Transparency Hub

We publish how PayCal works so that users can verify decisions, not just trust statements.

28 articles

Platform Philosophy Overview

PayCal is built around auditable operations: formulas are documented, telemetry boundaries are explicit, and retention is bounded by default.

Our principle is straightforward: if a system affects payroll or privacy, users should be able to understand how it works and how it is governed.

Subscription billing is processed by Stripe. Stripe support is available at support.stripe.com.

Recent product-shaping updates, including billing and profile management flows, are tracked in our framework/backend ledger and governance testing pages.

SOC 2 Quarterly Snapshot — Q2 2026

Second quarterly compliance snapshot: CC1–CC9 control status, evidence freshness, test-control trace, Q2 improvements, and open gaps at quarter close.

Faster Passkey Sign-In Early Access

How PayCal lets an opted-in browser show available passkeys sooner while preserving normal WebAuthn verification.

CI/CD Tooling and Release Governance

Local hooks, policy metadata, PHPStan, PHPUnit, release ledgers, public promotion, production receipts, and portability commitments.

GoldMaster

How PayCal records canonical examples for future code, UI, tests, and architecture so humans and AI agents start from reviewed patterns.

June 2026 Remediation Report

Protected work data, compatibility cleanup, Redis drift, crypto/plaintext readiness, pay-period DST, security findings, and settings controls.

Security & Compliance

Readable Recovery Codes Without Weakening Account Recovery

Security

This article explains PayCal's June 2026 account recovery redesign: shorter human-readable Recovery Codes, email Verification Codes, checksum typo detection, rate limits, and passkey replacement boundaries.

  • Recovery Codes use 12 secret characters from a 28-character accessibility alphabet plus 2 checksum characters
  • The email Verification Code is short-lived, single-use, attempt-limited, and expires after 10 minutes
  • Protected recovery still requires both inbox access and the saved account secret

Security Audit Status

Security

This page publishes the current audit status, closed scope, evidence references, and the release-blocker commitments that maintain the security posture.

  • The current cycle status is published with its verification date and review cadence.
  • Workstream scope includes runtime lifecycle controls, telemetry isolation, correlation governance, and privileged-role hardening.
  • The validation snapshot includes Playwright, JS, PHPStan Level 9, and backend test results.

Validation and Governance

Security

This page documents how PayCal enforces policy through tests, hooks, runtime limits, and security controls.

  • Pre-commit and pre-push hooks enforce PHPStan Level 9 and reject baseline bypasses.
  • CI runs staged validation across unit, integration, contract, random-order, and coverage jobs.
  • Runtime controls apply rate limits, TTL windows, and abuse-response blocks for sensitive flows.

SOC 2 Compliance at PayCal

Compliance

PayCal maintains a SOC 2 aligned control environment using deterministic evidence generation, approval-linked change governance, runtime verification, and reproducible audit artifacts. Quarterly snapshots publish immutable period findings.

  • Control coverage focused on Security (CC1-CC9)
  • Q2 2026 snapshot: 2,434 tests, evidence-freshness review, per-control lifecycle status
  • Report access handled through NDA request workflow


Auth, Passkey & Redis Hardening -- May 2026

Security

An internal audit on May 12, 2026 found eleven security issues in our own authentication, passkey, and Redis infrastructure code. We are publishing every finding, its impact, and exactly what we changed.

  • 3 high-severity: non-atomic Redis writes, logout/CSRF silent failures, WebAuthn UV bypass
  • 5 medium-severity: clone detection boundary error, sign count, revoked passkey re-registration, account enumeration, recovery key ordering
  • 3 low-severity: dead code, disabled-path input collection, info disclosure in 403 body

Passkey KEK Derivation: deriveBits vs deriveKey

Security

PayCal's passkey login derives a key encryption key (KEK) inside a Web Worker. This article explains why we switched from deriveKey() to deriveBits() + importKey() to avoid a known hang path in Safari / WebKit, and proves the two paths are cryptographically identical.

  • HKDF-SHA-256 algorithm, parameters, and 256-bit AES-GCM output are unchanged
  • Parity test tests/crypto/hkdf-equivalence.mjs verifies both paths decrypt each other's ciphertext
  • No user action, re-enrollment, or credential rotation required

Privacy & Data

Platform Metrics and Privacy

Privacy

The metrics page explains the operational telemetry collected for reliability and capacity planning.

