Third-Party Service Control
Status: internal dashboard and registry v0.1
Use this page when adding, rotating, removing, or reviewing third-party services.
Private Dashboard
- Open the private service dashboard
- Private Cloudflare Pages guard
- Private GitHub Pages guard
- Service registry source
- Architecture rule
The dashboard shows secret names and control points only. It must not contain secret values.
The dashboard must not be published through normal public GitHub Pages or the public Cloudflare Pages build. Use the dedicated private Cloudflare Pages workflow only after Cloudflare Access protects the whole dashboard host and the project pages.dev host. Public builds intentionally show a locked placeholder and exclude the private service registry.
Update Rule
Update the service registry in the same PR when a change adds, renames, rotates, moves, or removes:
- third-party API access
- provider accounts or projects
- webhooks
- GitHub Actions secrets
- provider runtime secrets
- tenant-specific API accounts
- service accounts
- dashboard links
- credential owners or rotation rules
- public-source access that is upgraded to API, OAuth, browser-session, or posting access
Human-facing local deploy links must use the approved Tailscale HTTPS origin instead of localhost, 127.0.0.1, or ::1. If the dashboard is hosted anywhere other than a Tailscale-only local preview, protect it with Cloudflare Access, GitHub-authenticated private hosting, or an equivalent identity-aware access layer.
Tenant Provider Account Rule
Use one registry entry, or tenant-scoped credential references, for each provider account boundary that can publish, message, bill, store private data, or write to a tenant destination.
Before enabling a tenant-specific provider account, record:
- tenant and product scope
- owner and approval path
- storage tier and secret names only
- dashboard and docs links
- read/write scope
- rotation and revocation triggers
Public source adapters stay credential-free unless a new registry entry explicitly approves API, OAuth, browser-session, or posting access.
Validation
Run this before opening a PR that touches third-party services:
node scripts/ops/validate-third-party-services.mjs
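As an added illustration, the following JavaScript validator applies the rules on this page (the Update Rule, the Tenant Provider Account Rule, and the Validation step) to a constructed registry: secret names only and never values, no loopback origins in human-facing links, the fields that must be recorded before a tenant-specific provider account is enabled, and credential-free public-source adapters unless an access type is explicitly approved. It is not the project's own scripts/ops/validate-third-party-services.mjs, whose checks are not shown here; the registry field names (kind, secretNames, dashboardUrl, approvedAccess, and so on), the secret-name heuristic, and the three sample entries are assumptions made for this example.

```javascript
// Added example validator for a third-party service registry.
// NOT the project's scripts/ops/validate-third-party-services.mjs; the
// registry shape and all sample data below are assumptions for illustration.

// Loopback origins that human-facing deploy links must not use.
const LOCAL_ORIGIN_RE = /^https?:\/\/(localhost|127\.0\.0\.1|\[::1\])(?::\d+)?(?:\/|$)/i;

// Heuristic: a secret *name* is an environment-variable style identifier.
// Anything else listed under secretNames is treated as a possible secret value.
const SECRET_NAME_RE = /^[A-Z][A-Z0-9_]{2,}$/;

// Access types a public-source adapter may use only with explicit approval.
const CREDENTIALED_ACCESS = new Set(['api', 'oauth', 'browser-session', 'posting']);

// Fields the tenant provider account rule says must be recorded before enabling.
const REQUIRED_FIELDS = [
  'name', 'kind', 'tenantScope', 'owner', 'approvalPath', 'storageTier',
  'secretNames', 'dashboardUrl', 'docsUrl', 'access', 'rotationTriggers',
];

// Returns a list of human-readable findings for one registry entry (empty = clean).
function validateEntry(entry) {
  const findings = [];
  const id = entry.name ?? '<unnamed>';

  for (const field of REQUIRED_FIELDS) {
    const value = entry[field];
    if (value === undefined || value === null || value === '') {
      findings.push(`${id}: missing required field "${field}"`);
    }
  }

  // The registry carries secret names and control points only, never values.
  if ('secretValues' in entry) {
    findings.push(`${id}: field "secretValues" is not allowed in the registry`);
  }
  for (const name of entry.secretNames ?? []) {
    if (!SECRET_NAME_RE.test(name)) {
      findings.push(`${id}: secretNames entry "${name}" does not look like a secret name; remove any secret value`);
    }
  }

  // Human-facing links must use an HTTPS origin and never a loopback host.
  for (const field of ['dashboardUrl', 'docsUrl']) {
    const url = entry[field];
    if (typeof url !== 'string') continue;
    if (LOCAL_ORIGIN_RE.test(url)) {
      findings.push(`${id}: ${field} uses a loopback origin; use the approved Tailscale HTTPS origin`);
    } else if (!url.startsWith('https://')) {
      findings.push(`${id}: ${field} must be an https:// link`);
    }
  }

  // Public source adapters stay credential-free unless access is explicitly approved.
  if (entry.kind === 'public-source') {
    const listsSecrets = (entry.secretNames ?? []).length > 0;
    const approved = CREDENTIALED_ACCESS.has(entry.approvedAccess);
    if (listsSecrets && !approved) {
      findings.push(`${id}: public-source adapter lists secrets without an approved access type`);
    }
  }

  return findings;
}

// Validates every entry and flattens the findings.
function validateRegistry(registry) {
  return registry.flatMap(validateEntry);
}

// Constructed sample registry: fictional services, owners, and links.
const SAMPLE_REGISTRY = [
  { // clean entry
    name: 'mailer-tenant-acme', kind: 'provider-account', tenantScope: 'acme / newsletter',
    owner: 'ops-team', approvalPath: 'ops lead sign-off', storageTier: 'github-actions-secret',
    secretNames: ['MAILER_API_KEY'], dashboardUrl: 'https://ops.example-tailnet.ts.net/mailer',
    docsUrl: 'https://docs.example.invalid/mailer', access: 'write', rotationTriggers: ['owner change', '90 days'],
  },
  { // three problems: a value slipped into secretNames, a loopback link, no rotation triggers
    name: 'billing-sandbox', kind: 'provider-account', tenantScope: 'internal / billing',
    owner: 'finance-eng', approvalPath: 'finance lead sign-off', storageTier: 'provider-runtime-secret',
    secretNames: ['BILLING_API_KEY', 'example-secret-value-0123456789'],
    dashboardUrl: 'http://localhost:3000/billing', docsUrl: 'https://docs.example.invalid/billing', access: 'read/write',
  },
  { // public-source adapter that lists a secret with no approved access type
    name: 'public-rss-feed', kind: 'public-source', tenantScope: 'shared', owner: 'content-team',
    approvalPath: 'n/a', storageTier: 'none', secretNames: ['FEED_SESSION_COOKIE'],
    dashboardUrl: 'https://ops.example-tailnet.ts.net/feeds', docsUrl: 'https://docs.example.invalid/feeds',
    access: 'read', rotationTriggers: [],
  },
];

// Stand-alone run: print findings. A pre-PR hook would fail the run when any exist.
for (const finding of validateRegistry(SAMPLE_REGISTRY)) console.log(finding);
```

The secret-name regex is deliberately strict: rejecting anything that is not an upper-case identifier catches the common mistake of pasting a value where a name belongs, at the cost of flagging unusual naming schemes, which is the right trade-off for a registry that must never hold secret material.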