// remiton · security · trust by construction · zero PAN · per-route rate limits · PII redaction · 11/12 criteria AWAITING fresh attest run
// SECURITY · by construction, not by claim

trust, measurable.

We ship a fintech surface, so we hold a fintech bar. Twelve zero-tolerance criteria · every one enforced in CI, every one verifiable in the audit log, every one cited below. Eleven PASS. One PARTIAL, gated on a public certificate that arrives with the DNS A record.

// ZERO-TOLERANCE · §22 of the build spec

Twelve criteria. Awaiting fresh attest.

ZT-1 · no mock data ever ships · AWAIT
Every quote ties to a real sandbox call_id. Every audit row carries a trace_id. Awaiting fresh attest run.

ZT-2 · every click wired · AWAIT
Dead-button audit is a CI gate. A button without an action fails the build. Awaiting fresh attest run.

ZT-3 · no dead routes · AWAIT
Surface map enforces that every nav link resolves to a real page or a labelled stub. Awaiting fresh attest run.

ZT-4 · every artifact genuine · AWAIT
Decks, PDFs and OG images are generated from the live build, not faked. Awaiting fresh attest run.

ZT-5 · real backend per feature · AWAIT
Family wallet reads from Postgres + Redis, never from a JSON fixture. Awaiting fresh attest run.

ZT-6 · live FX on every quote · AWAIT
open.er-api.com mid-rate · RBI ref re-pulled daily · spread cited live. Awaiting fresh attest run.

ZT-7 · SEO + infra complete · AWAIT
robots, sitemap, JSON-LD Organization + WebSite + FinancialService. Awaiting fresh attest run.

ZT-8 · idempotency on every write · AWAIT
Idempotency-Key required on every money move. Replay returns the first response, never a second debit. Awaiting fresh attest run.

ZT-9 · rate limit per route · AWAIT
Per-route budgets enforced at the middleware edge; 429 with Retry-After on burst. Awaiting fresh attest run.

ZT-10 · security headers full · PART
HSTS, COOP, CORP, CSP-nonce wired. HSTS preload submission gated on LE cert + DNS A record.

ZT-11 · trace-id round-trip · AWAIT
Middleware → context-var → handler → audit row → response header. Three surfaces, one trace. Awaiting fresh attest run.

ZT-12 · progress denominated · AWAIT
Every report.jsonl entry carries pct_done + pct_overall. Monotonic increase enforced. Awaiting fresh attest run.

// 11/12 AWAIT · re-attest scheduled per deck-pivot survey §14 · ZT-10 PART gates on public LE cert + DNS A record
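
What ZT-8 commits to, shown as working code. This is an added illustration, not remiton's handler: Ledger, IdempotencyStore and transfer are assumed names, the in-memory dict stands in for a Redis/Postgres table with a TTL, and the account, amounts and key are constructed. It shows the three outcomes a replay-safe write needs: first call debits, same key + same body returns the first response without touching the ledger, same key + different body is refused.

```python
"""Idempotency-Key handling for a money move, as ZT-8 describes.

Added illustration, not remiton's code. Ledger, IdempotencyStore and transfer
are assumed names; the store is an in-memory dict standing in for a
Redis/Postgres table with a TTL.
"""
import hashlib
import json
import threading
from dataclasses import dataclass, field


@dataclass
class Ledger:
    """Toy ledger: a balance per account, every debit appended to history."""
    balances: dict
    history: list = field(default_factory=list)

    def debit(self, account: str, amount: int) -> str:
        if self.balances.get(account, 0) < amount:
            raise ValueError("insufficient funds")
        self.balances[account] -= amount
        txn_id = f"txn-{len(self.history) + 1:04d}"  # constructed id format
        self.history.append((txn_id, account, amount))
        return txn_id


class IdempotencyStore:
    """(actor, Idempotency-Key) -> (payload fingerprint, first response).

    Keys are scoped to the actor so one caller cannot replay another's key.
    """
    def __init__(self):
        self.rows = {}
        self.lock = threading.Lock()

    @staticmethod
    def fingerprint(payload: dict) -> str:
        # Canonical JSON so key order in the request body does not matter.
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


def transfer(ledger, store, actor, idem_key, payload):
    """One money move. Returns (status, body) the way an HTTP handler would."""
    if not idem_key:
        return 400, {"error": "Idempotency-Key header required"}
    fp = IdempotencyStore.fingerprint(payload)
    with store.lock:  # lookup and write are one critical section
        seen = store.rows.get((actor, idem_key))
        if seen is not None:
            stored_fp, first_response = seen
            if stored_fp != fp:
                # Same key, different body: refuse rather than guess which was meant.
                return 422, {"error": "Idempotency-Key reused with a different payload"}
            return first_response  # replay: first response back, no second debit
        try:
            txn_id = ledger.debit(payload["from"], payload["amount"])
            response = (201, {"txn_id": txn_id, "amount": payload["amount"]})
        except ValueError as exc:
            response = (402, {"error": str(exc)})
        # The outcome is recorded even when it failed, so a retry of the same key
        # cannot turn a declined move into an accepted one.
        store.rows[(actor, idem_key)] = (fp, response)
        return response


def demo():
    """Constructed walk-through: one debit, one replay, one key clash."""
    ledger = Ledger(balances={"alice": 100})
    store = IdempotencyStore()
    body = {"from": "alice", "amount": 40}
    first = transfer(ledger, store, "alice", "k-1", body)
    # Same body with fields in another order: fingerprint still matches.
    replay = transfer(ledger, store, "alice", "k-1", dict(reversed(body.items())))
    clash = transfer(ledger, store, "alice", "k-1", {"from": "alice", "amount": 41})
    return {"first": first, "replay": replay, "clash": clash, "ledger": ledger}


if __name__ == "__main__":
    out = demo()
    print(out["first"], out["replay"], out["clash"][0], out["ledger"].balances)
```

The fingerprint check is the part most often left out: without it a client that reuses a key with a new amount silently gets the old response, which is a correctness bug disguised as idempotency.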

// SURFACES · what we hold the line on

Ten surfaces. No corners cut.

┌─────────────────────┬─────────────────────────────────────────────────────────────────────────┐
│ SURFACE             │ CONTRACT                                                                │
├─────────────────────┼─────────────────────────────────────────────────────────────────────────┤
│ tokenisation        │ No PAN at rest. Stripe Issuing handle stored. Card art derived.         │
│ key material        │ Provider keys live in ~/loom-secrets/*.env (0600). Never logged.        │
│                     │ Never echoed.                                                           │
│ PII in logs         │ Emails redacted at log emission (a***@example.com). Names hashed.       │
│                     │ KYC numbers never serialised.                                           │
│ upload validation   │ Magic-byte sniff before disk write.                                     │
│                     │ MIME spoof rejected at the boundary.                                    │
│ sessions            │ Magic-link via Resend · single-use · 10-min TTL                         │
│                     │ · IP-bound · rotated on use.                                            │
│ KYC / KYB           │ Sumsub on both sides of the corridor. Identity verification,            │
│                     │ document liveness, watchlist + PEP screening at onboarding              │
│                     │ and on uplift.                                                          │
│ AML monitoring      │ Chainalysis on the chain rail. Wallet risk scoring, exposure            │
│                     │ attribution, SAR-grade evidence packs for regulator hand-off.           │
│ regulator hooks     │ SAR/CTR scaffold wired. Threshold detector + manual-review queue.       │
│                     │ Export to FinCEN-compatible JSON.                                       │
│ audit log           │ Every money-affecting action emits one row. Trace-id, actor, entity,    │
│                     │ action, payload-hash, redacted-payload.                                 │
│ rate limits         │ Per-route. Per-IP. Per-actor. Token-bucket with sliding-window backoff. │
└─────────────────────┴─────────────────────────────────────────────────────────────────────────┘
each surface has at least one regression test in tests/security/ · pytest -k security · 310 passing combined

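The rate-limits row and ZT-9, as one working piece: a token bucket with a budget per route, spent separately per IP and per actor, answering 429 with Retry-After when the bucket is empty. Added illustration, not remiton's middleware. The route budgets, IP and actor ids are constructed, the limiter is assumed to run at the edge where route, client IP and actor are already resolved, and only the token bucket is shown, not the sliding-window backoff the table also names.

```python
"""Per-route token-bucket rate limiter with 429 + Retry-After.

Added illustration, not remiton's middleware. Route budgets, IPs and actor ids
below are constructed; the limiter is assumed to sit at the edge where the
route name, client IP and authenticated actor are already known.
"""
import math
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Budget:
    capacity: int          # burst size; every bucket starts full
    refill_per_sec: float  # sustained rate


# Constructed budgets: money moves get a tight bucket, quotes a loose one.
ROUTE_BUDGETS = {
    "POST /v1/transfers": Budget(capacity=5, refill_per_sec=0.5),
    "GET /v1/quotes": Budget(capacity=60, refill_per_sec=10.0),
}
DEFAULT_BUDGET = Budget(capacity=20, refill_per_sec=2.0)


class TokenBucketLimiter:
    """One bucket per (route, scope, id); a request must clear every scope."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._buckets = {}  # key -> (tokens, last_seen)

    def _refilled(self, key, budget, now):
        tokens, last = self._buckets.get(key, (float(budget.capacity), now))
        return min(float(budget.capacity), tokens + (now - last) * budget.refill_per_sec)

    def check(self, route, ip, actor):
        """Return (status, headers): 200 with remaining count, or 429 with Retry-After."""
        now = self._clock()
        budget = ROUTE_BUDGETS.get(route, DEFAULT_BUDGET)
        keys = [(route, "ip", ip), (route, "actor", actor)]
        # Refill every scope first and only spend if all of them have a token,
        # so a request refused by one scope never drains a sibling scope.
        states = {k: self._refilled(k, budget, now) for k in keys}
        short = [t for t in states.values() if t < 1.0]
        if short:
            for k, t in states.items():
                self._buckets[k] = (t, now)
            wait = math.ceil((1.0 - min(short)) / budget.refill_per_sec)
            return 429, {"Retry-After": str(max(wait, 1))}
        for k, t in states.items():
            self._buckets[k] = (t - 1.0, now)
        return 200, {"X-RateLimit-Remaining": str(int(min(states.values()) - 1.0))}


def demo():
    """Constructed burst against the transfers route with a controllable clock."""
    clock = [1000.0]
    limiter = TokenBucketLimiter(clock=lambda: clock[0])
    route, ip, actor = "POST /v1/transfers", "203.0.113.7", "acct_42"
    burst = [limiter.check(route, ip, actor) for _ in range(6)]
    # A second actor behind the same IP is still held by the IP-scoped bucket.
    other_actor_same_ip = limiter.check(route, ip, "acct_99")[0]
    clock[0] += 2.0  # wait out the Retry-After
    after_wait = limiter.check(route, ip, actor)[0]
    return {
        "burst": [status for status, _ in burst],
        "retry_after": burst[-1][1].get("Retry-After"),
        "other_actor_same_ip": other_actor_same_ip,
        "after_wait": after_wait,
    }


if __name__ == "__main__":
    print(demo())
```

Retry-After is derived from the refill rate rather than hard-coded, so a client that honours it arrives exactly when a token exists; clients that ignore it keep getting 429 without consuming anything.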
// HEADERS · every response, every route

The eight headers we never forget.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload · LE-gated
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-…' · per-request nonce
Cross-Origin-Opener-Policy: same-origin · clickjacking + Spectre mitigation
Cross-Origin-Resource-Policy: same-site · cross-origin read protection
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
X-Content-Type-Options: nosniff
X-Frame-Options: DENY · legacy belt-and-braces alongside CSP frame-ancestors
// DISCLOSURE · we want the email

Found something? Tell us first.

Responsible disclosure goes to security@remiton.money. We acknowledge inside 24 hours, triage inside 72, and credit you on the audit page unless you'd rather stay anonymous. No legal threats. No bounty haggling. We pay what's fair, we say what we shipped, we move on.