  • Telemetry keys and examples are published so that the claims can be verified.
  • Collection scope is aggregate-only, with hard limits and no personal identifiers in keys.
  • Retention follows a defined lifecycle: raw data, rollups, and automatic purge.

Error Handling & Message Normalization

Privacy

PayCal standardizes error messaging across all frontend modules to ensure users receive clear, meaningful feedback while protecting system security and preventing sensitive information leakage.

  • Normalized error resolution across 11 frontend modules (~40+ catch handlers)
  • Consistent message extraction, cleaning, and safe fallback patterns
  • Security-first design prevents database details, file paths, and auth info exposure

Opt-in Diagnostics & Phantom Wing

Privacy

PayCal ships a built-in diagnostics layer called Phantom Wing. All three debug controls default to Off and are entirely user-controlled from the Settings page.

  • Console Messages, Detailed Diagnostics, and Network Insights -- all off by default
  • Telemetry sends only anonymized hourly event counts -- zero personal data
  • All values are redacted before storage or transmission regardless of settings

Network Capabilities

Privacy

This article publishes the transport protocol and response-header controls used to secure browser and network behavior.

  • Documents HTTPS enforcement, HSTS preload, and HTTP/3 (QUIC) advertisement.
  • Lists the current security header baseline including CSP, COOP, COEP, CORP, and browser hardening headers.
  • Explains protocol negotiation and fallback behavior across modern clients.

Infrastructure & Testing

CI/CD Tooling and Release Governance

Infrastructure

This article explains PayCal's local-first CI/CD model and how verification evidence flows from hooks to public promotion and production deployment receipts.

  • Documents pre-commit and pre-push gates across sensitive-file scanning, README checks, PHPStan, AST metrics, and quick tests.
  • Explains public-health checks before public repository promotion.
  • Maps production release ledgers, desired state, deployment receipts, and runtime proof.

June 2026 Remediation Report

Infrastructure

Full remediation record for protected data, route and method cleanup, Redis drift, crypto/plaintext readiness, pay-period DST, security findings, and settings controls.

  • Documents the pay-period DST bug and the tests for earnings period navigation
  • Lists the removed aliases, paths, redirects, method wrappers, placeholder classes, and Redis compatibility branches
  • Explains which compatibility is deliberately guarded for real user data

Release Integrity and SHA Health

Infrastructure

PayCal Technologies records approved release SHAs, desired state, deployment receipts, and runtime proof so production can be compared against the exact code that was approved.

  • Production follows promotion records, not the newest branch automatically
  • Release, desired, deployed, and runtime SHAs must agree
  • Public status is redacted while internal receipts remain private

Test Governance and Validation

Infrastructure

This article documents how we run backend, frontend, and accessibility validation and which gates are treated as release blockers.

  • Shows the active PHPUnit suite inventory and category split.
  • Documents release-blocking validation commands used in /mis sweeps.
  • Explains how test evidence is synchronized into changelogs and source-of-truth notes.

Dependency and CI/CD Governance

Infrastructure

This article publishes how npm dependencies are controlled and how CI gates are enforced before release.

  • Documents lockfile-first npm policy and npm ci automation requirements.
  • Maps JavaScript quality gates and backend pipeline stages to workflow controls.
  • Lists known documentation limitations and planned governance improvements.

Earnings Load Testing

Infrastructure

This article publishes reproducible A/B benchmark results for eager rendering versus lazy section loading on /earnings/.

  • Includes a 10-run matrix for real and synthetic 2025/2026 datasets.
  • Reports DOMContentLoaded, section-ready timing, and API-call trade-offs.
  • Documents test method and interpretation for public review.

PHP Package Dependency Transparency

Infrastructure

This article documents every PHP package PayCal directly depends on, how CVEs are evaluated, and the principle that drives dependency decisions.

  • Documents all runtime and dev-time PHP packages with active-usage justification for each.
  • Explains the decision to replace vlucas/phpdotenv with a first-party implementation.
  • Covers the 2026-05 CVE audit outcome and our broader dependency philosophy.

Framework and Backend Change Ledger

Infrastructure

This page tracks backend architecture and framework-level changes with public explanations of what changed and why.

