Security Policy
- Read-only gateway: The frontend performs only GET requests to /api/reports/*; no POST, PUT, or DELETE methods are exposed.
- Minimal exposure: Whitelisted endpoints — /api/healthz, /api/reports/summary.json, /api/reports/alignment_audit.json, /api/reports/freeze_hash.json.
- Protection layers: HSTS / CSP / X-Frame-Options / Referrer-Policy / Permissions-Policy / X-Content-Type-Options / CORP.
- Signatures & idempotency (client-side): Uploads require cryptographic signatures and an X-Idempotency-Key; short links are bound to fixed paths and methods.
- Isolation: The presentation layer is physically isolated from the core engine; downloadable artifacts originate only from the frozen zone (FREEZE).
- No tracking: No third-party analytics or tracking scripts; only anonymous error-rate telemetry is collected.
- Vulnerability disclosure: Responsible disclosures are welcome — see the “Contact” section below.
We prioritize fixing vulnerabilities that may affect determinism or the integrity of the evidence chain.
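
One way to check the read-only gateway, endpoint list and protection-layer bullets above against observed traffic, added here as an example (not the project's own code). The function names, the 405/404 status mapping and the sample response headers are assumptions; the endpoints and header set are the ones the policy lists.

```python
# Endpoints and protection headers as listed in the policy above.
ALLOWED_PATHS = frozenset({
    "/api/healthz",
    "/api/reports/summary.json",
    "/api/reports/alignment_audit.json",
    "/api/reports/freeze_hash.json",
})
REQUIRED_HEADERS = (
    "Strict-Transport-Security",     # HSTS
    "Content-Security-Policy",       # CSP
    "X-Frame-Options",
    "Referrer-Policy",
    "Permissions-Policy",
    "X-Content-Type-Options",
    "Cross-Origin-Resource-Policy",  # CORP
)

def gateway_decision(method: str, target: str) -> int:
    """Status a read-only gateway would return for this request line.

    Assumed mapping (not stated by the policy): 405 for any method other
    than GET, 404 for a path outside the allowlist, 200 otherwise.
    """
    if method != "GET":
        return 405
    path = target.partition("?")[0]  # drop the query string only
    # Exact match on the raw path: no decoding and no normalisation, so
    # "..", percent-encoded and trailing-slash variants all miss the list.
    return 200 if path in ALLOWED_PATHS else 404

def missing_headers(headers: dict) -> list:
    """Required protection headers absent or empty in a response."""
    present = {k.lower() for k, v in headers.items() if v.strip()}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]

# Constructed sample response headers (two required headers left out).
SAMPLE = {
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for m, t in [("GET", "/api/healthz"), ("POST", "/api/healthz"),
                 ("GET", "/api/reports/../admin")]:
        print(m, t, gateway_decision(m, t))
    print("missing:", missing_headers(SAMPLE))
```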