Security Readiness Checklist

Security backbone

We treat safety like a product feature, not a marketing line. This page is a public ledger of what is live, what is paid-and-paused, and what is still scaffolded.

Hardening

Strict CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policyshipped
Edge middleware sets the headers on every response.
RLS on every public table (default deny)shipped
Each migration adds RLS + policies; no service-role calls from the browser.
Audit log of sensitive actionsshipped
Posts, reports, payouts, automations, miniapp SDK calls and grants are recorded in app_audit_log.
Crisis pipeline (panic button + keyword hint)shipped
Local resources + anonymous server-side log; surfaces help without storing PII.
Free moderation tier (OpenAI Moderation + nsfw.js scaffolded)shipped
Server route /api/moderation/check; image scan ready to enable when budget allows.
Web Push with VAPID keysshipped
Service worker handles push + notification clicks.

Paid scaffolds (activate at scale)

AWS Rekognition image moderationscaffolded
Drop-in env vars + worker — switch on when balance allows.
PhotoDNA / NCMEC reporting (CSAM)scaffolded
csam_report table + queue exist; reporting pipeline pending vendor approval.
ClamAV file scan on uploadscaffolded
Vault accepts uploads; scanning hook ships with paid tier.
Sentry error monitoringin progress
Shim in place — flip env var to start streaming.
Cloudflare Turnstile on auth + reportsscaffolded
Form fields ready, env-gated to enable.

Continuous testing

Penetration-test checklistin progress
OWASP ASVS L2 mapping in /security/pentest.
Bug bounty programshipped
Public scope + safe-harbour terms at /security/bug-bounty.
Disclosure inboxshipped
security@futureassistants.example — PGP key pinned on bug-bounty page.
Quarterly RLS auditscaffolded
Script under /scripts/audit-rls.ts (todo) compares Postgres policies to spec.

Hardening

Strict CSP, HSTS, X-Frame-Options, Referrer-Policy, Permissions-Policyshipped

Edge middleware sets the headers on every response.

RLS on every public table (default deny)shipped

Each migration adds RLS + policies; no service-role calls from the browser.

Audit log of sensitive actionsshipped

Posts, reports, payouts, automations, miniapp SDK calls and grants are recorded in app_audit_log.

Crisis pipeline (panic button + keyword hint)shipped

Local resources + anonymous server-side log; surfaces help without storing PII.

Free moderation tier (OpenAI Moderation + nsfw.js scaffolded)shipped

Server route /api/moderation/check; image scan ready to enable when budget allows.

Web Push with VAPID keysshipped

Service worker handles push + notification clicks.

Paid scaffolds (activate at scale)

AWS Rekognition image moderationscaffolded

Drop-in env vars + worker — switch on when balance allows.

PhotoDNA / NCMEC reporting (CSAM)scaffolded

csam_report table + queue exist; reporting pipeline pending vendor approval.

ClamAV file scan on uploadscaffolded

Vault accepts uploads; scanning hook ships with paid tier.

Sentry error monitoringin progress

Shim in place — flip env var to start streaming.

Cloudflare Turnstile on auth + reportsscaffolded

Form fields ready, env-gated to enable.

Continuous testing

Penetration-test checklistin progress

OWASP ASVS L2 mapping in /security/pentest.

Bug bounty programshipped

Public scope + safe-harbour terms at /security/bug-bounty.

Disclosure inboxshipped

security@futureassistants.example — PGP key pinned on bug-bounty page.

Quarterly RLS auditscaffolded

Script under /scripts/audit-rls.ts (todo) compares Postgres policies to spec.