Overview
Version 1.049.000 is a major architectural milestone for PayCal. This release brings together months of systematic work across accessibility, privacy, security, and professional tooling — delivered as a coherent, production-ready platform.
- Deny-safe environment — the application's default posture is now secure and accessible simultaneously.
- 945 mathematically verified files across the codebase.
Accessibility Baseline
PayCal v1.049.000 achieves a full WCAG Theme Contrast Matrix pass across all supported visual themes.
- 68 themes verified end-to-end.
- 2,040 checkpoints evaluated.
- 4.75:1 minimum contrast ratio across all theme / text size combinations.
- Standout themes: Matrix 15.56:1, Akira 14.02:1.
The contrast matrix runs as part of the CI gate; no theme can ship unless it passes every checkpoint. This makes the accessibility guarantee continuous, not point-in-time.
Privacy Sovereignty
PayCal treats data minimisation and user control as first-class engineering constraints. Three capabilities shipped in this release:
1. Passkey-Only Authentication (Workstream G)
PayCal's authentication system has been rebuilt around WebAuthn passkeys. Users can authenticate without a password. The cryptographic design:
- WebAuthn + HKDF KEK — a Key Encryption Key is derived from the stable credential_id via HKDF, then used to wrap a per-user Data Encryption Key (DEK).
- The DEK lives in JavaScript memory only and is cleared on logout — it is never persisted to disk or transmitted to the server.
- The HKDF derivation uses the stable credential_id, not the non-deterministic ECDSA signature, ensuring the same KEK is produced on every login.
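
The derivation and wrap described above, sketched with the Web Crypto API as an added example; this is not PayCal's code. The salt, the info label, AES-GCM as the wrapping algorithm and the sample credential IDs and record are assumptions, since the page does not state PayCal's actual HKDF inputs.

```javascript
// Added example, not PayCal code. Salt, info label and sample values are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for older Node
const subtle = wc.subtle;
const enc = new TextEncoder();

// HKDF over the stable credential ID (PublicKeyCredential.rawId) -> AES-256-GCM KEK.
async function deriveKek(credentialId, salt) {
  const ikm = await subtle.importKey('raw', credentialId, 'HKDF', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'HKDF', hash: 'SHA-256', salt, info: enc.encode('example-kek-v1') },
    ikm, { name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// First login: generate the DEK and wrap it; only the wrapped blob would be stored.
async function wrapNewDek(kek) {
  const dek = await subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const wrapped = await subtle.wrapKey('raw', dek, kek, { name: 'AES-GCM', iv });
  return { dek, blob: { iv, wrapped } };
}

// Later login: unwrap into a non-extractable DEK that exists only in memory.
function unwrapDek(kek, { iv, wrapped }) {
  return subtle.unwrapKey('raw', wrapped, kek, { name: 'AES-GCM', iv },
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

async function demo() {
  const credentialId = enc.encode('constructed-credential-id-0001'); // constructed sample
  const salt = wc.getRandomValues(new Uint8Array(16)); // kept with the blob; must stay fixed
  const { dek, blob } = await wrapNewDek(await deriveKek(credentialId, salt));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await subtle.encrypt({ name: 'AES-GCM', iv }, dek, enc.encode('gross=4200.00'));

  // Second login: same credential ID and salt give the same KEK, so the DEK unwraps.
  const dek2 = await unwrapDek(await deriveKek(credentialId, salt), blob);
  const plain = await subtle.decrypt({ name: 'AES-GCM', iv }, dek2, ct);
  const recovered = new TextDecoder().decode(plain);

  // A different credential ID derives a different KEK; GCM authentication rejects it.
  const otherKek = await deriveKek(enc.encode('constructed-credential-id-0002'), salt);
  const wrongIdRejected = await unwrapDek(otherKek, blob).then(() => false, () => true);
  return { recovered, wrongIdRejected };
}

demo().then((r) => console.log(r));
```

The credential ID is also returned to the relying party in every WebAuthn assertion, so who can recompute the KEK depends on the other derivation inputs, which the page does not describe.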
2. Automatic Data Clearing (Workstream D)
Sensitive data displayed in the UI is automatically removed from the DOM when the user switches away from the tab or navigates away from the page.
- Tab hide trigger — the Page Visibility API fires a DOM sensitivity scrub.
- Page-exit trigger — beforeunload / pagehide events clear rendered values.
- No user action required; the clearing is unconditional for designated sensitive fields.
3. Privacy Guard Telemetry (Workstream B)
Telemetry events that support diagnostics and product improvement are collected with privacy-preserving properties:
- Anonymised — no persistent user identifiers attached to event payloads.
- Batched and jittered — events are queued and dispatched at randomised intervals, preventing timing-based correlation across sessions.
Professional Toolkit
AriaEcho Narration
A first-class screen-reader narration system that announces dynamic state changes — calendar navigation, work entry updates, and error conditions — without relying on brittle aria-live region polling.
Private Math
PayCal's tax engine runs entirely in the browser. Salary, deduction, and tax calculations are performed client-side. No salary data is transmitted to the server during calculation.
Exports with Export Identity Inversion
PDF, CSV, and plain-text exports are generated in the browser. Export Identity Inversion means the exported file contains no server-side identity markers — the export is owned by the user, not tagged by the application.
Safety Net Recovery
Orphaned work records — calendar entries that lost their parent context due to session expiry or interrupted saves — are automatically recovered and surfaced for user review rather than silently discarded.
Premium Tier
v1.049.000 ships the premium feature set as production-ready:
- Organization Hub linking — users can associate their PayCal account with an organisation, enabling shared calendar visibility and delegated reporting.
- Org role scope model — role assignments carry explicit permission scopes rather than implicit capabilities; role changes take effect at next session.
- Delegated calendar visibility — organisation administrators can view team members' availability without accessing individual entries.
- DEK Auto-Bootstrap — new accounts provisioned under an organisation context receive a DEK automatically, without requiring a separate key setup step.
What's Next
The platform's architectural foundation is now stable. Upcoming work focuses on:
- Expanding integration test coverage for passkey and DEK flows.
- Public transparency reporting on accessibility and privacy controls.
- Additional export formats and narration improvements.
Secure. Accessible. Yours. This is PayCal.