Transparency Hub

We publish how PayCal works so that users can verify decisions, not just trust statements.

28 articles · Last updated

Platform Philosophy Overview

PayCal is built around inspectable operations: formulas are documented, telemetry boundaries are explicit, and retention is finite by default.

Our principle is simple: if a system affects payroll or privacy, users must be able to understand how it works and how it is governed.

Subscription billing is processed by Stripe. Stripe support is available at support.stripe.com.

Recent product-shaping updates, including billing and profile-management flows, are tracked on our framework/backend ledger and test-governance pages.

SOC 2 Quarterly Snapshot — Q2 2026

Second quarterly compliance snapshot: CC1–CC9 control status, evidence freshness, test-control trace, Q2 improvements, and open gaps at quarter close.

Faster Passkey Sign-In Early Access

How PayCal lets an opted-in browser show available passkeys sooner while preserving normal WebAuthn verification.

CI/CD Tooling and Release Governance

Local hooks, policy metadata, PHPStan, PHPUnit, release ledgers, public promotion, production receipts, and portability commitments.

GoldMaster

How PayCal records canonical examples for future code, UI, tests, and architecture so humans and AI agents start from reviewed patterns.

Remediation Report June 2026

Protected work data, compatibility, Redis drift, crypto/plaintext, DST pay periods, security, and settings.

Security & Compliance

Readable Recovery Codes Without Weakening Account Recovery

Security

This article explains PayCal's June 2026 account recovery redesign: shorter human-readable Recovery Codes, email Verification Codes, checksum typo detection, rate limits, and passkey replacement boundaries.

  • Recovery Codes use 12 secret characters from a 28-character accessibility alphabet plus 2 checksum characters
  • The email Verification Code is short-lived, single-use, attempt-limited, and expires after 10 minutes
  • Protected recovery still requires both inbox access and the saved account secret

Security Audit Status

Security

This page publishes the current audit status, the closed scope, evidence references, and the release-blocker commitments that preserve the security posture.

  • The current cycle status is published with its verification date and review cadence.
  • Workflow coverage includes controls over the runtime lifecycle, telemetry isolation, correlation management, and hardening of privileged roles.
  • The validation snapshot includes Playwright, JS, PHPStan Level 9, and backend test results.

Verification and Governance

Security

This page documents how PayCal enforces policy through tests, hooks, runtime limits, and security controls.

  • Pre-commit and pre-push hooks enforce PHPStan Level 9 and reject baseline bypasses.
  • CI runs staged validation across unit, integration, contract, random-order, and coverage jobs.
  • Runtime controls apply rate limits, TTL windows, and abuse-response blocks for sensitive flows.

SOC 2 Compliance at PayCal

Compliance

PayCal maintains a SOC 2 aligned control environment using deterministic evidence generation, approval-linked change governance, runtime verification, and reproducible audit artifacts. Quarterly snapshots publish immutable period findings.

  • Control coverage focused on Security (CC1-CC9)
  • Q2 2026 snapshot: 2,434 tests, evidence-freshness review, per-control lifecycle status
  • Report access handled through NDA request workflow


Auth, Passkey & Redis Hardening -- May 2026

Security

An internal audit on May 12, 2026 found eleven security issues in our own authentication, passkey, and Redis infrastructure code. We are publishing every finding, its impact, and exactly what we changed.

  • 3 high-severity: non-atomic Redis writes, logout/CSRF silent failures, WebAuthn UV bypass
  • 5 medium-severity: clone detection boundary error, sign count, revoked passkey re-registration, account enumeration, recovery key ordering
  • 3 low-severity: dead code, disabled-path input collection, info disclosure in 403 body

Passkey KEK Derivation: deriveBits vs deriveKey

Security

PayCal's passkey login derives a key encryption key (KEK) inside a Web Worker. This article explains why we switched from deriveKey() to deriveBits() + importKey() to avoid a known hang path in Safari / WebKit, and proves the two paths are cryptographically identical.

  • HKDF-SHA-256 algorithm, parameters, and 256-bit AES-GCM output are unchanged
  • Parity test tests/crypto/hkdf-equivalence.mjs verifies both paths decrypt each other's ciphertext
  • No user action, re-enrollment, or credential rotation required

Privacy & Data

Platform Metrics and Privacy

Privacy

The metrics page explains the operational telemetry collected for reliability and capacity planning.

