Every layer we run, and how to verify it
Buyer diligence usually arrives as a security questionnaire — vendor fills it out, buyer takes it on faith. We'd rather publish the actual scaffolding and give you the URLs to verify each claim independently. Below: 17 defensive layers running across the Kinetic Gain estate, what each one does, and a public artifact you can read or query without talking to us. No "compliant" or "certified" claims appear on this page — that vocabulary belongs to audits, not to scaffolding.
1. Disclosure surface
How a researcher reports a vulnerability matters more than how nicely we phrase the rest of this page. All three artifacts below are live and machine-readable.
| Layer | What it is | Verify |
|---|---|---|
| RFC 9116 security.txt | Standardized contact + disclosure policy at a well-known URL. Crawlable by automated bug-bounty tooling. | /.well-known/security.txt |
| SECURITY.md on the SDK | Per-repo coordinated-disclosure policy for the Kinetic Gain Embedded npm package — the only surface that runs on customer infrastructure. | github.com/mizcausevic-dev/kinetic-gain-embedded/blob/main/SECURITY.md |
| SECURITY.md on every Marketplace Action | 24/24 published GitHub Actions ship with their own SECURITY.md so researchers don't have to guess where to send findings for the Action that broke. | any of the 24 Action repos on github.com/mizcausevic-dev |
2. Supply chain
The supply chain is where almost every real-world software compromise starts. Five layers cover four phases: what we pull in, what we publish, what an attacker could substitute, and what changed since last week.
| Layer | What it is | Verify |
|---|---|---|
| Dependabot (org-wide) | Weekly grouped updates across npm, pip, cargo, gomod, bundler, composer + github-actions. Security advisories open their own PRs immediately at any severity. | 226 repos |
| npm provenance | Every @kineticgain/embedded release is published with --provenance — Sigstore signs the build at publish time, npm verifies the supply-chain attestation, the green ✓ on the registry page is the visible proof. | npmjs.com/package/@kineticgain/embedded |
| CycloneDX SBOM | Every KGE release attaches a CycloneDX 1.5 SBOM to its GitHub Release. MCP Kinetic Gain ships one too. Lists every direct + transitive dep with versions + license info. | Release assets → sbom/cyclonedx.json |
| Action SHA pinning | Every uses: org/action@vX in our workflows is pinned to a 40-char commit SHA with the tag preserved in a trailing comment. Defeats sliding-tag substitution attacks (compromise the action repo, repoint v4 to a malicious commit — our workflows still run the audited SHA). | 419 lines pinned across 58 repos |
| npm audit CI gate | The KGE CI workflow runs npm audit --omit=dev --audit-level=info on every push + PR. Surfaces known CVEs in production deps before they merge. | KGE CI workflow runs on each PR |
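
The Action SHA pinning rule in the table can be checked mechanically. The following is an added example, not Kinetic Gain's own tooling: it scans workflow text for `uses:` references that are not pinned to a 40-character commit SHA, or that are pinned without the trailing tag comment. The workflow, the `example-org/*` action names and the SHA are constructed placeholders.

```javascript
// Added example, not Kinetic Gain's tooling. Flags `uses:` references that are
// not pinned to a 40-char commit SHA, or that are pinned without a tag comment.
const FULL_SHA = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?\s*(?:#\s*(.*))?$/;

function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, i) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const ref = m[1];
    // Local actions have no ref to pin; docker:// images are out of scope here.
    if (ref.startsWith('./') || ref.startsWith('docker://')) return;
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) {
      findings.push({ line: i + 1, ref, reason: 'not pinned to a 40-char commit SHA' });
    } else if (!m[2] || !m[2].trim()) {
      findings.push({ line: i + 1, ref, reason: 'pinned, but tag comment missing' });
    }
  });
  return findings;
}

// Constructed workflow; the org/action names and the SHA are placeholders.
const SHA = '0123456789abcdef0123456789abcdef01234567';
const SAMPLE_WORKFLOW = [
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  `      - uses: example-org/checkout-action@${SHA} # v4`,
  '      - uses: example-org/setup-action@v4',
  `      - uses: example-org/lint-action@${SHA}`,
  '      - uses: ./.github/actions/local-build',
  '      - name: deploy',
  '        uses: "example-org/deploy-action@main"',
].join('\n');

for (const f of findUnpinnedActions(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.ref} (${f.reason})`);
}
```
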
3. Static analysis
Finds the classes of bug that humans miss on review — taint flow, dangerous workflow patterns, deprecated triggers, shell-injection in run: steps.
| Layer | What it is | Verify |
|---|---|---|
| CodeQL (default-setup) | GitHub's CodeQL with the security-extended query suite. Languages auto-detected per repo (JS/TS, Python, C#, Java, Go, Actions). Findings land in each repo's Security tab. | 58 repos (5 strategic + 53 squad-era v1.0-prod) |
| actionlint | Static analysis specifically for GitHub Actions workflows. Catches what runtime can't: bad triggers, invalid expressions, dangerous shell patterns, missing job deps. Path-filtered so it only runs when workflow files change. | 58 repos |
| CodeScan (org-wide github-actions language) | The CodeQL default setup includes the actions language, which scans workflow YAML itself for dangerous patterns (script injection via ${{ github.event.* }}, etc.). Distinct from actionlint's lexical checks. | per-repo Security → Code scanning |
4. Posture monitoring
The OpenSSF Scorecard is an industry-standard scoring rubric for open-source security posture. It's run by an independent project (Google + OpenSSF maintainers), not by us, and it grades repos against a published checklist (branch protection, pinned actions, signed releases, license, weak deps, exposed secrets, etc.).
| Layer | What it is | Verify |
|---|---|---|
| OpenSSF Scorecard | Weekly run + on every push to main. publish_results: true sends the score to the public Scorecard API so anyone can look it up without our cooperation. | scorecard for KGE |
| Workflow permissions scoping | Every CI workflow declares permissions: contents: read as the explicit baseline. Workflows that need write permission (SBOM upload, GitHub Pages deploy) declare exactly what they need at the job level, not the workflow level. | 93 workflows scoped |
5. Cryptographic signing
Every machine-readable claim Kinetic Gain publishes at kineticgain.com/.well-known/ is signed with the same ed25519 keypair, so an attacker who compromises the Hostinger FTP credentials can't silently rewrite our published policies. The deploy pipeline re-verifies all 11 signatures before publishing.
| Layer | What it is | Verify |
|---|---|---|
| ed25519 keypair | One key, used to sign every /.well-known/ Suite document plus AI Procurement Pulse receipts. Public key + canonicalization algorithm published. | /.well-known/pulse-signing.json |
| 11 Suite docs signed | AEO, audit-stream, evidence-bundle, decision-card, etc. Each one's signature is roundtrip-verified before deploy. | /.well-known/security.txt (RFC 9116 contact); individual signed docs are linked from /trust/signing-policy/ |
| Deploy-time signature gate | Apex CI re-canonicalizes + re-verifies all 11 docs on every push. If any signature drifts, the deploy fails before FTP upload. Documented case study: the 2026-06-01 drift incident. | signing-policy/ |
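
A deploy-time gate of the kind described in the table re-canonicalizes each document, verifies its signature, and blocks the deploy if any check fails. The following is an added example, not Kinetic Gain's pipeline. It assumes JSON documents carrying a base64 `signature` field and a canonical form of key-sorted JSON without whitespace; the real algorithm is whatever /.well-known/pulse-signing.json publishes. The keypair and documents are constructed.

```javascript
// Added example, not Kinetic Gain's pipeline: a deploy-time Ed25519 gate.
// ASSUMPTIONS: docs are JSON with a base64 `signature` field, and the
// canonical form is JSON with recursively sorted keys and no whitespace.
const crypto = require('node:crypto');

function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

function signDoc(doc, privateKey) {
  const { signature, ...body } = doc; // never sign over an old signature
  const sig = crypto.sign(null, Buffer.from(canonicalize(body), 'utf8'), privateKey);
  return { ...body, signature: sig.toString('base64') };
}

// Fail closed: a missing or malformed signature counts as a failure.
function verifyDoc(doc, publicKey) {
  if (typeof doc.signature !== 'string') return false;
  const { signature, ...body } = doc;
  const sig = Buffer.from(signature, 'base64');
  if (sig.length !== 64) return false; // Ed25519 signatures are 64 bytes
  return crypto.verify(null, Buffer.from(canonicalize(body), 'utf8'), publicKey, sig);
}

// Returns the names of documents that fail; deploy only when this is empty.
function signatureGate(docsByName, publicKey) {
  return Object.entries(docsByName)
    .filter(([, doc]) => !verifyDoc(doc, publicKey))
    .map(([name]) => name);
}

// Constructed demo: throwaway keypair, one doc re-serialized, one edited.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const good = signDoc({ policy: 'audit-stream', version: 3, scopes: ['b', 'a'] }, privateKey);
  const reordered = { version: 3, signature: good.signature, scopes: ['b', 'a'], policy: 'audit-stream' };
  const drifted = { ...good, version: 4 }; // content changed after signing
  return signatureGate({ good, reordered, drifted }, publicKey);
}
console.log(demo());
```

Key order does not affect the result because both signer and verifier canonicalize first, which is why the gate has to use the same published canonicalization as the signer.
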
6. Transport + browser-layer headers
Defense against the user's own browser being weaponized — clickjacking frames, mixed content, leaking referrers, MIME-sniffing, cross-origin embedding.
| Header | What it blocks | Where |
|---|---|---|
| HSTS (1-year, includeSubDomains) | Strips the ability to downgrade to HTTP, even on first visit if the domain is on the browser's preload list. | apex + 100+ subdomains |
| Content-Security-Policy | Locks default sources to 'self'; restricts frame-ancestors to 'none'; blocks object-src; upgrades insecure requests. | apex .htaccess |
| X-Frame-Options: DENY | Belt-and-suspenders alongside CSP frame-ancestors. Defeats classic clickjacking. | apex .htaccess |
| Referrer-Policy: strict-origin-when-cross-origin | Limits what gets leaked in the Referer header to external sites. | apex .htaccess |
| COEP / COOP / Permissions-Policy | Cross-origin isolation; disables sensors, geolocation, autoplay, payment, microphone, camera, etc. for the entire estate. | apex + spokes |
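
The header values in the table can be checked against any response. The following is an added example, not Kinetic Gain's tooling: it audits a header set for the HSTS, CSP, X-Frame-Options and Referrer-Policy values listed above. It assumes "blocks object-src" means `object-src 'none'`, and it skips COEP, COOP and Permissions-Policy because the page gives no values for them. Both header sets are constructed.

```javascript
// Added example, not Kinetic Gain's tooling: audit response headers against
// the table above. ASSUMPTION: "blocks object-src" means object-src 'none'.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    // Browsers honour the first occurrence of a directive and ignore repeats.
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function auditHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const problems = [];
  const hsts = (h['strict-transport-security'] || '').toLowerCase();
  const maxAge = /(?:^|;)\s*max-age="?(\d+)"?/.exec(hsts);
  if (!maxAge || Number(maxAge[1]) < 31536000) problems.push('hsts: max-age under 1 year');
  if (!/(?:^|;)\s*includesubdomains\s*(?:;|$)/.test(hsts)) problems.push('hsts: no includeSubDomains');
  const csp = parseCsp(h['content-security-policy'] || '');
  const only = (name, src) => (csp.get(name) || []).join(' ') === src;
  if (!only('default-src', "'self'")) problems.push("csp: default-src is not 'self'");
  if (!only('frame-ancestors', "'none'")) problems.push("csp: frame-ancestors is not 'none'");
  if (!only('object-src', "'none'")) problems.push("csp: object-src is not 'none'");
  if (!csp.has('upgrade-insecure-requests')) problems.push('csp: no upgrade-insecure-requests');
  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') problems.push('x-frame-options: not DENY');
  if ((h['referrer-policy'] || '').toLowerCase() !== 'strict-origin-when-cross-origin') {
    problems.push('referrer-policy: not strict-origin-when-cross-origin');
  }
  return problems;
}

// Constructed header sets (not captured from any live host).
const GOOD_HEADERS = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests",
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=86400',
  'Content-Security-Policy': "default-src 'self' https:; frame-ancestors 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'SAMEORIGIN',
};
console.log(auditHeaders(GOOD_HEADERS), auditHeaders(WEAK_HEADERS));
```
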
What this page is not
Honest scope
What this page is: a public inventory of the defensive scaffolding running across the Kinetic Gain estate, with verifiable links for each claim.
What this page is not: an audit report, a SOC 2 attestation, a HIPAA Business Associate Agreement, an ISO 27001 certificate, a GDPR adequacy decision, or any other framework attestation. None of the layers on this page "satisfy" or "meet" any compliance framework on their own — they organize what we already do so that audit conversations can be specific instead of vague.
The Trust Pack vocabulary discipline applies: readiness · evidence · posture · controls · scaffolding — never "certified" or "compliant" unless we're truly audited and currently attested. We aren't. We say so out loud.
Coordinated disclosure
If you find a vulnerability anywhere in scope, please use GitHub Security Advisories on the affected repo, or follow the contact in /.well-known/security.txt. We commit to acknowledging within 72 hours.
Out-of-scope: anything claiming to be a Kinetic Gain property that isn't under kineticgain.com, *.kineticgain.com, @kineticgain on npm, or mizcausevic-dev/* on GitHub. The full in-scope list is in security.txt.