SlothCV

Every paid CV builder leaks your data behind a watermark, then charges $30/month for the privilege. SlothCV inverts the gravity. The PDF renders entirely in your browser via @react-pdf/renderer (no server can read it). Provider separation between Google and magic-link is enforced by a Postgres BEFORE-INSERT trigger on auth.identities, not a frontend check an attacker can step around. A cross-user isolation test in CI proves row-level security actually holds before every deploy.

A free CV builder with no upsell, no watermark, and no export wall — built around the trust gap most paid CV tools leave open. Sign in with magic-link or Google. Provider separation is enforced via a Postgres BEFORE-INSERT trigger on auth.identities, not just a frontend check, so an account can't silently auto-link to the wrong provider. Pick a template — a Scratch blank canvas or one of seven genre defaults (dev, designer, editor, staff engineer, lawyer, creative director, postdoc) — and edit a structured form with a live preview at the side. Every CV section the real world has is supported: personal, summary, experience, education, skills with bars, languages, projects, certifications, awards, publications, volunteer, talks, hobbies, references, custom. Drag-to-reorder via dnd-kit, visibility toggles per row, per-section design overrides. The design tab carries 16 accent presets plus a hex picker, 15 fonts (Inter, Source Sans, Playfair, JetBrains Mono and friends), font-scale and line-spacing sliders, four layouts (single / two-col / sidebar-left / sidebar-right), photo on/off in four shapes, and three page sizes (A4 / Letter / Legal). PDF export runs entirely client-side through @react-pdf/renderer — vector text, embedded fonts, ATS-readable, javascript: and data: URL schemes stripped at the boundary. Auto-save debounces to 1 second and flushes on beforeunload. Each account caps at 10 CVs so the free tier stays free even at 5,000 maxed users. The architecture diagram below traces the four moving parts — sign-in, editor, EU-hosted Postgres with row-level security, and client-side PDF — and the trust diagram pulls out the three guarantees most paid CV tools quietly skip: provider separation enforced by a Postgres trigger, RLS verified by a cross-user isolation test in CI, and a PDF that never leaves your browser. I built it because every other CV builder is a paywall in a tuxedo.

• Provider separation enforced by a Postgres BEFORE-INSERT trigger on auth.identities — not just a frontend check
• Row-level security on every table + cross-user isolation test in CI verifying it actually holds
• Vector PDF rendered entirely in the browser via @react-pdf/renderer — server never sees the rendered file
• Magic-link or Google OAuth, with email_status RPC + Turnstile + rate limit at the boundary
• Scratch blank canvas + 7 genre templates, drag-to-reorder, per-section design overrides
• Auto-save debounced to 1 s with status pill (idle / dirty / saving / saved / error), flushed on beforeunload
• 10-CV per-account cap so the free tier stays free even at 5,000 maxed users
• javascript: and data: URL schemes stripped at the boundary — no XSS via exported PDF links