Developer Notes

There are no user accounts, no logins, no email collection, and no auth tokens. Each visitor is identified only by a random session token stored in their browser's localStorage. The token is opaque and not linked to any identity.

Guest sessions exist for up to 24 hours. File jobs expire within 2 hours. Result download links are signed URLs with a 30-minute lifetime. Nothing is retained beyond its expiry window.

Files under 30MB are processed locally in the user's browser when possible — they never reach the server. Files above 30MB are routed through a temporary cloud worker and require a one-time €1.00 guest payment.

Premium processing uses Stripe Checkout in one-time payment mode. No customer object is created, no subscription is opened. Metadata on the payment intent only includes the opaque session token, file job id, and tool key.

Two private storage buckets isolate input and output: temporary-uploads for inbound files and temporary-results for processed artifacts. Both are accessible only through signed URLs created server-side.

A scheduled worker scans for expired file jobs, removes their files from both buckets, and marks the rows as expired. An audit event is written for every cleanup run. No file content is ever included in audit metadata.

Each tool currently runs against a simulated processor. The architecture is designed so individual edge functions can be swapped for real engines (Ghostscript, Tesseract, ExifTool, libvips) without touching the public frontend contract.