๐Ÿ›ก๏ธ High-Assurance API

April 29, 2026 ยท View on GitHub

CI/CD Tests Compliance

A property-tested, compliance-grade financial API platform with 316 automated tests, 100.0% code coverage, and a perfect 100/100 Architecture Score. Designed for strict regulatory environments (Fintech, Healthcare, Banking) โ€” featuring PASETO v4.public cryptography, produces cryptographically signed, timestamped FDA-grade audit bundles and visualized via a Premium Next.js 14 Dashboard.

๐Ÿ“– For recruiters, CTOs, and VCs: See EXPLANATION.md for a full technical overview, SaaS positioning, and interview-ready architecture decisions.


The Sentinel Dashboard

The project features a Project Aegis Sentinel dashboard built with Next.js 14, Framer Motion, and TailwindCSS. It provides real-time telemetry into the 32-tier gauntlet, resource scaling trajectories (O(N) proofs), and hardening directives.

FeatureSentinel Implementation
Real-time SyncDynamic fetching from High-Assurance API backend
Scaling ProofsInteractive Area charts showing compute/memory linear scale
Audit AccessDirect integration for generating executive technical reports
Hardening DirectivesProactive system suggestions (Enclaves, Block Express, Mesh)

Architecture

graph TB
    subgraph Client Layer
        A[Client Request] --> B[Load Balancer / ProxyFix]
    end

    subgraph User Interface
        Z[Sentinel Dashboard] --> B
    end

    subgraph Application Layer
        B --> C[Flask App Factory]
        C --> D[Security Headers Middleware]
        D --> E[Correlation ID + Structured Logging]
        E --> F{Route Blueprints}

        F --> G[auth_routes.py<br>Login ยท Logout ยท PASETO]
        F --> H[transfer_routes.py<br>Transfers ยท Idempotency ยท Outbox]
        F --> I[health_routes.py<br>Health ยท Metrics ยท OpenAPI]
        F --> J[upload_routes.py<br>CSV Validation ยท Schema]
        F --> K[admin_routes.py<br>BOLA-Protected Lookups]
        F --> DA[dashboard_routes.py<br>Audit Stats ยท Complexity Matrix]
    end

    subgraph Data Layer
        G --> L[(PostgreSQL<br>Accounts ยท Idempotency ยท Outbox)]
        H --> L
        K --> L
        G --> M[(Redis<br>Rate Limiting ยท PASETO Revocation)]
        H --> M
    end

    subgraph Async Processing
        L --> N[Outbox Worker<br>Event Publishing]
        N --> O[SQS / Kafka / Email]
    end

    subgraph Observability & Ops
        E --> P[OpenTelemetry<br>Distributed Tracing]
        E --> Q[Prometheus + SLOs<br>Metrics & Error Budgets]
        E --> R[Loki + Grafana<br>SLO Dashboards]
        E --> S[Kubernetes<br>Liveness/Readiness Probes]
    end

    style C fill:#1a1a2e,stroke:#e94560,color:#fff
    style L fill:#0f3460,stroke:#e94560,color:#fff
    style M fill:#0f3460,stroke:#e94560,color:#fff
    style N fill:#16213e,stroke:#e94560,color:#fff
    style Z fill:#0d1527,stroke:#3b82f6,color:#fff

The 32-Tier Testing Strategy

Three phases guarantee correctness, security, and operational resilience:

Phase 1 โ€” Core Logic & Security (Tiers 1โ€“12)

TierCategoryWhat It Validates
1Functional / BVABoundary value analysis on all inputs
2SecurityTiming attacks, SSRF, XSS, BOLA, injection
3ResilienceIdempotency keys, replay protection
4ComplianceSOC 2, PCI DSS, FDA 21 CFR audit trails
5ContractOpenAPI schema conformance (Schemathesis)
6DatabaseACID rollbacks, state isolation
7CSV SecurityPandera schema + injection sanitization
8AuthorizationBOLA containment, MCP boundaries
9Secrets MgmtAWS Secrets Manager (moto)
10Vault IntegrationHashiCorp Vault key rotation mocking
11BOLA ExtendedCross-tenant database isolation
12PASETO IntegrityEd25519 signature verification

Phase 2 โ€” Integration & Performance (Tiers 13โ€“24)

TierCategoryWhat It Validates
13Outbox PatternTransactional event publishing
14IntegrationCORS, contracts, network seams
15ObservabilityCorrelation ID, structured logging
16Rate LimitingIP + user brute-force lockout
17Infra DriftAWS config via moto mocks
18PerformanceBenchmark regression gates
19ConcurrencyDouble-spend prevention
20Dashboard APITelemetry endpoint response data
21Complexity ProofO(N) linear compute verification
22Tracing PropOTEL context propagation checks
23SLO BudgetingError budget exhaustion alerts
24Report DeliveryDynamic SonarQube Compliance Report

Phase 3 โ€” Operational Safeguards (Tiers 25โ€“32)

TierCategoryWhat It Validates
25DB GuardsDestructive operation protection
26Two-Person RuleCODEOWNERS enforcement
27DASTOWASP ZAP (117 rules scanned)
28RollbacksBlue/Green canary simulation
29Disaster RecoveryBackup integrity, RTO/RPO
30Policy-as-CodeOPA/Rego policy enforcement
31InfrastructureCheckov 100% score (13 alerts resolved)
32Quality GatesComplexity Gate (Threshold 15) + Trivy + Mutmut

Project Structure

high-assurance-api/
โ”œโ”€โ”€ src/                          # Application source (100.0% coverage)
โ”‚   โ”œโ”€โ”€ main.py                   # App factory + Blueprint registration
โ”‚   โ”œโ”€โ”€ auth.py                   # PASETO v4, password hashing, user store
โ”‚   โ”œโ”€โ”€ config.py                 # Centralized configuration constants
โ”‚   โ”œโ”€โ”€ database.py               # SQLAlchemy engine + session factory
โ”‚   โ”œโ”€โ”€ models.py                 # Account, IdempotencyKey, OutboxEvent (Numeric balance)
โ”‚   โ”œโ”€โ”€ security.py               # HTTP security headers (OWASP)
โ”‚   โ”œโ”€โ”€ telemetry.py              # OpenTelemetry distributed tracing
โ”‚   โ”œโ”€โ”€ csv_validator.py          # Pandera CSV validation + injection defense
โ”‚   โ”œโ”€โ”€ egress_client.py          # SSRF-safe HTTP client
โ”‚   โ”œโ”€โ”€ report_generator.py       # Dynamic executive technical reporting
โ”‚   โ”œโ”€โ”€ worker.py                 # Transactional Outbox processor
โ”‚   โ”œโ”€โ”€ logger.py                 # Structured JSON logging (structlog)
โ”‚   โ””โ”€โ”€ routes/                   # Flask Blueprints
โ”œโ”€โ”€ apps/
โ”‚   โ””โ”€โ”€ compliance-dashboard/     # Next.js 14 Sentinel Dashboard
โ”œโ”€โ”€ tests/                        # 316 tests across 32 tiers
โ”œโ”€โ”€ policies/                     # OPA Rego policy files
โ”œโ”€โ”€ .github/                      # CI/CD (Master Pipeline)
โ”œโ”€โ”€ docs/                         # Operational docs, SRE runbooks
โ”œโ”€โ”€ openapi.yaml                  # OpenAPI 3.0 specification
โ”œโ”€โ”€ PIPELINE.md                   # ๐ŸŒ Visual CI/CD Architecture & Gauntlet Logic
โ”œโ”€โ”€ docker-compose.yml            # Full stack (API + DB + Redis + Grafana)
โ”œโ”€โ”€ k8s/                          # Kubernetes Deployment & Probes
โ”œโ”€โ”€ Dockerfile                    # Production container (non-root, slim)
โ”œโ”€โ”€ EXPLANATION.md                # For recruiters, CTOs, VCs
โ””โ”€โ”€ hsa                           # CLI tool for running validation tiers

