Straight answers for your security review.
How tenants are isolated, how builds run, how environment variables are encrypted, and exactly what does — and doesn’t — get sent to AI providers. No marketing, just how it works.
Security & infrastructure FAQ
How are deployments isolated between tenants?
Each project gets its own Coolify application (own Docker container, own RAM/vCPU/storage from your subscription tier). Each ProjectGroup gets its own Coolify Project and production-environment UUID, so cross-group network access isn't possible. Sibling services inside the same group share a Docker network on purpose so they can talk to each other; nothing crosses tenant boundaries.
Do builds run in ephemeral environments?
Yes. Builds run in Coolify-managed Docker build containers. Every redeploy is sent with force=true, which skips the Docker layer cache and re-resolves git HEAD, so you always get a clean build off the current commit. Test/preview deploys are cleaned up automatically after 180 minutes (Coolify app stopped + row deleted); failed prod deploys are pruned after 90 days.
What gets sent to AI providers during repo analysis or rescue?
Repo analysis sends file paths (the GitHub tree) plus a capped whitelist of manifests: package.json, *.csproj, requirements.txt, pyproject.toml, go.mod, etc. Max 25 files; longer ones are truncated to 250 lines. That's it. Rescue sends the build-log tail (last 200 lines / 8 KB cap), the runtime-log tail when the container is in a crash loop, and deploy metadata. Env var values, source code beyond the manifest whitelist, and any secrets are never sent. The provider is OpenRouter routing to Claude Haiku 4.5.
How are env vars encrypted and accessed during deploys?
Env var values are encrypted with AES-256-GCM using a per-value random 12-byte nonce. Keys are versioned; a background rotation worker re-encrypts old rows in batches so retired keys can be removed safely. Every reveal/edit writes an audit row (actor hash, action, timestamp). At deploy time, values are synced to Coolify per-key over authenticated HTTPS and the app is restarted; the row stays encrypted at rest in our DB.
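The scheme described above, as an added example that is not the platform's own code: per-value AES-256-GCM with a random 12-byte nonce, a key version stored with each row, and one batch of a rotation worker. The record layout, the keyring, the function names, and the choice to bind the key version and variable name as associated data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed keyring (version -> 32-byte key). In production these come from a
// KMS or secret store; version 1 is the retiring key, version 2 the current one.
const keyring = new Map([[1, crypto.randomBytes(32)], [2, crypto.randomBytes(32)]]);
const CURRENT_VERSION = 2;

// Assumed record layout: version(1) || nonce(12) || tag(16) || ciphertext.
// The version byte and the variable name are bound as AAD, so a row cannot be
// relabelled with another key version or swapped onto another variable.
function aad(version, name) {
  return Buffer.concat([Buffer.from([version]), Buffer.from(name, 'utf8')]);
}

function sealValue(name, value, version = CURRENT_VERSION) {
  const key = keyring.get(version);
  if (!key) throw new Error(`no key for version ${version}`);
  const nonce = crypto.randomBytes(12); // fresh random nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad(version, name));
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return Buffer.concat([Buffer.from([version]), nonce, cipher.getAuthTag(), ct]);
}

function openValue(name, record) {
  if (record.length < 29) throw new Error('record too short');
  const version = record[0];
  const key = keyring.get(version);
  if (!key) throw new Error(`no key for version ${version}`);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.subarray(1, 13));
  decipher.setAAD(aad(version, name));
  decipher.setAuthTag(record.subarray(13, 29));
  // final() throws if the tag, AAD, nonce or ciphertext was altered.
  return Buffer.concat([decipher.update(record.subarray(29)), decipher.final()]).toString('utf8');
}

// One batch of the rotation worker: re-encrypt rows still on an old key version.
function rotateBatch(rows) {
  let rotated = 0;
  for (const row of rows) {
    if (row.record[0] === CURRENT_VERSION) continue; // already current, skip
    row.record = sealValue(row.name, openValue(row.name, row.record));
    rotated += 1;
  }
  return rotated;
}
```

A retired key can be deleted from the keyring only once a batch run reports zero rows rotated across the whole table; until then, rows on the old version would fail to decrypt.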
Can build/runtime logs be fully exported or deleted?
Build and runtime logs live in Coolify, not in our DB; we pull them on demand for the dashboard viewer. Deleting a project deletes its Coolify app, which deletes the logs. Right now there's no one-click "download full archive"; the only export is copying from the viewer. Audit logs (auth events + env-var changes) have an explicit retention worker that exports to CSV before deleting, default 24 months.
What happens if a project exceeds the free-tier limits?
Free tier = 256 MB RAM / 0.5 vCPU / 4 GB storage / 3-month trial. On trial expiry the Coolify app is stopped, status flips to suspended, an email goes out — no data wipe. Runtime OOM and crash-loop (3+ restarts) surface a recommendation card for a tier upgrade; it's never auto-applied.
Are Dockerfile-based projects fully supported or constrained?
Fully supported. Dockerfile is one of four build packs (Nixpacks, Dockerfile, Static, docker-compose). Coolify uses your Dockerfile as-is, no rewrites. Constraints come from the subscription tier (RAM / CPU / storage), not from the Dockerfile itself.
Still have a question?
Email us and we’ll answer directly.