Security Audit Status

PayCal remains in PASS status as of 2026-03-24 with control-by-architecture safeguards enforced in code, tests, and release governance.

Verification Metadata

Route metadata

  • Route: /transparency/security-audit/
  • Current status: PASS
  • Last verified:
  • Next review due:

Evidence sources

  • docs/security/GEMINI_SECURITY_AUDIT_HANDOFF_AUDITOR_2026-03-23.md
  • docs/SECURITY_INTERROGATION_EVIDENCE_2026-03-23.md
  • docs/security/PHASE_CLOSURE_PROGRAM.md

This page summarizes public-facing status; detailed technical evidence remains in the linked repository artifacts.

Scope Closed in PASS Cycles 1.042-1.043

  • Workstream A: Correlation governance centralized through broker-evaluated, deny-safe envelopes.
  • Workstream B: Telemetry query governance enforced with stream-scoped tokens and cross-stream join denial.
  • Workstream C: Privileged-role controls hardened with singleton superadmin and mutation guard enforcement.
  • Workstream D: Runtime decrypted-data lifecycle controls completed, including lifecycle zeroization and DOM sensitivity scrub behavior.
  • Workstream E: CSP nonce + strict-dynamic policy and violation ingestion enforcement in production routes.
  • Workstream F: One-shot capability token gates for high-risk admin mutations with denial regression coverage.
  • Workstream G: Browser credential-bridge removal for passkey flows and deterministic credential-derived KEK governance.
  • Workstream H: Runtime integrity monitor state machine (SAFE/DEGRADED/LOCKED/TERMINATED) with telemetry hooks.
  • Workstream I: Guardian sanitizer selector/style hardening with updated coverage anchors.

Validation Snapshot (2026-03-24)

Gate                          Result  Evidence
Playwright lifecycle smoke    PASS    8 passed
JS lint and sink checks       PASS    npm run test:js
PHPStan strict (Level 9)      PASS    [OK] No errors
Backend PHPUnit suite         PASS    1,212 listed tests (release validations passing)

Runtime Lifecycle Closure Summary

  • In-memory crypto state is zeroized on navigation and lifecycle boundaries.
  • Hidden-tab delayed expiry now includes unlocked-state zeroization proof.
  • DOM sensitivity scrub clears runtime payload traces before state reset.
  • Deterministic re-unlock and recovery behavior is regression-tested.

Maintenance Commitments

To preserve PASS status, the following remain release blockers:

  • tests/smoke-ui/dev-bypass-smoke.spec.js lifecycle regression suite.
  • composer run phpstan:strict with no baseline policy exceptions.
  • Full backend test suite and JS security checks on release candidates.

Any calendar lifecycle, crypto-state, or DOM rendering changes must include corresponding regression updates before release.

Use Case: Blocking an Unsafe Release

If a release candidate introduces a regression in lifecycle zeroization or CSP enforcement, these blocker gates stop promotion until controls and tests are restored, preventing weakened posture from reaching production.