Every layer we run, and how to verify it
Buyer diligence usually arrives as a security questionnaire. Vendor fills it out, buyer takes it on faith. We'd rather publish the actual scaffolding and give you the URLs to verify each claim independently. Below: 17 defensive layers running across the Kinetic Gain estate, what each one does, and a public artifact you can read or query without talking to us. No "compliant" or "certified" claims appear on this page. That vocabulary belongs to audits, not to scaffolding.
uses: lines1. Disclosure surface
How a researcher reports a vulnerability matters more than how nicely we phrase the rest of this page. All three artifacts below are live and machine-readable.
| Layer | What it is | Verify |
|---|---|---|
| RFC 9116 security.txt | Standardized contact + disclosure policy at a well-known URL. Crawlable by automated bug-bounty tooling. | /.well-known/security.txt |
| SECURITY.md on the SDK | Per-repo coordinated-disclosure policy for the Kinetic Gain Embedded npm package, the only surface that runs on customer infrastructure. | github.com/mizcausevic-dev/kinetic-gain-embedded/blob/main/SECURITY.md |
| SECURITY.md on every Marketplace Action | 24/24 published GitHub Actions ship with their own SECURITY.md so researchers don't have to guess where to send findings for the Action that broke. | any of the 24 Action repos on github.com/mizcausevic-dev |
2. Supply chain
The supply chain is where almost every real-world software compromise starts. Five layers cover four phases: what we pull in, what we publish, what an attacker could substitute, and what changed since last week.
| Layer | What it is | Verify |
|---|---|---|
| Dependabot (org-wide) | Weekly grouped updates across npm, pip, cargo, gomod, bundler, composer + github-actions. Security advisories open their own PRs immediately at any severity. | 410 repos |
| npm provenance | Every @kineticgain/embedded release is published with --provenance. Sigstore signs the build at publish time, npm verifies the supply-chain attestation, the green ✓ on the registry page is the visible proof. | npmjs.com/package/@kineticgain/embedded |
| CycloneDX SBOM | Every KGE release attaches a CycloneDX 1.5 SBOM to its GitHub Release. MCP Kinetic Gain ships one too. Lists every direct + transitive dep with versions + license info. | Release assets → sbom/cyclonedx.json |
| Action SHA pinning | Every uses: org/action@vX in our workflows is pinned to a 40-char commit SHA with the tag preserved in a trailing comment. Defeats sliding-tag substitution attacks (compromise the action repo, repoint v4 to a malicious commit, our workflows still run the audited SHA). | 558 lines pinned across 98 repos |
| npm audit CI gate | The KGE CI workflow runs npm audit --omit=dev --audit-level=info on every push + PR. Surfaces known CVEs in production deps before they merge. | KGE CI workflow runs on each PR |
3. Static analysis
Finds the classes of bug that humans miss on review, taint flow, dangerous workflow patterns, deprecated triggers, shell-injection in run: steps.
| Layer | What it is | Verify |
|---|---|---|
| CodeQL (default-setup) | GitHub's CodeQL with the security-extended query suite. Languages auto-detected per repo (JS/TS, Python, C#, Java, Go, Actions). Findings land in each repo's Security tab. | 98 repos (5 strategic + 93 squad-era v1.0-prod) |
| actionlint | Static analysis specifically for GitHub Actions workflows. Catches what runtime can't: bad triggers, invalid expressions, dangerous shell patterns, missing job deps. Path-filtered so it only runs when workflow files change. | 93 repos |
| CodeScan (org-wide github-actions language) | The CodeQL default setup includes the actions language, which scans workflow YAML itself for dangerous patterns (script injection via ${{ github.event.* }}, etc.). Distinct from actionlint's lexical checks. | per-repo Security → Code scanning |
4. Posture monitoring
The OpenSSF Scorecard is an industry-standard scoring rubric for open-source security posture. It's run by an independent project (Google + OpenSSF maintainers), not by us, and it grades repos against a published checklist (branch protection, pinned actions, signed releases, license, weak deps, exposed secrets, etc.).
| Layer | What it is | Verify |
|---|---|---|
| OpenSSF Scorecard | Weekly run + on every push to main. publish_results: true sends the score to the public Scorecard API so anyone can look it up without our cooperation. | scorecard for KGE |
| Workflow permissions scoping | Every CI workflow declares permissions: contents: read as the explicit baseline. Workflows that need write permission (SBOM upload, GitHub Pages deploy) declare exactly what they need at the job level, not the workflow level. | 93 workflows scoped |
5. Cryptographic signing
Every machine-readable claim Kinetic Gain publishes at kineticgain.com/.well-known/ is signed with the same ed25519 keypair, so an attacker who compromises the Hostinger FTP credentials can't silently rewrite our published policies. The deploy pipeline re-verifies all 11 signatures before publishing.
| Layer | What it is | Verify |
|---|---|---|
| ed25519 keypair | One key, used to sign every /.well-known/ Suite document plus AI Procurement Pulse receipts. Public key + canonicalization algorithm published. | /.well-known/pulse-signing.json |
| 11 Suite docs signed | AEO, audit-stream, evidence-bundle, decision-card, etc. Each one's signature is roundtrip-verified before deploy. | /.well-known/security.txt (RFC 9116 contact); individual signed docs are linked from /trust/signing-policy/ |
| Deploy-time signature gate | Apex CI re-canonicalizes + re-verifies all 11 docs on every push. If any signature drifts, the deploy fails before FTP upload. Documented case study: the 2026-06-01 drift incident. | signing-policy/ |
6. Transport + browser-layer headers
Defense against the user's own browser being weaponized, clickjacking frames, mixed content, leaking referrers, MIME-sniffing, cross-origin embedding.
| Header | What it blocks | Where |
|---|---|---|
| HSTS (1-year, includeSubDomains) | Strips the ability to downgrade to HTTP, even on first visit if user is on the preload list. | apex + 100+ subdomains |
| Content-Security-Policy | Locks default sources to 'self'; restricts frame-ancestors to 'none'; blocks object-src; upgrades insecure requests. | apex .htaccess |
| X-Frame-Options: DENY | Belt-and-suspenders alongside CSP frame-ancestors. Defeats classic clickjacking. | apex .htaccess |
| Referrer-Policy: strict-origin-when-cross-origin | Limits what gets leaked in the Referer header to external sites. | apex .htaccess |
| COEP / COOP / Permissions-Policy | Cross-origin isolation; disables sensors, geolocation, autoplay, payment, microphone, camera, etc. for the entire estate. | apex + spokes |
What this page is not
Honest scope
What this page is: a public inventory of the defensive scaffolding running across the Kinetic Gain estate, with verifiable links for each claim.
What this page is not: an audit report, a SOC 2 attestation, a HIPAA Business Associate Agreement, an ISO 27001 certificate, a GDPR adequacy decision, or any other framework attestation. None of the layers below "satisfy" or "meet" any compliance framework on their own. They organize what we already do so that audit conversations can be specific instead of vague.
The Trust Pack vocabulary discipline applies: readiness · evidence · posture · controls · scaffolding, never "certified" or "compliant" unless we're truly audited and currently attested. We aren't. We say so out loud.
Coordinated disclosure
If you find a vulnerability anywhere in scope, please use GitHub Security Advisories on the affected repo, or follow the contact in /.well-known/security.txt. We commit to acknowledging within 72 hours.
Out-of-scope: anything claiming to be a Kinetic Gain property that isn't under kineticgain.com, *.kineticgain.com, @kineticgain on npm, or mizcausevic-dev/* on GitHub. The full in-scope list is in security.txt.