Quick Start

# Clone and setup
git clone https://github.com/GauravSahu2/high-assurance-api.git
cd high-assurance-api
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt

# Run Inner Loop (Logic + Security + Performance) โ€” ~30 seconds
hsa -i

# Run Full 32-Tier Gauntlet โ€” ~3 minutes
hsa -a

# Deploy locally with full stack
docker compose up -d
curl http://localhost:5000/health

The hsa CLI

hsa -i          # Inner Loop: 316 tests + 100% coverage + fuzzing + benchmarks
hsa -a          # Full Gauntlet: Static scans + DAST + ZAP + performance + Sonar
hsa scan .      # Polyglot SAST/SCA/Secrets on any folder

CI/CD Pipeline

9 GitHub Actions workflows run on every push:

WorkflowPurpose
ci.ymlCore test suite + 100.0% coverage gate
high-assurance-pipeline.ymlFull 32-tier gauntlet
devsecops.ymlSecurity scan orchestration (Gitleaks, Trivy)
fda_pipeline.ymlFDA 21 CFR audit bundle generation
fossa_scan.ymlLicense compliance scanning
iac_scanner.ymlInfrastructure-as-Code scanning (Checkov)
leakix_scan.ymlSecret/leak detection
gitops.ymlGitOps deployment triggers
visualization.ymlTest result visualization

Security Controls

ControlImplementation
AuthenticationPASETO v4.public with Ed25519 signatures
Timing ResistanceDUMMY_HASH for non-existent users (constant-time bcrypt)
Supply Chain DefenseOX Security for Pipeline Bill of Materials (PBOM)
SSRF ProtectionEgress client blocks all private/metadata IPs
Rate LimitingIP + user-level lockout (5 attempts, 1-hour TTL)
BOLA PreventionRole-based + ownership checks on all data endpoints
CSV InjectionPrefix stripping (=, +, -, @, \t, \r) + Pandera schema
Security HeadersCSP, HSTS, X-Frame-Options, X-XSS-Protection, Referrer-Policy
CORSWhitelist-only (no wildcards)
Audit TrailAppend-only OutboxEvent with timestamps (FDA-grade)

Compliance Mapping

StandardControls Tested
SOC 2 CC7.2โ€“CC7.4Security event logging, audit trail completeness
PCI DSS 10.1โ€“10.7Card data access logging, failed login tracking
FDA 21 CFR ยง11.10Immutable timestamps, electronic signatures, audit trails
GDPR Art. 25Data minimization, consent management, right to erasure

Best Practices

  • PASETO v4.public โ€” Hard-coded algorithm rigidity (Ed25519) to prevent downgrade attacks
  • Complexity Gates (Threshold 15) โ€” Strictly enforced Cyclomatic and Cognitive complexity
  • Numeric(12,2) for monetary values โ€” prevents IEEE 754 floating-point errors
  • Ordered lock acquisition (sorted([sender, receiver])) โ€” prevents deadlocks
  • Transactional Outbox โ€” avoids dual-write problems without distributed transactions
  • Structured JSON logging with correlation IDs โ€” tracing across services
  • Supply Chain Security โ€” OX Security integrated into CI/CD for PBOM generation
  • Policy-as-Code (OPA/Rego) โ€” security invariants enforced programmatically
  • CODEOWNERS โ€” two-person rule on all critical paths

Contact & License

๐Ÿ”’ ยฉ 2026 Gaurav Sahu โ€” High-Assurance Quality Engineering

This repository is maintained strictly for portfolio demonstration and personal practice purposes.

Proprietary Work: This is not an open-source project. All rights are reserved.

Contact: linkedin.com/in/gauravsahu22 | gauravsahu2203@gmail.com