vs B2B multi-tenant), strict mode, store resolver.
Webhooks and Audit Outbound webhook delivery, signature verification, audit log, processed-events idempotency.
Security model
Section titled “Security model”Adopter-facing security documentation lives in the Security Model (mirrored from the canonical SECURITY.md at the repository root) — threat model, what the framework defends against, what it does not, the rate-limit layers, cookie hygiene, CSP recommendations, SSRF guards, audit log scope.
That document is the one to send to a buyer’s security review team.
Where to next
Section titled “Where to next”- Reference → Configuration — every config field
- Reference → Job Queue — durable claim-based queue, the substrate behind webhook delivery and async work
- Concepts → Identity Model — actor, principal, store resolution