๐ก๏ธ High-Assurance API
April 29, 2026 ยท View on GitHub
A property-tested, compliance-grade financial API platform with 316 automated tests, 100.0% code coverage, and a perfect 100/100 Architecture Score. Designed for strict regulatory environments (Fintech, Healthcare, Banking) โ featuring PASETO v4.public cryptography, produces cryptographically signed, timestamped FDA-grade audit bundles and visualized via a Premium Next.js 14 Dashboard.
๐ For recruiters, CTOs, and VCs: See EXPLANATION.md for a full technical overview, SaaS positioning, and interview-ready architecture decisions.
The Sentinel Dashboard
The project features a Project Aegis Sentinel dashboard built with Next.js 14, Framer Motion, and TailwindCSS. It provides real-time telemetry into the 32-tier gauntlet, resource scaling trajectories (O(N) proofs), and hardening directives.
| Feature | Sentinel Implementation |
|---|---|
| Real-time Sync | Dynamic fetching from High-Assurance API backend |
| Scaling Proofs | Interactive Area charts showing compute/memory linear scale |
| Audit Access | Direct integration for generating executive technical reports |
| Hardening Directives | Proactive system suggestions (Enclaves, Block Express, Mesh) |
Architecture
graph TB
subgraph Client Layer
A[Client Request] --> B[Load Balancer / ProxyFix]
end
subgraph User Interface
Z[Sentinel Dashboard] --> B
end
subgraph Application Layer
B --> C[Flask App Factory]
C --> D[Security Headers Middleware]
D --> E[Correlation ID + Structured Logging]
E --> F{Route Blueprints}
F --> G[auth_routes.py<br>Login ยท Logout ยท PASETO]
F --> H[transfer_routes.py<br>Transfers ยท Idempotency ยท Outbox]
F --> I[health_routes.py<br>Health ยท Metrics ยท OpenAPI]
F --> J[upload_routes.py<br>CSV Validation ยท Schema]
F --> K[admin_routes.py<br>BOLA-Protected Lookups]
F --> DA[dashboard_routes.py<br>Audit Stats ยท Complexity Matrix]
end
subgraph Data Layer
G --> L[(PostgreSQL<br>Accounts ยท Idempotency ยท Outbox)]
H --> L
K --> L
G --> M[(Redis<br>Rate Limiting ยท PASETO Revocation)]
H --> M
end
subgraph Async Processing
L --> N[Outbox Worker<br>Event Publishing]
N --> O[SQS / Kafka / Email]
end
subgraph Observability & Ops
E --> P[OpenTelemetry<br>Distributed Tracing]
E --> Q[Prometheus + SLOs<br>Metrics & Error Budgets]
E --> R[Loki + Grafana<br>SLO Dashboards]
E --> S[Kubernetes<br>Liveness/Readiness Probes]
end
style C fill:#1a1a2e,stroke:#e94560,color:#fff
style L fill:#0f3460,stroke:#e94560,color:#fff
style M fill:#0f3460,stroke:#e94560,color:#fff
style N fill:#16213e,stroke:#e94560,color:#fff
style Z fill:#0d1527,stroke:#3b82f6,color:#fff
The 32-Tier Testing Strategy
Three phases guarantee correctness, security, and operational resilience:
Phase 1 โ Core Logic & Security (Tiers 1โ12)
| Tier | Category | What It Validates |
|---|---|---|
| 1 | Functional / BVA | Boundary value analysis on all inputs |
| 2 | Security | Timing attacks, SSRF, XSS, BOLA, injection |
| 3 | Resilience | Idempotency keys, replay protection |
| 4 | Compliance | SOC 2, PCI DSS, FDA 21 CFR audit trails |
| 5 | Contract | OpenAPI schema conformance (Schemathesis) |
| 6 | Database | ACID rollbacks, state isolation |
| 7 | CSV Security | Pandera schema + injection sanitization |
| 8 | Authorization | BOLA containment, MCP boundaries |
| 9 | Secrets Mgmt | AWS Secrets Manager (moto) |
| 10 | Vault Integration | HashiCorp Vault key rotation mocking |
| 11 | BOLA Extended | Cross-tenant database isolation |
| 12 | PASETO Integrity | Ed25519 signature verification |
Phase 2 โ Integration & Performance (Tiers 13โ24)
| Tier | Category | What It Validates |
|---|---|---|
| 13 | Outbox Pattern | Transactional event publishing |
| 14 | Integration | CORS, contracts, network seams |
| 15 | Observability | Correlation ID, structured logging |
| 16 | Rate Limiting | IP + user brute-force lockout |
| 17 | Infra Drift | AWS config via moto mocks |
| 18 | Performance | Benchmark regression gates |
| 19 | Concurrency | Double-spend prevention |
| 20 | Dashboard API | Telemetry endpoint response data |
| 21 | Complexity Proof | O(N) linear compute verification |
| 22 | Tracing Prop | OTEL context propagation checks |
| 23 | SLO Budgeting | Error budget exhaustion alerts |
| 24 | Report Delivery | Dynamic SonarQube Compliance Report |
Phase 3 โ Operational Safeguards (Tiers 25โ32)
| Tier | Category | What It Validates |
|---|---|---|
| 25 | DB Guards | Destructive operation protection |
| 26 | Two-Person Rule | CODEOWNERS enforcement |
| 27 | DAST | OWASP ZAP (117 rules scanned) |
| 28 | Rollbacks | Blue/Green canary simulation |
| 29 | Disaster Recovery | Backup integrity, RTO/RPO |
| 30 | Policy-as-Code | OPA/Rego policy enforcement |
| 31 | Infrastructure | Checkov 100% score (13 alerts resolved) |
