Engineering Transparency

How this site is built, tested, and secured — stated in numbers you can verify in the source, not marketing claims. Every figure below traces to a file, a test run, or a CI workflow in the repository, and the open gaps are listed alongside the wins.

Verified at a glance

Each number here is countable in the repository today — not a target, not a projection.

524
test cases across 51 files (221 suites)
≥50%
enforced coverage floor — lines, functions, statements (branches ≥44%)
8
Architecture Decision Records (0001–0008)
12
compliance frameworks mapped, with OSCAL output
4
CI/CD workflows — test, SAST, DAST, release + SBOM
0
script-src 'unsafe-inline' allowances (per-request nonce)

How the code is verified

The server and the client modules are tested with Vitest (ADR-0004): 524 test cases across 51 test files and 221 describe suites covering authentication, the zero-trust scorer, ownership enforcement, MFA, the compliance engine, and the environment-config boundary.

Coverage is a gate, not a report. Thresholds are declared in vite.config.js (test.coverage.thresholds) at ≥44% branches and ≥50% lines, functions, and statements; a run below the floor fails the build, so the number can't quietly rot. These are deliberately a floor — modest, honest, and ratcheted upward as suites grow, not a high-coverage trophy. The exact point-in-time percentage is produced by the CI run rather than hard-coded on this page, so nothing here can go stale.

Security posture

Every control below is in the running code — follow the link to the middleware or the decision record that documents it.

  • Zero-Trust request scoring. A per-request 0–100 trust score (identity, MFA, device, IP, anomaly, time) gates five graduated route policies (public → CUI). Production always enforces. ADR-0006 · zeroTrust.js
  • Per-request CSP nonce. Helmet sets a Content-Security-Policy whose script-src carries a fresh nonce on every response — no 'unsafe-inline' for scripts. serveHtml() injects the nonce into inline blocks at send time. ADR-0003
  • JWT with refresh-token rotation. Short-lived access tokens; refresh tokens rotate on use to limit replay. ADR-0002
  • TOTP multi-factor auth (AAL2). RFC 6238 TOTP with two-phase enrollment, feeding the zero-trust score. Aligns with NIST SP 800-63B. ADR-0007
  • Ownership guard (anti-BOLA/IDOR). A composable middleware enforces per-record ownership with parameterized queries and fails closed on a schema gap. Closes OWASP API1:2023. ADR-0008
  • Defense in depth. Rate limiting on /api, signed CSRF tokens, Helmet security headers (HSTS), AES-256 encryption at rest, and a 1 MB request-body cap.

Honest trade-off: the CSP style-src still permits 'unsafe-inline' for inline styles (CSP nonces can't cover inline style attributes, and injected CSS can't execute code). The script-src path — where code execution actually lives — is fully nonce-locked.

CI/CD & supply chain

Four GitHub Actions workflows run on the repository:

Workflow What it does
ci.yml Lint, run the Vitest suite, and enforce the coverage thresholds
codeql.yml CodeQL static analysis (SAST)
dast.yml OWASP ZAP dynamic scan (DAST)
release.yml Release packaging with a software bill of materials (SBOM)

See Documentation and the repository's docs/DEPLOYMENT.md for the full build, environment, and rollback procedure.

Architecture Decision Records

The why behind the architecture is written down. Eight ADRs are committed under docs/adr/:

  1. ADR-0001 — SQLite via SQL.js as the embedded data store
  2. ADR-0002 — JWT refresh-token rotation
  3. ADR-0003 — Helmet CSP & security headers
  4. ADR-0004 — Vitest as the test framework
  5. ADR-0005 — Multi-framework compliance engine
  6. ADR-0006 — Zero-Trust request scoring & policy enforcement
  7. ADR-0007 — TOTP-based multi-factor authentication
  8. ADR-0008 — Ownership guard for horizontal access control

Compliance mapping

The same codebase is mapped against 12 frameworks — CMMC, DORA, GDPR, HIPAA, ISO 27001, ISO 42001, NIS2, NIST SP 800-171r3, NIST SP 800-53, NIST AI RMF, PCI DSS, and SOC 2 — with machine-readable OSCAL output. Explore the control-by-control evidence in the Compliance Knowledge Base.

What's not done yet

Transparency means listing the gaps, not just the wins. These are known and tracked:

  • Coverage floors are modest. The enforced gate (≥44% branches / ≥50% otherwise) is a starting line, not a high-coverage claim — current coverage sits in the low 50s (mid-40s for branches) and is raised as the suites grow.
  • No SBOM committed in-tree. The software bill of materials is generated by the release.yml workflow at release time rather than stored as a static file in the repository.
  • Inline-style CSP trade-off. style-src still allows 'unsafe-inline' (documented above); only the script path is nonce-locked.
  • Single-node zero-trust state. Session trust history lives in process memory — correct for the current single-instance deployment, with Redis as the documented scale path (ADR-0006).

Last reviewed: June 4, 2026.