Session Security and Recovery

Practical auth/session policy for Release Trace and clear response steps if account access is suspected to be compromised.

Docs Account App

Session policy

Release Trace protects all app routes and private APIs with Clerk-based authentication plus server-side guards. Session lifetime and inactivity timeout are configured in Clerk Dashboard (not in this repository), so they must be verified before every production release.

- Verify Clerk production instance is active (live keys only in production).
- Verify session lifetime policy in Clerk Dashboard Security settings.
- Verify inactivity timeout policy in Clerk Dashboard Security settings.
- Verify "revoke all sessions" control is available to the user.

Sensitive action review

Current beta policy uses active session checks for sensitive operations. Step-up re-auth is not enforced yet; this is explicitly accepted for the beta phase and should be revisited before GA.

Action	Current control	Re-auth	Status
Create/finalize release run	Clerk session + server-side user/workspace checks	Not required (beta)	Accepted for beta
Delete product	Clerk session + ownership check + explicit UI confirmation	Not required (beta)	Accepted for beta
Update LLM key settings	Clerk session + authenticated account endpoint	Not required (beta)	Accepted for beta
Start paid checkout	Clerk session + workspace membership check + Paddle checkout token	Not required (beta)	Accepted for beta

Account compromise recovery

1. Immediately sign out all sessions in Clerk account security settings.
2. Revoke GitHub authorization for Release Trace and sign in again via GitHub.
3. Rotate any API keys stored in account settings (LLM) and deploy env (Paddle, Resend, GitHub App keys if applicable).
4. Review recent release runs and product changes to detect unauthorized actions.
5. If suspicious activity remains, freeze usage and rotate credentials before reopening access.