π° EU Parliament Monitor β Financial Security Plan
π‘οΈ Cost Analysis and Security Investment Planning for European Parliament Intelligence
π° Zero Infrastructure Cost β’ π Maximum Security ROI β’ β‘ GitHub-hosted CI/CD + AWS-hosted static site
π Document Owner: CEO | π Version: 2.3 | π
Last Updated: 2026-05-30 (UTC) | π·οΈ Platform Release: v0.9.26
π Review Cycle: Annual | β° Next Review: 2027-05-30
π·οΈ Classification: Public (Open Source European Parliament Intelligence Platform)
EU Parliament Monitor (v0.9.26) achieves maximum democratic transparency value at near-zero infrastructure cost through a fully open-source architecture deployed to AWS S3 + CloudFront (per ADR-002) with GitHub-hosted CI/CD, GitHub Copilot-metered AI inference (gh aw), and security tooling. The platform produces 5,231+ HTML articles across 14 languages and 14 article types (breaking, week-ahead, week-in-review, month-ahead, month-in-review, quarter-ahead, quarter-in-review, year-ahead, year-in-review, term-outlook, election-cycle, committee-reports, motions, propositions) with roughly 5,933 automated tests on each PR. This Financial Security Plan demonstrates how strategic use of free-tier, low-cost platform services, and AI-metered workflow minutes keeps total operating cost below $30/yr while maintaining enterprise-grade security posture aligned with Hack23 AB ISMS.
Based on Hack23 AB Classification Framework:
| Security Dimension | Level | Financial Impact | Rationale |
|---|
| π Confidentiality | Public | Negligible | All data is publicly available EP open data |
| π Integrity | Moderate | Low | Incorrect content affects credibility, not finances |
| β‘ Availability | Standard | Low | Static site with CDN caching provides inherent resilience |
pie title EU Parliament Monitor Annual Cost Distribution
"AWS S3 + CloudFront Hosting (~\$5)" : 5
"GitHub Actions CI/CD" : 0
"GitHub Repository" : 0
"Security Scanning (CodeQL)" : 0
"Dependabot" : 0
"EP MCP Server (Open Source)" : 0
"Domain (euparliamentmonitor.com)" : 12
"Developer Time (Volunteer)" : 0
Textual summary (if chart does not render): Annual costs are dominated by domain registration ($12) and AWS S3+CloudFront hosting ($5). All other components (GitHub Actions, repository, CodeQL, Dependabot, EP MCP Server, volunteer labor) are $0. Total: ~$17/yr.
| π° Cost Category | π Monthly | π
Annual | π Notes |
|---|
| π AWS S3 + CloudFront Hosting | <$1 | <$5 | Low-traffic static site within AWS free tier; S3 storage + request charges negligible (~$0.02/GB, ~1 GB articles + assets = <$1/mo). CloudFront free tier: 1 TB transfer/mo. ACM certificate free. Costs scale only with significant traffic growth |
| βοΈ GitHub Actions CI/CD | $0 | $0 | GitHub-hosted ubuntu-latest runners: unlimited for public repos. Typical monthly burn: ~1,000β2,000 min across 10 agentic news workflows + 14 infra workflows |
π€ GitHub Copilot Business (AI inference via gh aw) | ~$19/user | ~$228/user | Metered Copilot minutes power the 2-pass AI-First analysis + article authorship. Engines switchable (Copilot / Claude / Codex) in workflow frontmatter. 1 seat covers maintainer today |
| π¦ GitHub Repository | $0 | $0 | Free for public open-source repositories |
| π CodeQL SAST Scanning | $0 | $0 | Free for public repos (GitHub Advanced Security) |
| π€ Dependabot Security | $0 | $0 | Free, built into GitHub |
| π‘οΈ OpenSSF Scorecard | $0 | $0 | Free service for open-source projects |
| π SonarCloud (Planned) | $0 | $0 | Planned optional integration; not yet configured in CI |
| π§ͺ Vitest + Playwright + axe-core Testing | $0 | $0 | 5,933+ automated tests across 153 files; open-source frameworks |
πͺπΊ EP MCP Server (european-parliament-mcp-server@1.3.2) | $0 | $0 | Hack23-maintained open-source data source |
