Concepts

How SparkLabX is put together, and the trust boundaries you should know about.

Architecture

The backend is written in Go, the frontend in React/Vite, and each user gets their own Spark kernel pod on Kubernetes. MinIO provides S3-compatible object storage, with per-user prefix isolation enforced by IAM policies. Postgres stores metadata.

SparkLabX architecture diagram — frontend, backend, per-user kernel pods, MinIO IAM storage, Postgres metadata

Security model

  • JWT-based session — backend issues short-lived JWTs (default 8 h) signed with JWT_SECRET_KEY
  • OAuth verification — Google ID tokens verified server-side; Microsoft via tenant + client ID
  • MinIO IAM policies — per-user prefix enforcement at storage layer, not app code
  • Kubernetes RBAC — backend ServiceAccount limited to creating/deleting kernel pods in its namespace
  • CORS — the backend logs a warning in production if CORS_ORIGINS=*; an explicit allow-list of origins is recommended
  • Govulncheck — wired into CI as of v0.1.3; it reports zero known CVEs in the Go standard library
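An illustrative MinIO IAM policy of the kind the "MinIO IAM policies" item describes: each user may list and read/write only under their own prefix, and everything else is denied by default. This is an added example, not SparkLabX's own policy; the bucket name sparklabx-data and the users/<username>/ prefix layout are assumptions.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::sparklabx-data"],
      "Condition": {
        "StringLike": { "s3:prefix": ["users/${aws:username}/*"] }
      }
    },
    {
      "Sid": "ObjectsOnlyOwnPrefix",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::sparklabx-data/users/${aws:username}/*"]
    }
  ]
}
```

Attached to every MinIO user, this policy makes MinIO itself reject a request for another user's prefix, so a path-handling bug in the application cannot widen a user's access beyond users/${aws:username}/.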