Security
Every operational row carries a tenant_id. Access is enforced in both route code and Supabase row-level security, so one shop can never read or write another shop's orders, jobs, or accounting data.
Quotes and checkout totals are always recomputed server-side from your catalog data. A client-submitted price is never trusted.
QuickBooks access and refresh tokens are AES-256-GCM encrypted at rest. No API ever returns a raw token, client secret, or encryption key to the browser.
Storefront and bridge-agent integrations authenticate with scoped, hashed API keys. Agent keys can only act on their own tenant's jobs; admin operations require an admin key.
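A sketch of the hashed, scoped key check described above, added here as an illustration and not taken from the product's code. The "<keyId>.<secret>" key format, the in-memory store, the action names and all function names are assumptions.

```javascript
// Added illustration; every name here is hypothetical, not the product's API.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const ADMIN_ACTIONS = new Set(['key:revoke', 'tenant:settings']); // constructed

// Assumed key format "<keyId>.<secret>". The store keeps the id, tenant,
// scope and SHA-256 of the secret; the secret itself is returned only once.
function issueKey(store, tenantId, scope) {
  const keyId = crypto.randomBytes(8).toString('hex');
  const secret = crypto.randomBytes(32).toString('base64url');
  store.set(keyId, { tenantId, scope, secretHash: sha256(secret) });
  return `${keyId}.${secret}`;
}

// Resolve a presented key to { tenantId, scope }, or null if it is invalid.
function authenticate(store, presented) {
  const parts = String(presented).split('.');
  if (parts.length !== 2) return null;
  const row = store.get(parts[0]);
  // Hash and compare even for an unknown id, so both paths do the same work.
  const expected = row ? row.secretHash : Buffer.alloc(32);
  const match = crypto.timingSafeEqual(sha256(parts[1]), expected);
  return row && match ? { tenantId: row.tenantId, scope: row.scope } : null;
}

// The tenant comes from the key record, never from the request body.
function checkRequest(store, presented, action, job) {
  const who = authenticate(store, presented);
  if (!who) return 'deny: invalid key';
  if (ADMIN_ACTIONS.has(action) && who.scope !== 'admin') {
    return 'deny: admin key required';
  }
  if (job && job.tenantId !== who.tenantId) return 'deny: other tenant';
  return 'allow';
}
```

Because the secret is 32 random bytes, a single SHA-256 is enough for storage; a leaked key table cannot be replayed as credentials.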
Stripe remains the payment processor and system of record for money movement. MIS and QuickBooks are downstream records, never payment collectors.