Security engineering · evidence, not vibes

I attack my own release

I don't just write the tool. Every version goes through a compliance gauntlet I built, with pass/fail criteria and evidence artifacts, before it ships.

The compliance gauntlet

A deterministic security regression suite that runs against a specific source version and produces a verdict plus evidence. Stages are mapped to NIST SSDF, OWASP ASVS, and CIS Controls, with a per-version control-mapping document. Real results from the v464 release gate:

StageToolingResultFindings
SASTBandit + SemgrepPASS0 HIGH · 47 MEDIUM triaged · 48 LOW
Dependency audit (SCA)pip-audit / OSVPASS0 advisories across 8 pinned deps
Secret scanninggitleaks + custom Tenable-key patternsPASS0 leaks across the tree
License auditpip-licensesPASS26 packages, 0 denied, 0 unknown
SBOMCycloneDX 1.6PASS8 components, shipped with release
Data-at-rest probecustom (perms, plaintext secrets, integrity tags)PASS0 findings across 45 state files
Binary scan · reproducibility · signing verifypost-build stagesgated on binary buildrun at packaging time, not source gate

evidence: compliance/evidence/<version>/ · verdict file: GAUNTLET_SUMMARY.md · first run surfaced and fixed 3 issue classes before the PASS was declared — including SEC-001, a create-then-chmod race on the API credential file, fixed by creating it 0600 from the first syscall

Security architecture of the shipped product

Tamper evidence beyond hash chains

Hash-chained logs catch casual edits. For insider-grade tampering — an attacker who can rewrite the whole log and recompute every hash — I implemented the primitives that back Certificate Transparency and modern supply-chain attestation, and tested them against the specs' own vectors:

code: ticket_time_machine/transparency.py · provenance.py · 50+ dedicated tests · runbook: production/SIGN_RELEASE_LINUX_RUNBOOK.md

Vulnerability disclosure policy

The project ships with a real SECURITY.md: private reporting channel, acknowledgment within 3 business days, reproduction within 7, patch within 30 calendar days for HIGH/CRITICAL findings and 90 otherwise, reporter credit in release notes, and a stated threat model covering the API connection, credential storage, state files, audit log, and signing chain. Only the latest release line is patched; older lines are retained for forensic purposes and marked unsupported.