Security evidence

We publish evidence so reviewers can verify our security claims. All published artifacts are publish-safe: no secrets, connection strings, hostnames, relay endpoints, or raw logs.

Evidence philosophy

Evidence is generated from production builds and published as sanitized summaries and reviewer packs. We maintain a public record so that third parties can assess what was checked and when. Latest run metadata is published in the GitHub evidence summary.

Latest run

Run metadata from the published summary (when available):

run_date
git_commit
completeness
overall_ok

Full summary and script details are in the summary.json artifact below.

Evidence on GitHub

Canonical evidence artifacts are in our public security repository.

View on GitHub

Downloads:

Evidence summary Reviewer pack Summary (JSON) Browse evidence/latest

You can also use the local copies if deployed:

summary.md reviewer_pack.md summary.json

Evidence is generated by our build pipeline and published as sanitized summaries only. We do not expose build commands, environment configuration, or internal paths on this page. For questions about our process, see the disclosure policy or open an issue in the security repository.

Publish-safe only. Only publish-safe artifacts are posted here. No hostnames, IPs, relay endpoints, or raw logs.
Security Home