FAQ

If a question comes up more than twice on Slack, add it here.

Getting started

I’m new — where do I start?

New-hire onboarding. Read it top to bottom on day one. Every checkbox is mandatory for your first week.

Why Google Workspace and not Microsoft / Zoom / …?

Consolidation. One SSO, one directory, one DPA to negotiate with customers. Changing this would cost more than it saves.

Do I really need FIDO2 security keys?

For GitHub org admin, yes. For everyone else — strongly recommended. The cost of a phished employee account is much higher than two YubiKeys.

Can I use my personal laptop?

No. Corporate-managed laptop only. Contact @jens if yours isn’t ready.

Engineering

What’s the shortest path from clone to running server?

git clone git@github.com:tappass/tappass
cd tappass
cp .env.example .env
docker compose up -d postgres
uv venv && source .venv/bin/activate
uv pip install -e '.[dev]'
alembic upgrade head
make dev

Full instructions in Local setup.

Tests are failing on a fresh clone. What do I check first?

1. Postgres running? docker compose ps
2. On Python 3.12? python --version
3. On Node 22? node --version
4. uv pip install -e '.[dev]' actually ran?
5. Alembic up to date? alembic current

If all good and tests still fail, check #eng. Include the failing test name and the last 20 lines of output.

Can I use mocks in my tests?

For external HTTP, yes — use httpx.MockTransport, not unittest.mock. For the database, no. See Testing philosophy.

Can I push to main?

No. Even @jens goes through PR. Squash-and-merge only.

My PR is sitting with no review — what do I do?

Ping the listed CODEOWNERS on Slack once, with the PR link and a one-line “what’s this about”. After 1 business day and still no response, escalate to @jens. Don’t wait in silence.

Why don’t we use React Query / Zustand / Redux / Next.js / MUI?

See Frontend architecture → Things we deliberately do NOT use. The question comes up every time someone joins from a bigger team. It’s an opinionated choice — push back if you think we’re wrong, but come with a specific problem, not a preference.

Can I add a new dependency?

Yes, if:

1. It solves a real problem, not a stylistic one.
2. It’s maintained (< 1 year since last release).
3. It doesn’t bring a chain of transitive deps that duplicate something we already have.
4. The PR description explains why.

Ask first for anything over 500 KB installed size or anything that runs at import time.

How do I test against a real LLM provider without burning budget?

Use the cheapest model of the provider family for tests (gpt-4o-mini, claude-3-5-haiku, etc.). Contract tests are nightly and rate-limited.

For most tests, use httpx.MockTransport with a recorded response. tests/fixtures/openai_responses/ has a library.

How do I add a new pipeline step?

See Pipeline step anatomy. In short: file under src/tappass/pipeline/steps/, register in registry.py, add to config/policies/default.yaml, write unit + integration tests.

How do I add a new provider?

A provider adapter is a file under src/tappass/gateway/<name>.py implementing the provider protocol. Add a config entry, a test against recorded responses, and an integration doc in tappass/docs (public). If the provider isn’t OpenAI-compatible, you’re also writing a request/response translator.

Budget 2–3 days for a common REST API.

Operations

Who pays for what?

• Cloud costs (GCP, Cloudflare, SaaS): company card, managed by @jens
• Employee SaaS (personal Cursor license, etc.): reimbursable up to €… / month with approval
• Travel: expense it, approved in advance over €500

Can I deploy right now?

Staging: always — push to main.

Prod: only if (a) you’re on-call or (b) the person on-call is paged in. Production deploys outside this rule are how outages happen.

How do I roll back?

Cloud Run revisions → previous revision → 100% traffic. See Release process → Rollback.

For DB state: you don’t roll back, you roll forward. Write a corrective migration. See Database → Migrations.

I got paged but I’m not on-call. What do I do?

Check PagerDuty — if you really did get paged, the rotation is wrong. If it’s a friendly ping about an issue, triage it if you can, otherwise route to primary on-call.

Security

I think I leaked a secret. What now?

1. Revoke it immediately in the source (AWS console, GitHub token page, wherever).
2. Rotate the replacement — see Rotate API keys.
3. Scan for commits: git log -p --all | grep -i '<first 8 chars>'.
4. If it was committed and pushed, say so on Slack in #eng — even if you’ve already revoked. Others may need to act.
5. Write a short incident note (blameless; we all do this eventually).

Can I share a secret on Slack?

No. Use 1Password’s “Share Item” feature — generates a 7-day, single-view URL.

Can I paste a real customer tp_ key into a local .env for debugging?

No. Use a dev key. If you need to debug against real customer state, connect to the read replica and query by tenant_id instead of reproducing the auth flow.

Someone outside the company asked about our detection models — can I share details?

Share what’s on the public docs (docs.tappass.ai) or trust.tappass.ai. For anything beyond that, route to @jens.

I spotted a vulnerability. Who do I tell?

@jens directly. Don’t open a public issue. Don’t post in #eng with details — short mention (“I spotted something, DMing @jens”) is fine.

Commercial

What’s our pricing?

Public-facing is at tappass.ai/pricing. Internal floor + discount policy is in Pricing & plans — confidential.

Can I tell a prospect about our roadmap?

Share published items only (blog posts, public docs). For anything unreleased, route to @jens or deal owner — we’re careful not to pre-sell features.

A customer asked for a feature we don’t have. How do I handle it?

1. Log it in Linear as a <Customer> requested: issue with the feature description and their use case.
2. If it’s in our near-term roadmap: tell them the rough timeline, no commitment.
3. If it’s not: acknowledge, don’t promise. Route to @jens for a judgement call on whether to prioritise.

A customer wants to leave. What do I do?

Immediately: @jens + deal owner, in-channel. See Escalate customer issue.

Meta

Where do I edit this FAQ?

src/content/docs/faq.md in tappass/docs-internal. PR, review, merge — deploys automatically.

This answer is wrong / out of date. What do I do?

Fix it in a PR. Don’t wait for permission. You’re reading this because someone before you did.

The site is broken.

Ping #eng. Most likely a build issue; the fix is usually a typo in frontmatter or a missing sidebar entry.