π World Bank MCP (worldbank-mcp@1.0.1, optional) | $0 | $0 | Optional biannual WDI source for economic context OR-gate |
πΉ IMF REST (native IMFMCPClient) | $0 | $0 | Public SDMX 3.0 endpoint (WEO + FM forecasts +5y); no MCP server required |
| π Domain Name | ~$1 | ~$12 | Annual domain registration (euparliamentmonitor.com) |
| π¨βπ» Development Labor | Volunteer | $0 | Open-source volunteer contributions |
| π Documentation | Volunteer | $0 | Copilot-assisted + agentic workflow documentation generation |
| π¦ npm Publishing (provenance + SLSA 3) | $0 | $0 | Free on npmjs.com with GitHub OIDC-signed attestations |
| | | |
| π Total Annual Cost (infra-only) | ~$1.50/mo | ~$17/yr | AWS hosting (β€ $5) + Domain (~$12) |
| π Total Annual Cost (with 1 Copilot seat) | ~$20/mo | ~$245/yr | Infra + Copilot Business seat ($228/yr) |
xychart-beta
title "Annual Infrastructure Cost Comparison (USD)"
x-axis ["EP Monitor (S3+CloudFront)", "Typical SaaS (AWS)", "Enterprise CMS", "Custom Cloud Platform"]
y-axis "Annual Cost (USD)" 0 --> 50000
bar [17, 5000, 25000, 50000]
Textual summary (if chart does not render): Annual infrastructure costs β EP Monitor (S3+CloudFront): ~$17 | Typical SaaS (AWS): ~$5,000 | Enterprise CMS: ~$25,000 | Custom Cloud Platform: ~$50,000+
| Architecture Option | Annual Cost | Maintenance Burden | Security Overhead |
|---|
| EU Parliament Monitor (S3+CloudFront) | ~$17 | Minimal (automated) | Low (platform-managed) |
| Typical SaaS on AWS | ~$5,000 | Medium (EC2, RDS, CloudFront) | Medium (IAM, SGs, WAF) |
| Enterprise CMS | ~$25,000 | High (server management) | High (patching, configs) |
| Custom Cloud Platform | ~$50,000+ | Very High (full ops team) | Very High (full stack) |
Key Insight: The static site architecture delivers >99% cost savings compared to equivalent dynamic platforms, while maintaining comparable security posture through GitHub's enterprise-grade infrastructure.
| π‘οΈ Security Control | π° Cost | π Value | π― ROI |
|---|
| GitHub Advanced Security (CodeQL) | $0 (free for public repos) | SAST scanning, vulnerability detection | β (zero cost, high value) |
| Dependabot | $0 (built-in) | Automated dependency updates, security alerts | β |
| OpenSSF Scorecard | $0 (free service) | Supply chain security assessment | β |
| SonarCloud (Planned) | $0 (free for OSS) | Code quality, security hotspots (not yet configured in CI) | Planned |
| GitHub Branch Protection | $0 (built-in) | PR reviews, status checks | β |
| GitHub Secret Scanning | $0 (free for public repos) | Leaked credential detection | β |
| Playwright a11y Testing | $0 (open-source) | WCAG 2.1 AA compliance verification | β |
| SLSA Level 3 Attestation | $0 (GitHub Actions) | Supply chain provenance | β |
| ESLint Security Plugin | $0 (open-source) | Code-level security linting | β |
| SHA-Pinned Actions | $0 (best practice) | Supply chain attack prevention | β |
quadrantChart
title Security Control Investment vs. Impact
x-axis Low Cost --> High Cost
y-axis Low Security Impact --> High Security Impact
quadrant-1 High Value
quadrant-2 Premium
quadrant-3 Nice to Have
quadrant-4 Evaluate
"CodeQL SAST": [0.05, 0.9]
"Dependabot": [0.05, 0.85]
"Branch Protection": [0.05, 0.8]
"Secret Scanning": [0.05, 0.75]
"OpenSSF Scorecard": [0.05, 0.7]
"SLSA Attestation": [0.1, 0.8]
"SonarCloud (Planned)": [0.05, 0.65]
"ESLint Security": [0.05, 0.6]
"Playwright A11y": [0.1, 0.5]
"SHA-Pinned Actions": [0.05, 0.7]
Textual summary (if chart does not render): All security controls are zero-cost (or near-zero) and high impact, placing them in the "High Value" quadrant. Top-impact: CodeQL SAST, Dependabot, Branch Protection, SLSA Attestation. All others (Secret Scanning, OpenSSF Scorecard, SonarCloud [Planned], ESLint Security, Playwright A11y, SHA-Pinned Actions) also fall in the high-value zone.