  • Telemetry keys and examples are published so that claims are verifiable.
  • Collection scope is aggregate-only, with hard limits and no personal identifiers in keys.
  • Retention follows a defined lifecycle: raw data, rollups, and automatic cleanup.

Error Handling & Message Normalization

Privacy

PayCal standardizes error messaging across all frontend modules to ensure users receive clear, meaningful feedback while protecting system security and preventing sensitive information leakage.

  • Normalized error resolution across 11 frontend modules (~40+ catch handlers)
  • Consistent message extraction, cleaning, and safe fallback patterns
  • Security-first design prevents database details, file paths, and auth info exposure

Opt-in Diagnostics & Phantom Wing

Privacy

PayCal ships a built-in diagnostics layer called Phantom Wing. All three debug controls default to Off and are entirely user-controlled from the Settings page.

  • Console Messages, Detailed Diagnostics, and Network Insights -- all off by default
  • Telemetry sends only anonymized hourly event counts -- zero personal data
  • All values are redacted before storage or transmission regardless of settings

Network Capabilities

Privacy

This article publishes the transport protocols and response-header controls used to secure browser and network behavior.

  • Documents HTTPS enforcement, HSTS preload, and HTTP/3 (QUIC) advertisement.
  • Lists the current security header baseline including CSP, COOP, COEP, CORP, and browser hardening headers.
  • Explains protocol negotiation and fallback behavior across modern clients.

Infrastructure & Testing

CI/CD Tooling and Release Governance

Infrastructure

This article explains PayCal's local-first CI/CD model and how verification evidence flows from hooks to public promotion and production deployment receipts.

  • Documents pre-commit and pre-push gates across sensitive-file scanning, README checks, PHPStan, AST metrics, and quick tests.
  • Explains public-health checks before public repository promotion.
  • Maps production release ledgers, desired state, deployment receipts, and runtime proof.

Remediation Report June 2026

Infrastructure

Complete remediation dossier for protected data, routes and methods, Redis, crypto/plaintext, pay periods, security, and settings.

  • Documents the DST bug in pay periods and the tests for period navigation
  • Lists removed aliases, paths, redirects, method wrappers, placeholder classes, and Redis compatibility shims
  • Explains which compatibility remains deliberately guarded for real user data

Release Integrity and SHA Health

Infrastructure

PayCal Technologies records approved release SHAs, desired state, deployment receipts, and runtime proof so production can be compared against the exact code that was approved.

  • Production follows promotion records, not the newest branch automatically
  • Release, desired, deployed, and runtime SHAs must agree
  • Public status is redacted while internal receipts remain private

Test and Validation Governance

Infrastructure

This article documents how we run backend, frontend, and accessibility validation and which gates are treated as release blockers.

  • Shows the active PHPUnit suite inventory and category split.
  • Documents release-blocking validation commands used in /mis sweeps.
  • Explains how test evidence is synchronized into changelogs and source-of-truth notes.

Dependency and CI/CD Governance

Infrastructure

This article publishes how npm dependencies are controlled and how CI gates are enforced before release.

  • Documents lockfile-first npm policy and npm ci automation requirements.
  • Maps JavaScript quality gates and backend pipeline stages to workflow controls.
  • Lists known documentation limitations and planned governance improvements.

Income Tax Testing

Infrastructure

This article publishes reproducible A/B benchmark results for eager rendering versus lazy section loading on /earnings/.

  • Includes a 10-run matrix for real and synthetic 2025/2026 datasets.
  • Reports DOMContentLoaded, section-ready timing, and API-call trade-offs.
  • Documents test method and interpretation for public review.

PHP Package Dependency Transparency

Infrastructure

This article documents every PHP package PayCal directly depends on, how CVEs are evaluated, and the principle that drives dependency decisions.

  • Documents all runtime and dev-time PHP packages with active-usage justification for each.
  • Explains the decision to replace vlucas/phpdotenv with a first-party implementation.
  • Covers the 2026-05 CVE audit outcome and our broader dependency philosophy.

Framework and Backend Change Ledger

Infrastructure

This page tracks backend architecture and framework-level changes with public explanations of what changed and why.

