Security engineering

PCI-focused safeguards in Truenote

Completed software safeguards and passed repository checks that support secure development for organizations operating a PCI DSS cardholder data environment.

Current as of July 17, 2026Completed work onlyRepository evidence linked
Plain-language context

PCI DSS includes secure-software requirements for systems that are inside, or can affect, a cardholder data environment. For an application such as Truenote, that means disciplined software development, vulnerability detection, protection against common web attacks, and controlled releases. The safeguards below are the parts Truenote has completed and tested in this repository.

Completed safeguards

Each item below is backed by implementation, documentation, or a passed repository acceptance check.

01

Secure development lifecycle

A Truenote-specific lifecycle defines security responsibilities from design and threat review through testing, release, and post-change verification.

02

Threat-driven testing

A documented threat model covers application, AI, provider, authorization, data, and PCI-impact boundaries. Negative tests exercise fail-closed behavior.

03

Pre-provider data screening

Deterministic high-risk input is checked before persistence and before calls to embedding, reranking, answer, and utility-model providers.

04

Model-output screening

Sensitive generated text is blocked before a normal answer is returned. Missing or invalid citations also produce a refusal.

05

Server-side access boundaries

Program and classification limits are applied before retrieval and checked again before protected content can reach generation or citation lookup.

06

Controlled content activation

Source, file, scan, parsing, lifecycle, and role checks must pass before knowledge content becomes available to users.

07

Automated security analysis

The delivery workflow runs CodeQL, secret scanning, dependency auditing, software bill of materials generation, type checks, builds, and unit tests.

08

Controlled change records

A tool-neutral change procedure and record format capture reason, impact, authorization, review, testing, deployment, recovery, and post-change verification.

09

Tamper-evident audit logic

Security events use append-only hash chaining. Durable SIEM delivery logic includes signed payloads, retry leases, backoff, and dead-letter handling.

Checks that passed

These results verify the repository implementation and its documented evidence package.

Access isolation

Negative tests denied cross-program and above-clearance retrieval, citation access, and document reads.

AI input boundary

Portable tests captured provider payloads and confirmed deterministic redaction before supported provider calls.

Citation and refusal rules

Tests rejected missing, malformed, unknown, and out-of-range citations and refused sensitive model output.

Browser request defense

Tests accepted trusted same-origin mutations and rejected foreign, opaque, malformed, cross-site, and sibling-origin requests.

Audit delivery logic

Tests passed signed delivery, lease fencing, retry scheduling, dead-letter handling, and delivery-health behavior.

Security delivery pipeline

Hosted checks passed type checking, production build, unit tests, secret scan, dependency audit and SBOM, and CodeQL analysis.

Open the complete public evidence set

Every completed safeguard and passed check named above is represented below. Each card opens the exact public repository document, implementation, test, or workflow record in a new tab.