Result: All security controls fall in the High Value quadrant β zero-cost tools with high security impact. This is the optimal outcome enabled by the open-source, AWS-hosted static site architecture.
| Year | Infrastructure | Security Tooling | Development | Documentation | Total |
|---|
| Year 1 (2025-2026) | ~$17 (domain + AWS S3/CloudFront) | $0 | $0 (volunteer) | $0 (Copilot-assisted) | ~$17 |
| Year 2 (2026-2027) | ~$17 (domain + AWS S3/CloudFront) | $0 | $0 (volunteer) | $0 (Copilot-assisted) | ~$17 |
| Year 3 (2027-2028) | ~$17 (domain + AWS S3/CloudFront) | $0 | $0 (volunteer) | $0 (Copilot-assisted) | ~$17 |
| 3-Year TCO | ~$51 | $0 | $0 | $0 | ~$51 |
Note: Domain costs vary by registrar and TLD ($10β$20/year typical). Domain registration is optional β the primary production site is hosted on AWS S3 + CloudFront (estimated at ~$5/year and included in the Infrastructure totals above), with a zero-cost github.io subdomain maintained as a fallback endpoint. Estimates assume current registrar pricing and may fluctuate.
| Architecture | 3-Year TCO | Annual Maintenance Hours | Security Overhead |
|---|
| EU Parliament Monitor (Static) | ~$51 | ~20h/yr (automated) | Low |
| Equivalent on AWS (EC2+RDS+CF) | ~$15,000 | ~200h/yr | High |
| Equivalent on Vercel Pro | ~$720 | ~50h/yr | Medium |
| Equivalent on Cloudflare Workers | ~$180 | ~40h/yr | Medium |
| Strategy | Implementation | Annual Savings vs. Cloud Alternative |
|---|
| Static Site Generation | Pre-render all content at build time | ~$3,000/yr (no server costs) |
| CloudFront CDN (Primary) + GitHub Pages (Fallback) | ADR-002: AWS S3 + CloudFront for production, GitHub Pages as zero-cost backup CDN | ~$1,200/yr (no managed PaaS/CDN costs) |
| GitHub Actions CI/CD | Free CI/CD for public repos | ~$600/yr (no CI/CD platform) |
| Open-Source Security | CodeQL, Dependabot, OpenSSF | ~$2,000/yr (no security platform) |
| Git-Based Backup | No separate backup infrastructure | ~$200/yr (no backup service) |
| Copilot-Assisted Docs | AI-generated documentation | ~$500/yr (no technical writer) |
| Scenario | Trigger | Estimated Annual Cost | Probability |
|---|
| Custom Domain + SSL | Brand enhancement | $12-50 | Low |
| Cloudflare CDN | AWS S3/CloudFront extended outage | $0-240 | Very Low |
| Azure CDN + Blob Storage | Migration to Azure ecosystem | $120-600 | Very Low |
| Monitoring Service | SLA requirement | $0-300 | Low |
The platform enforces cost bounds at multiple layers to prevent runaway spend from misconfigured agentic workflows, hostile MCP responses, or abusive traffic.