  • Summarizes service/controller changes that materially affect behavior.
  • Maps release changes to security and governance controls.
  • Includes references to detailed changelog and audit artifacts.

How We Made the Business Members Page ~100x Faster

Infrastructure

The Business Members page was taking ~1.8 seconds of server time per load. We traced it to an N+1 query pattern and full recomputation on every view, fixed both, and the page now serves from cache in single-digit milliseconds.

  • Redis pipelining batches hundreds of sequential round-trips into single round-trips
  • A materialized cache stores the finished grid with a 5-minute expiry and eager invalidation
  • Cache hits are ~100x+ faster; cache misses are still faster than the old page

Product & Platform

Faster Passkey Sign-In Early Access

Product

PayCal's Early Access passkey shortcut lets an opted-in browser show available passkeys when a user selects Sign in, without requiring an email address first.

  • Browser-scoped opt-in with a signed activation cookie.
  • Uses Chrome Immediate UI when available, then falls back normally.
  • Same server-side WebAuthn verification before any session is created.

Accessibility and WCAG Compliance

Product

We use WCAG 2.1 Level AA as our working accessibility standard and publish recent accessibility work in plain language.

  • Core navigation supports keyboard use, skip links, and documented single-key shortcuts for primary destinations.
  • Shortcut handling is safety-guarded and does not fire while typing in editable fields or when dialogs are open.
  • Recent regression coverage checks headings, reflow/text spacing, navigation paths, and the accessibility feedback handoff.
  • Strict route-level contrast blockers on core public pages have been remediated, while broader theme-wide contrast work continues.
  • Users can start an accessibility report from the accessibility page and continue it through the secure contact flow.
  • The accessibility transparency page now publishes last-verified date, verification scope, known limitations, and next review due date.


Email Architecture

Product

The email page explains which transactional emails PayCal sends, how templates are rendered, and how delivery reliability is verified.

  • Flow-specific template families are documented across verification, recovery, change-email, and contact support paths.
  • Delivery responsibilities are separated between EmailGarum orchestration and EmailTransport SMTP protocol handling.
  • Opt-in live tests for template sweeps and DKIM/DMARC health verification are documented.

Tax Methodology

Product

The tax page documents our CRA-aligned formulas, thresholds, and examples used for estimates.

  • CPP, OAS, EI, federal/provincial tax, and net-pay formulas are documented with worked examples.
  • Current tax-year thresholds and rates are published and tied to CRA references.
  • Calculation quality is validated with an automated test suite and annual rate updates.


Superheroes System Map

Product

The Superheroes page documents PayCal's themed cross-cutting components and the specific operational problem each one solves.

  • Includes ShadowTalon, Guardian, Phantom Wing, Lens, EmailGarum, Echo, and GoldMaster.
  • Explains where each component is used and what risk boundary it protects.
  • Provides verification anchors so implementation claims can be inspected directly in code and tests.

GoldMaster

Product

GoldMaster documents PayCal canonical examples: curated references for code, UI, tests, and architecture that future work should consult before building similar features.

  • Golden masters are reference artifacts, not production code.
  • The first active example defines PayCal dialog structure, action order, focus behavior, and confirmation patterns.
  • The internal editor is admin/dev-only and read-only in the first pass.

Extensions Paradigm

Product

This article explains how PayCal Core remains stable while extension packages provide configurable behavior for different deployment models.

  • Clarifies the separation between PayCal Core and in-repo basic extensions.
  • Documents how third parties can build custom extensions from this repository.
  • Explains how canonical paycal.app uses private extension variants to differentiate the platform.

Organization Membership and Role Philosophy

Product

This article explains the Organization <-> Member model, role policy changes, and the capability/scope philosophy used to keep collaboration permissions auditable.

  • Documents relationship lifecycle semantics for invites, access requests, approval, and revocation
  • Publishes current role posture (owner, manager, contributor, member, viewer)
  • Clarifies the principle of backend policy as source of truth with UI as projection only

Product Experience and Billing Changes

Product

Major account, billing, and profile-flow updates are explained alongside backend and testing governance so users can audit both UX and behavior changes.

  • Tracks billing-state handling and subscription status contract changes.
  • Captures destructive-action safeguards such as explicit account deletion confirmation phrases.
  • Links product-facing updates to verification and release governance evidence.