| 32 | Quality Gates | Complexity Gate (Threshold 15) + Trivy + Mutmut |
Project Structure
high-assurance-api/
โโโ src/ # Application source (100.0% coverage)
โ โโโ main.py # App factory + Blueprint registration
โ โโโ auth.py # PASETO v4, password hashing, user store
โ โโโ config.py # Centralized configuration constants
โ โโโ database.py # SQLAlchemy engine + session factory
โ โโโ models.py # Account, IdempotencyKey, OutboxEvent (Numeric balance)
โ โโโ security.py # HTTP security headers (OWASP)
โ โโโ telemetry.py # OpenTelemetry distributed tracing
โ โโโ csv_validator.py # Pandera CSV validation + injection defense
โ โโโ egress_client.py # SSRF-safe HTTP client
โ โโโ report_generator.py # Dynamic executive technical reporting
โ โโโ worker.py # Transactional Outbox processor
โ โโโ logger.py # Structured JSON logging (structlog)
โ โโโ routes/ # Flask Blueprints
โโโ apps/
โ โโโ compliance-dashboard/ # Next.js 14 Sentinel Dashboard
โโโ tests/ # 316 tests across 32 tiers
โโโ policies/ # OPA Rego policy files
โโโ .github/ # CI/CD (Master Pipeline)
โโโ docs/ # Operational docs, SRE runbooks
โโโ openapi.yaml # OpenAPI 3.0 specification
โโโ PIPELINE.md # ๐ Visual CI/CD Architecture & Gauntlet Logic
โโโ docker-compose.yml # Full stack (API + DB + Redis + Grafana)
โโโ k8s/ # Kubernetes Deployment & Probes
โโโ Dockerfile # Production container (non-root, slim)
โโโ EXPLANATION.md # For recruiters, CTOs, VCs
โโโ hsa # CLI tool for running validation tiers
Quick Start
# Clone and setup
git clone https://github.com/GauravSahu2/high-assurance-api.git
cd high-assurance-api
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt
# Run Inner Loop (Logic + Security + Performance) โ ~30 seconds
hsa -i
# Run Full 32-Tier Gauntlet โ ~3 minutes
hsa -a
# Deploy locally with full stack
docker compose up -d
curl http://localhost:5000/health
The hsa CLI
hsa -i # Inner Loop: 316 tests + 100% coverage + fuzzing + benchmarks
hsa -a # Full Gauntlet: Static scans + DAST + ZAP + performance + Sonar
hsa scan . # Polyglot SAST/SCA/Secrets on any folder
CI/CD Pipeline
9 GitHub Actions workflows run on every push:
| Workflow | Purpose |
|---|---|
ci.yml | Core test suite + 100.0% coverage gate |
high-assurance-pipeline.yml | Full 32-tier gauntlet |
devsecops.yml | Security scan orchestration (Gitleaks, Trivy) |
fda_pipeline.yml | FDA 21 CFR audit bundle generation |
fossa_scan.yml | License compliance scanning |
iac_scanner.yml | Infrastructure-as-Code scanning (Checkov) |
leakix_scan.yml | Secret/leak detection |
gitops.yml | GitOps deployment triggers |
visualization.yml | Test result visualization |
Security Controls
| Control | Implementation |
|---|---|
| Authentication | PASETO v4.public with Ed25519 signatures |
| Timing Resistance | DUMMY_HASH for non-existent users (constant-time bcrypt) |
| Supply Chain Defense | OX Security for Pipeline Bill of Materials (PBOM) |
| SSRF Protection | Egress client blocks all private/metadata IPs |
| Rate Limiting | IP + user-level lockout (5 attempts, 1-hour TTL) |
| BOLA Prevention | Role-based + ownership checks on all data endpoints |
| CSV Injection | Prefix stripping (=, +, -, @, \t, \r) + Pandera schema |
| Security Headers | CSP, HSTS, X-Frame-Options, X-XSS-Protection, Referrer-Policy |
| CORS | Whitelist-only (no wildcards) |
| Audit Trail | Append-only OutboxEvent with timestamps (FDA-grade) |
Compliance Mapping
| Standard | Controls Tested |
|---|---|
| SOC 2 CC7.2โCC7.4 | Security event logging, audit trail completeness |
| PCI DSS 10.1โ10.7 | Card data access logging, failed login tracking |
| FDA 21 CFR ยง11.10 | Immutable timestamps, electronic signatures, audit trails |
| GDPR Art. 25 | Data minimization, consent management, right to erasure |
Best Practices
- PASETO v4.public โ Hard-coded algorithm rigidity (Ed25519) to prevent downgrade attacks
- Complexity Gates (Threshold 15) โ Strictly enforced Cyclomatic and Cognitive complexity
- Numeric(12,2) for monetary values โ prevents IEEE 754 floating-point errors
- Ordered lock acquisition (
sorted([sender, receiver])) โ prevents deadlocks - Transactional Outbox โ avoids dual-write problems without distributed transactions
- Structured JSON logging with correlation IDs โ tracing across services
- Supply Chain Security โ OX Security integrated into CI/CD for PBOM generation
- Policy-as-Code (OPA/Rego) โ security invariants enforced programmatically
- CODEOWNERS โ two-person rule on all critical paths
Contact & License
๐ ยฉ 2026 Gaurav Sahu โ High-Assurance Quality Engineering
This repository is maintained strictly for portfolio demonstration and personal practice purposes.
Proprietary Work: This is not an open-source project. All rights are reserved.
Contact: linkedin.com/in/gauravsahu22 | gauravsahu2203@gmail.com