| Safeguard | Mechanism | Bound | Purpose |
|---|
| Workflow timeout | timeout-minutes: 120 hard cap on every agentic workflow | β€120 min/run | Prevent runaway AI reasoning loops |
| Max patch size (news) | safe-outputs.create-pull-request.max-patch-size: 1024 (KB) default | β€1 MB PR diff | Bound write bloat + review cost |
| Max patch size (translate) | safe-outputs.create-pull-request.max-patch-size: 10240 (KB) in news-translate.md | β€10 MB PR diff | 13-language fan-out requires larger envelope |
| AWF Squid firewall allowlist | Egress proxy restricts outbound HTTP to known hosts | Closed-world network | Prevents data exfil + unbounded API spend |
| Docker sandbox | Each agentic step runs in an isolated rootless container | No host escape | Contains supply-chain compromise blast radius |
| Compile-gate | .lock.yml files compiled by gh aw compile --validate with pinned GH_AW_VERSION: v0.77.3 | Reviewed lock file per workflow | Prevents frontmatter drift at runtime |
| Concurrency limits | Per-workflow concurrency groups in `.github/workflows/$ | \text{One} \text{active} \text{run} \text{per} \text{type} | \text{Blocks} \text{parallel} \text{duplicate} \text{spend} |
| \text{Safeguard} | \text{Mechanism} | \text{Alarm} \text{Threshold} | \text{Response} |
|---|
| \text{CloudWatch} \text{billing} \text{alarm} | \text{AWS} \text{account}-\text{level} \text{spend} \text{alarm} \text{on} \text{S3}+\text{CloudFront} | $10/\text{month} (2 \times \text{expected}) | \text{Email} \text{owner}, \text{investigate} \text{traffic} \text{anomaly} |
| \text{CloudFront} \text{origin} \text{shield} | \text{Reduces} \text{S3} \text{GET} \text{fan}-\text{out} | β | \text{Cost} \text{stability} \text{during} \text{traffic} \text{spike} |
| \text{AWS} \text{Shield} \text{Standard} | \text{Free} \text{DDoS} \text{mitigation} \text{at} \text{edge} | β | \text{Protects} \text{CloudFront} \text{budget} \text{against} \text{volumetric} \text{attacks} |
| \text{S3} \text{bucket} \text{versioning} + \text{lifecycle} | \text{Expire} \text{non}-\text{current} \text{versions} \text{after} 30 \text{days} | β | \text{Prevents} \text{storage} \text{cost} \text{growth} |
| \text{CloudFront} \text{cache} \text{TTL} | 1 \text{day} \text{for} \text{HTML}, 30 \text{days} \text{for} \text{static} \text{assets} | β | \text{Minimizes} \text{egress} \text{billable} \text{requests} |
| \text{Invalidation} \text{minimization} | $deploy-s3.yml` invalidates only changed paths | β | CloudFront invalidation costs are metered beyond 1,000/mo free tier |
| Safeguard | Mechanism | Response |
|---|
| Actions usage email alerts | Owner-configured email on quota usage | Email to owner when >75% of private-repo budget used (informational for public repo) |
| Dependabot cost-free by policy | Dependabot runs inside GitHub-hosted compute, not metered | Continuous |
| Copilot seat billing audit | Monthly invoice review in GitHub billing portal | Adjust seats if team grows |
| Branch protection + required review | Prevents unreviewed workflow edits that could inflate cost | Supply-chain + budget control |
| Incident | Detection | Immediate Action | Cost Cap |
|---|
| Workflow runaway (infinite loop) | GitHub Actions timeout | 120-min hard cap aborts job | β€$0 on public repo |
| DDoS against CloudFront | CloudWatch alarm + Shield metrics | Shield Standard absorbs; enable per-IP rate-limit via CloudFront function | Absorbed by Shield; egress capped by 1 TB free tier |
| Hostile MCP response (oversized) | validate-analysis-completeness.js gate + max-patch-size | PR rejected pre-commit | $0 write cost |
| Copilot quota exhaustion | Copilot billing page | Switch engine to Claude/Codex in workflow frontmatter; or human-author fallback | Degrades to manual mode, no overage |
| Unexpected AWS spend spike | Billing alarm | Investigate CloudFront logs; block abusive prefix via CloudFront function | Capped by alarm + Shield |
| π¨ Risk | π Probability | π₯ Impact | π§ Mitigation |
|---|
| AWS S3/CloudFront pricing change | Very Low | LowβMedium | Portable static files; manual GitHub Pages failover (see BCPPlan.md Β§Phase 2) or migrate to any CDN |
| GitHub Actions minute limits | Low | Low | Optimize workflows; local build fallback |
| Domain name cost increase | Very Low | Negligible | Annual registration; alternative registrars |
| EP MCP Server becomes paid | Very Low | Medium | Open-source; fork and self-host if needed |
| SonarCloud pricing change for OSS | Low | Low | Alternative: CodeQL + ESLint (both free) |
| Contributor availability decline | Medium | Low | Copilot-assisted development; minimal maintenance needs |
| Incident Type | Direct Cost | Indirect Cost | Mitigation Cost |
|---|
| Supply Chain Attack | $0 (no customer data) | Reputational | $0 (automated rollback) |
| Primary Hosting Outage (AWS S3 + CloudFront) | $0 | Content unavailability | $0 (manual GitHub Pages failover per BCPPlan.md Β§Phase 2, or local build to alternative CDN) |
| Dependency Vulnerability | $0 | Potential exploitation window | $0 (Dependabot auto-fix) |
| CI/CD Pipeline Breach | $0 | Compromised deployment | $0 (SHA-pinned actions) |
Key Insight: The static site architecture with no user data, no databases, and no backend eliminates almost all financial risk from security incidents. The maximum impact of any incident is temporary content unavailability.