  • Summarizes service/controller changes that materially affect behavior.
  • Maps release changes to security and governance controls.
  • Includes references to detailed changelog and audit artifacts.

How We Made the Business Members Page ~100x Faster

Infrastructure

The Business Members page was taking ~1.8 seconds of server time per load. We traced it to an N+1 query pattern and full recomputation on every view, fixed both, and the page now serves from cache in single-digit milliseconds.

  • Redis pipelining batches hundreds of sequential round-trips into single round-trips
  • A materialized cache stores the finished grid with a 5-minute expiry and eager invalidation
  • Cache hits are ~100x+ faster; cache misses are still faster than the old page

Product & Platform

Faster Passkey Sign-In Early Access

Product

PayCal's Early Access passkey shortcut lets an opted-in browser show available passkeys when a user selects Sign in, without requiring an email address first.

  • Browser-scoped opt-in with a signed activation cookie.
  • Uses Chrome Immediate UI when available, then falls back normally.
  • Same server-side WebAuthn verification before any session is created.

Accessibility and WCAG Compliance

Product

We use WCAG 2.1 Level AA as our working accessibility standard and publish recent accessibility work in plain language.

  • Core navigation supports keyboard use, skip links, and documented single-key shortcuts for primary destinations.
  • Shortcut handling is safety-guarded and does not fire while typing in editable fields or when dialogs are open.
  • Recent regression coverage checks headings, reflow/text spacing, navigation paths, and the accessibility feedback handoff.
  • Strict route-level contrast blockers on core public pages have been remediated, while broader theme-wide contrast work continues.
  • Users can start an accessibility report from the accessibility page and continue it through the secure contact flow.
  • The accessibility transparency page now publishes last-verified date, verification scope, known limitations, and next review due date.

Read our accessibility standard, recent work, and feedback path

Email Architecture

Product

The email page explains which transactional emails PayCal sends, how templates are rendered, and how delivery reliability is verified.

  • Flow-specific template families are documented across verification, recovery, change-email, and contact support paths.
  • Delivery responsibilities are separated between EmailGarum orchestration and EmailTransport SMTP protocol handling.
  • Opt-in live tests for template sweeps and DKIM/DMARC health verification are documented.

Tax Methodology

Product

The tax page documents our CRA-aligned formulas, thresholds, and examples used for estimates.

  • CPP, OAS, EI, federal/provincial tax, and net-pay formulas are documented with worked examples.
  • Current tax-year thresholds and rates are published and tied to CRA references.
  • Calculation quality is validated with an automated test suite and annual rate updates.

Superheroes System Map

Product

The Superheroes page documents PayCal's themed cross-cutting components and the specific operational problem each one solves.

  • Includes ShadowTalon, Guardian, Phantom Wing, Lens, EmailGarum, Echo, and GoldMaster.
  • Explains where each component is used and what risk boundary it protects.
  • Provides verification anchors so implementation claims can be inspected directly in code and tests.

GoldMaster

Product

GoldMaster documents PayCal canonical examples: curated references for code, UI, tests, and architecture that future work should consult before building similar features.

  • Golden masters are reference artifacts, not production code.
  • The first active example defines PayCal dialog structure, action order, focus behavior, and confirmation patterns.
  • The internal editor is admin/dev-only and read-only in the first pass.

Extensions Paradigm

Product

This article explains how PayCal Core remains stable while extension packages provide configurable behavior for different deployment models.

  • Clarifies the separation between PayCal Core and in-repo basic extensions.
  • Documents how third parties can build custom extensions from this repository.
  • Explains how canonical paycal.app uses private extension variants to differentiate the platform.

Organization Membership and Role Philosophy

Product

This article explains the Organization <-> Member model, role policy changes, and the capability/scope philosophy used to keep collaboration permissions auditable.

  • Documents relationship lifecycle semantics for invites, access requests, approval, and revocation
  • Publishes current role posture (owner, manager, contributor, member, viewer)
  • Clarifies the principle of backend policy as source of truth with UI as projection only

Product Experience and Billing Changes

Product

Major account, billing, and profile-flow updates are explained alongside backend and testing governance so users can audit both UX and behavior changes.

  • Tracks billing-state handling and subscription status contract changes.
  • Captures destructive-action safeguards such as explicit account deletion confirmation phrases.
  • Links product-facing updates to verification and release governance evidence.