{
  "packVersion": "1.0.0",
  "generatedAt": "2026-05-25T00:27:54.131692+00:00",
  "methodology": "Claims mapped to repository file paths; snippets extracted via pattern match. evidenceVerified records only that each cited path exists and that pattern-matched snippets could be extracted; it does not confirm that a snippet substantiates the claim (for example, the html-sanitize snippets show Gemini client initialization, not HTML sanitization), so every claim still needs manual review against the cited file.",
  "honestyNote": "Contractual controls are Operator commitments. Implemented controls reflect current open-source codebase.",
  "claims": [
    {
      "id": "no-training",
      "statement": "Pilot Data is not used to train foundation models.",
      "status": "contractual",
      "evidence": [
        "marketing/public/security/pilot-data-addendum.md"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "marketing/public/security/pilot-data-addendum.md",
          "exists": true,
          "snippets": [
            "# Pilot Data Addendum  **GovProposal Operations \u00b7 Operated by FedShredder**  This",
            "# Pilot Data Addendum  **GovProposal Operations \u00b7 Operated by FedShredder**  This",
            "# Pilot Data Addendum  **GovProposal Operations \u00b7 Operated by FedShredder**  This "
          ]
        }
      ]
    },
    {
      "id": "gemini-subprocessor",
      "statement": "Gemini API is the named LLM subprocessor for extraction.",
      "status": "implemented",
      "evidence": [
        "marketing/public/security/subprocessor-register.json",
        "backend/services/ai_service.py"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "marketing/public/security/subprocessor-register.json",
          "exists": true,
          "snippets": [
            "{   \"registerVersion\": \"1.0.0\",   \"lastUpdated\": \"2026-05-25\"",
            "{   \"registerVersion\": \"1.0.0\",   \"lastUpdated\": \"2026-05-25\"",
            "{   \"registerVersion\": \"1.0.0\",   \"lastUpdated\": \"2026-05-25\",   \"operator\": \"FedShredder\","
          ]
        },
        {
          "path": "backend/services/ai_service.py",
          "exists": true,
          "snippets": [
            "t__(self):         api_key = os.getenv(\"GEMINI_API_KEY\") or os.getenv(\"API_KEY\")         if not api_key:          ",
            "(\"Gemini API key is missing. Please set GEMINI_API_KEY in your environment variables.\")                  genai.con",
            "-flash\")         self.model_pro = genai.GenerativeModel(pro_model)         self.model_flash = genai.GenerativeModel"
          ]
        }
      ]
    },
    {
      "id": "cors-localhost",
      "statement": "Backend CORS allow-list is limited to the localhost dev origins http://localhost:3000 and http://127.0.0.1:3000. CORS only constrains cross-origin browser requests; it is not an access control against direct or non-browser clients, and the allow-list will need to change for any non-local deployment.",
      "status": "implemented",
      "evidence": [
        "backend/main.py"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "backend/main.py",
          "exists": true,
          "snippets": [
            "add_middleware(     CORSMiddleware,     allow_origins=[\"http://localhost:3000\", \"http://127.0.0.1:3000\"],     allow_cred",
            "orm from fastapi.middleware.cors import CORSMiddleware from fastapi.responses import JSONResponse, Response from p",
            "CORS middleware app.add_middleware(     CORSMiddleware,     allow_origins=[\"http://localhost:3000\", \"http://127.0."
          ]
        }
      ]
    },
    {
      "id": "chroma-telemetry-off",
      "statement": "ChromaDB anonymized telemetry is disabled.",
      "status": "implemented",
      "evidence": [
        "backend/services/vector_store.py"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "backend/services/vector_store.py",
          "exists": true,
          "snippets": [
            "=db_path,             settings=Settings(anonymized_telemetry=False)         )                  # Get or create collectio"
          ]
        }
      ]
    },
    {
      "id": "html-sanitize",
      "statement": "AI HTML output strips script tags. Removing script tags alone is not a complete HTML sanitizer (inline event handlers and javascript: URLs are separate vectors), and the cited snippets show Gemini client setup rather than the stripping code, so confirm the implementation in ai_service.py before relying on this.",
      "status": "implemented",
      "evidence": [
        "backend/services/ai_service.py"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "backend/services/ai_service.py",
          "exists": true,
          "snippets": [
            "t__(self):         api_key = os.getenv(\"GEMINI_API_KEY\") or os.getenv(\"API_KEY\")         if not api_key:          ",
            "(\"Gemini API key is missing. Please set GEMINI_API_KEY in your environment variables.\")                  genai.con",
            "-flash\")         self.model_pro = genai.GenerativeModel(pro_model)         self.model_flash = genai.GenerativeModel"
          ]
        }
      ]
    },
    {
      "id": "scanned-pdf-block",
      "statement": "Scanned/low-text PDFs return blocking OCR-required error.",
      "status": "implemented",
      "evidence": [
        "backend/processors/ingestion.py"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "backend/processors/ingestion.py",
          "exists": true,
          "snippets": [
            "   blocking_error = (                 f\"OCR Required - Scanned Document Detected \"                 f\"({best.char",
            "alueError(                 \"This PDF is password-protected. Please provide an unlocked version.\"             )        ",
            "Error(                     \"This PDF is password-protected. Please provide an unlocked version.\"                 )    "
          ]
        }
      ]
    },
    {
      "id": "no-auth",
      "statement": "Multi-tenant authentication is not implemented in the app. The cited snippets show only CORS middleware registration; the absence of an auth layer cannot be demonstrated by pattern match, so this status is a disclosure rather than a pattern-verified finding.",
      "status": "not_implemented",
      "evidence": [
        "backend/main.py"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "backend/main.py",
          "exists": true,
          "snippets": [
            "add_middleware(     CORSMiddleware,     allow_origins=[\"http://localhost:3000\", \"http://127.0.0.1:3000\"],     allow_cred",
            "orm from fastapi.middleware.cors import CORSMiddleware from fastapi.responses import JSONResponse, Response from p",
            "CORS middleware app.add_middleware(     CORSMiddleware,     allow_origins=[\"http://localhost:3000\", \"http://127.0."
          ]
        }
      ]
    },
    {
      "id": "localstorage-persistence",
      "statement": "Frontend persists projects as plaintext JSON in browser localStorage (client-side only; no server-side storage or encryption is involved). Anything stored there is readable by any script running on the same origin and by anyone with access to the browser profile.",
      "status": "implemented",
      "evidence": [
        "frontend/services/storageService.ts"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "frontend/services/storageService.ts",
          "exists": true,
          "snippets": [
            "ects.push(stored);       }              localStorage.setItem(STORAGE_KEY, JSON.stringify(projects));            ",
            "roject for backward compatibility       localStorage.setItem(CURRENT_PROJECT_KEY, JSON.stringify(stored));     }",
            "d current project       const current = localStorage.getItem(CURRENT_PROJECT_KEY);       if (current) {         "
          ]
        }
      ]
    },
    {
      "id": "no-soc2-claim",
      "statement": "SOC 2 is roadmap only \u2014 not claimed as certified.",
      "status": "disclosed",
      "evidence": [
        "marketing/lib/security-pack.ts"
      ],
      "evidenceVerified": true,
      "evidenceDetails": [
        {
          "path": "marketing/lib/security-pack.ts",
          "exists": true,
          "snippets": [
            "/** CISO-ready security packet \u2014 honest boundaries, no FedRAMP theater. */  export const SECURITY_PACK = {   title: \"Sec",
            "onest boundaries, no FedRAMP theater. */  export const SECURITY_PACK = {   title: \"Security & data h",
            "nest boundaries, no FedRAMP theater. */  export const SECURITY_PACK = {   title: \"Security & data ha"
          ]
        }
      ]
    }
  ],
  "controlsMatrixRows": 20
}