All security controls are provided through free-tier services:
pie title Security Budget Allocation (All Free)
"SAST (CodeQL)" : 1
"SCA (Dependabot)" : 1
"Supply Chain (SLSA)" : 1
"Code Quality (SonarCloud β Planned)" : 1
"A11y Testing (Playwright)" : 1
"Secret Scanning" : 1
"Branch Protection" : 1
"ESLint Security" : 1
| Priority | Recommendation | Cost | Expected Benefit |
|---|
| π’ Continue | All current free-tier tools | $0 | Maintain current security posture |
| π’ Continue | Dependabot auto-merge for patches | $0 | Faster vulnerability remediation |
| π‘ Consider | GitHub Enterprise (if team grows) | $0-$252/yr | Advanced security features |
| π‘ Consider | External penetration test | $0-$500 | Independent security validation |
| π΅ Future | Bug bounty program | $0-$1,000 | Community security testing |
| Framework | Requirement | Financial Control | Status |
|---|
| ISO 27001:2022 A.5.12 | Information classification | Public data = minimal financial exposure | β
|
| ISO 27001:2022 A.5.23 | Cloud service security | AWS S3 + CloudFront = managed infrastructure (ADR-002) | β
|
| ISO 27001:2022 A.8.9 | Configuration management | All config in version control ($0 cost) | β
|
| NIST CSF PR.DS-01 | Data-at-rest protection | Static HTML, no sensitive data | β
|
| NIST CSF PR.DS-02 | Data-in-transit protection | HTTPS enforced by CloudFront + ACM certificate | β
|
| CIS Controls 1.1 | Enterprise asset inventory | GitHub repository is the inventory | β
|
| CIS Controls 16.1 | Security awareness program | Open-source transparency = public review | β
|
| NIS2 Art.21(2)(e) | Supply chain security | Dependabot + SLSA attestation (free) | β
|
| EU CRA Annex I | Security throughout lifecycle | Automated CI/CD security pipeline (free) | β
|
| GDPR Art.32 | Appropriate technical measures | No personal data processing = minimal measures needed | β
|
2025-2026 ~\$17/yr β Domain (~\$12) + AWS S3 + CloudFront hosting (~\$5), all infra security tools free
2026-2027 ~\$17 + \$228/yr β Same infra + 1 GitHub Copilot Business seat (~\$228) for `gh aw` AI inference (v0.9.x platform)
2027-2028 ~\$17 + \$228/yr β Continued operations on domain + AWS hosting baseline; Node.js 27 migration (no cost impact)
2028-2029 ~\$17-55 + seats β Potential custom domain SSL, enhanced CDN, or second Copilot seat if growth warrants
2029-2030 ~\$17-255 + seats β Evaluate enterprise features if contributor team grows
| π
Activity | π Frequency | π° Cost | π Notes |
|---|
| Domain + AWS S3/CloudFront hosting renewal | Annual | ~$17 | Primary recurring infrastructure cost (domain ~$12 + AWS hosting ~$5) |
GitHub Copilot Business seat (AI inference via gh aw) | Monthly | ~$19 | Single maintainer seat powers 10 agentic news workflows + translate fan-out |
| Agentic workflow minutes budget | Monthly | $0 (free tier) | Breaking ~30 min/run, weekly/monthly ~60β120 min/run, translate ~60β90 min/run; total ~1,000β2,000 min/month on ubuntu-latest (public-repo free tier) |
| Dependency updates | Daily (automated) | $0 | Dependabot handles automatically |
| Security patching | As needed | $0 | Automated via CI/CD pipeline |
| Documentation updates | Monthly | $0 | Copilot-assisted generation |
| Test suite maintenance | Per change | $0 | 5,933+ tests (Vitest unit/integration + Playwright+axe-core E2E) across 153 test files, maintained in CI |
| Node.js version upgrade | Annual | $0 | Developer time only (volunteer) |
| BCP/EOL plan review | Semi-annual/Annual | $0 | Internal review process |
π Document Control:
β
Approved by: James Pether SΓΆrling, CEO
π€ Distribution: Public
π·οΈ Classification:

π― Framework Compliance:
