FinancialSecurityPlan.md

May 30, 2026 Β· View on GitHub

Hack23 Logo

πŸ’° EU Parliament Monitor β€” Financial Security Plan

πŸ›‘οΈ Cost Analysis and Security Investment Planning for European Parliament Intelligence
πŸ’° Zero Infrastructure Cost β€’ πŸ”’ Maximum Security ROI β€’ ⚑ GitHub-hosted CI/CD + AWS-hosted static site

Owner Version Effective Date Review Cycle

πŸ“‹ Document Owner: CEO | πŸ“„ Version: 2.3 | πŸ“… Last Updated: 2026-05-30 (UTC) | 🏷️ Platform Release: v0.9.26
πŸ”„ Review Cycle: Annual | ⏰ Next Review: 2027-05-30
🏷️ Classification: Public (Open Source European Parliament Intelligence Platform)


πŸ“š Architecture Documentation Map

DocumentFocusDescriptionDocumentation Link
ArchitectureπŸ›οΈ ArchitectureC4 model showing current system structureView Source
Future ArchitectureπŸ›οΈ ArchitectureC4 model showing future system structureView Source
Security ArchitectureπŸ›‘οΈ SecurityCurrent security implementationView Source
Future Security ArchitectureπŸ›‘οΈ SecuritySecurity enhancement roadmapView Source
Threat Model🎯 SecuritySTRIDE threat analysisView Source
Classification🏷️ GovernanceCIA classification & BCPView Source
CRA AssessmentπŸ›‘οΈ ComplianceCyber Resilience ActView Source
Workflowsβš™οΈ DevOpsCI/CD documentationView Source
Business Continuity PlanπŸ”„ ResilienceRecovery planningView Source
Financial Security PlanπŸ’° FinancialCost & security analysisView Source
End-of-Life StrategyπŸ“¦ LifecycleTechnology EOL planningView Source

🎯 Financial Strategy Overview

EU Parliament Monitor (v0.9.26) achieves maximum democratic transparency value at near-zero infrastructure cost through a fully open-source architecture deployed to AWS S3 + CloudFront (per ADR-002) with GitHub-hosted CI/CD, GitHub Copilot-metered AI inference (gh aw), and security tooling. The platform produces 5,231+ HTML articles across 14 languages and 14 article types (breaking, week-ahead, week-in-review, month-ahead, month-in-review, quarter-ahead, quarter-in-review, year-ahead, year-in-review, term-outlook, election-cycle, committee-reports, motions, propositions) with roughly 5,933 automated tests on each PR. This Financial Security Plan demonstrates how strategic use of free-tier, low-cost platform services, and AI-metered workflow minutes keeps total operating cost below $30/yr while maintaining enterprise-grade security posture aligned with Hack23 AB ISMS.

🏷️ Business Impact Classification

Based on Hack23 AB Classification Framework:

Security DimensionLevelFinancial ImpactRationale
πŸ” ConfidentialityPublicNegligibleAll data is publicly available EP open data
πŸ”’ IntegrityModerateLowIncorrect content affects credibility, not finances
⚑ AvailabilityStandardLowStatic site with CDN caching provides inherent resilience

πŸ’° Cost Structure Analysis

πŸ“Š Annual Cost Summary

pie title EU Parliament Monitor Annual Cost Distribution
    "AWS S3 + CloudFront Hosting (~\$5)" : 5
    "GitHub Actions CI/CD" : 0
    "GitHub Repository" : 0
    "Security Scanning (CodeQL)" : 0
    "Dependabot" : 0
    "EP MCP Server (Open Source)" : 0
    "Domain (euparliamentmonitor.com)" : 12
    "Developer Time (Volunteer)" : 0

Textual summary (if chart does not render): Annual costs are dominated by domain registration ($12) and AWS S3+CloudFront hosting ($5). All other components (GitHub Actions, repository, CodeQL, Dependabot, EP MCP Server, volunteer labor) are $0. Total: ~$17/yr.

πŸ“‹ Detailed Cost Breakdown

πŸ’° Cost CategoryπŸ“Š MonthlyπŸ“… AnnualπŸ“‹ Notes
🌐 AWS S3 + CloudFront Hosting<$1<$5Low-traffic static site within AWS free tier; S3 storage + request charges negligible (~$0.02/GB, ~1 GB articles + assets = <$1/mo). CloudFront free tier: 1 TB transfer/mo. ACM certificate free. Costs scale only with significant traffic growth
βš™οΈ GitHub Actions CI/CD$0$0GitHub-hosted ubuntu-latest runners: unlimited for public repos. Typical monthly burn: ~1,000–2,000 min across 10 agentic news workflows + 14 infra workflows
πŸ€– GitHub Copilot Business (AI inference via gh aw)~$19/user~$228/userMetered Copilot minutes power the 2-pass AI-First analysis + article authorship. Engines switchable (Copilot / Claude / Codex) in workflow frontmatter. 1 seat covers maintainer today
πŸ“¦ GitHub Repository$0$0Free for public open-source repositories
πŸ”’ CodeQL SAST Scanning$0$0Free for public repos (GitHub Advanced Security)
πŸ€– Dependabot Security$0$0Free, built into GitHub
πŸ›‘οΈ OpenSSF Scorecard$0$0Free service for open-source projects
πŸ“Š SonarCloud (Planned)$0$0Planned optional integration; not yet configured in CI
πŸ§ͺ Vitest + Playwright + axe-core Testing$0$05,933+ automated tests across 153 files; open-source frameworks
πŸ‡ͺπŸ‡Ί EP MCP Server (european-parliament-mcp-server@1.3.2)$0$0Hack23-maintained open-source data source
🌍 World Bank MCP (worldbank-mcp@1.0.1, optional)$0$0Optional biannual WDI source for economic context OR-gate
πŸ’Ή IMF REST (native IMFMCPClient)$0$0Public SDMX 3.0 endpoint (WEO + FM forecasts +5y); no MCP server required
🌐 Domain Name~$1~$12Annual domain registration (euparliamentmonitor.com)
πŸ‘¨β€πŸ’» Development LaborVolunteer$0Open-source volunteer contributions
πŸ“š DocumentationVolunteer$0Copilot-assisted + agentic workflow documentation generation
πŸ“¦ npm Publishing (provenance + SLSA 3)$0$0Free on npmjs.com with GitHub OIDC-signed attestations
πŸ“Š Total Annual Cost (infra-only)~$1.50/mo~$17/yrAWS hosting (≀ $5) + Domain (~$12)
πŸ“Š Total Annual Cost (with 1 Copilot seat)~$20/mo~$245/yrInfra + Copilot Business seat ($228/yr)

πŸ’΅ Cost Comparison: Static Site vs. Dynamic Architecture

xychart-beta
    title "Annual Infrastructure Cost Comparison (USD)"
    x-axis ["EP Monitor (S3+CloudFront)", "Typical SaaS (AWS)", "Enterprise CMS", "Custom Cloud Platform"]
    y-axis "Annual Cost (USD)" 0 --> 50000
    bar [17, 5000, 25000, 50000]

Textual summary (if chart does not render): Annual infrastructure costs β€” EP Monitor (S3+CloudFront): ~$17 | Typical SaaS (AWS): ~$5,000 | Enterprise CMS: ~$25,000 | Custom Cloud Platform: ~$50,000+

Architecture OptionAnnual CostMaintenance BurdenSecurity Overhead
EU Parliament Monitor (S3+CloudFront)~$17Minimal (automated)Low (platform-managed)
Typical SaaS on AWS~$5,000Medium (EC2, RDS, CloudFront)Medium (IAM, SGs, WAF)
Enterprise CMS~$25,000High (server management)High (patching, configs)
Custom Cloud Platform~$50,000+Very High (full ops team)Very High (full stack)

Key Insight: The static site architecture delivers >99% cost savings compared to equivalent dynamic platforms, while maintaining comparable security posture through GitHub's enterprise-grade infrastructure.


πŸ›‘οΈ Security Investment Analysis

πŸ“Š Security Controls β€” Cost vs. Value

πŸ›‘οΈ Security ControlπŸ’° CostπŸ“Š Value🎯 ROI
GitHub Advanced Security (CodeQL)$0 (free for public repos)SAST scanning, vulnerability detection∞ (zero cost, high value)
Dependabot$0 (built-in)Automated dependency updates, security alerts∞
OpenSSF Scorecard$0 (free service)Supply chain security assessment∞
SonarCloud (Planned)$0 (free for OSS)Code quality, security hotspots (not yet configured in CI)Planned
GitHub Branch Protection$0 (built-in)PR reviews, status checks∞
GitHub Secret Scanning$0 (free for public repos)Leaked credential detection∞
Playwright a11y Testing$0 (open-source)WCAG 2.1 AA compliance verification∞
SLSA Level 3 Attestation$0 (GitHub Actions)Supply chain provenance∞
ESLint Security Plugin$0 (open-source)Code-level security linting∞
SHA-Pinned Actions$0 (best practice)Supply chain attack prevention∞

πŸ“Š Security Investment ROI Summary

quadrantChart
    title Security Control Investment vs. Impact
    x-axis Low Cost --> High Cost
    y-axis Low Security Impact --> High Security Impact
    quadrant-1 High Value
    quadrant-2 Premium
    quadrant-3 Nice to Have
    quadrant-4 Evaluate
    "CodeQL SAST": [0.05, 0.9]
    "Dependabot": [0.05, 0.85]
    "Branch Protection": [0.05, 0.8]
    "Secret Scanning": [0.05, 0.75]
    "OpenSSF Scorecard": [0.05, 0.7]
    "SLSA Attestation": [0.1, 0.8]
    "SonarCloud (Planned)": [0.05, 0.65]
    "ESLint Security": [0.05, 0.6]
    "Playwright A11y": [0.1, 0.5]
    "SHA-Pinned Actions": [0.05, 0.7]

Textual summary (if chart does not render): All security controls are zero-cost (or near-zero) and high impact, placing them in the "High Value" quadrant. Top-impact: CodeQL SAST, Dependabot, Branch Protection, SLSA Attestation. All others (Secret Scanning, OpenSSF Scorecard, SonarCloud [Planned], ESLint Security, Playwright A11y, SHA-Pinned Actions) also fall in the high-value zone.

Result: All security controls fall in the High Value quadrant β€” zero-cost tools with high security impact. This is the optimal outcome enabled by the open-source, AWS-hosted static site architecture.


πŸ“Š Total Cost of Ownership (TCO)

3-Year TCO Projection

YearInfrastructureSecurity ToolingDevelopmentDocumentationTotal
Year 1 (2025-2026)~$17 (domain + AWS S3/CloudFront)$0$0 (volunteer)$0 (Copilot-assisted)~$17
Year 2 (2026-2027)~$17 (domain + AWS S3/CloudFront)$0$0 (volunteer)$0 (Copilot-assisted)~$17
Year 3 (2027-2028)~$17 (domain + AWS S3/CloudFront)$0$0 (volunteer)$0 (Copilot-assisted)~$17
3-Year TCO~$51$0$0$0~$51

Note: Domain costs vary by registrar and TLD ($10–$20/year typical). Domain registration is optional β€” the primary production site is hosted on AWS S3 + CloudFront (estimated at ~$5/year and included in the Infrastructure totals above), with a zero-cost github.io subdomain maintained as a fallback endpoint. Estimates assume current registrar pricing and may fluctuate.

πŸ“ˆ TCO Comparison with Alternative Architectures

Architecture3-Year TCOAnnual Maintenance HoursSecurity Overhead
EU Parliament Monitor (Static)~$51~20h/yr (automated)Low
Equivalent on AWS (EC2+RDS+CF)~$15,000~200h/yrHigh
Equivalent on Vercel Pro~$720~50h/yrMedium
Equivalent on Cloudflare Workers~$180~40h/yrMedium

πŸ”„ Cost Optimization Strategy

Current Cost Optimization Measures

StrategyImplementationAnnual Savings vs. Cloud Alternative
Static Site GenerationPre-render all content at build time~$3,000/yr (no server costs)
CloudFront CDN (Primary) + GitHub Pages (Fallback)ADR-002: AWS S3 + CloudFront for production, GitHub Pages as zero-cost backup CDN~$1,200/yr (no managed PaaS/CDN costs)
GitHub Actions CI/CDFree CI/CD for public repos~$600/yr (no CI/CD platform)
Open-Source SecurityCodeQL, Dependabot, OpenSSF~$2,000/yr (no security platform)
Git-Based BackupNo separate backup infrastructure~$200/yr (no backup service)
Copilot-Assisted DocsAI-generated documentation~$500/yr (no technical writer)

Potential Future Costs (If Migration Required)

ScenarioTriggerEstimated Annual CostProbability
Custom Domain + SSLBrand enhancement$12-50Low
Cloudflare CDNAWS S3/CloudFront extended outage$0-240Very Low
Azure CDN + Blob StorageMigration to Azure ecosystem$120-600Very Low
Monitoring ServiceSLA requirement$0-300Low

πŸ›‘οΈ Quota Safeguards & Budget Alarms

The platform enforces cost bounds at multiple layers to prevent runaway spend from misconfigured agentic workflows, hostile MCP responses, or abusive traffic.

Workflow-Level Safeguards (gh-aw runtime)

SafeguardMechanismBoundPurpose
Workflow timeouttimeout-minutes: 120 hard cap on every agentic workflow≀120 min/runPrevent runaway AI reasoning loops
Max patch size (news)safe-outputs.create-pull-request.max-patch-size: 1024 (KB) default≀1 MB PR diffBound write bloat + review cost
Max patch size (translate)safe-outputs.create-pull-request.max-patch-size: 10240 (KB) in news-translate.md≀10 MB PR diff13-language fan-out requires larger envelope
AWF Squid firewall allowlistEgress proxy restricts outbound HTTP to known hostsClosed-world networkPrevents data exfil + unbounded API spend
Docker sandboxEach agentic step runs in an isolated rootless containerNo host escapeContains supply-chain compromise blast radius
Compile-gate.lock.yml files compiled by gh aw compile --validate with pinned GH_AW_VERSION: v0.77.3Reviewed lock file per workflowPrevents frontmatter drift at runtime
Concurrency limitsPer-workflow concurrency groups in `.github/workflows/$\text{One} \text{active} \text{run} \text{per} \text{type}\text{Blocks} \text{parallel} \text{duplicate} \text{spend}

\text{Infrastructure}-\text{Level} \text{Safeguards} (\text{AWS})

\text{Safeguard}\text{Mechanism}\text{Alarm} \text{Threshold}\text{Response}
\text{CloudWatch} \text{billing} \text{alarm}\text{AWS} \text{account}-\text{level} \text{spend} \text{alarm} \text{on} \text{S3}+\text{CloudFront}$10/\text{month} (2 \times \text{expected})\text{Email} \text{owner}, \text{investigate} \text{traffic} \text{anomaly}
\text{CloudFront} \text{origin} \text{shield}\text{Reduces} \text{S3} \text{GET} \text{fan}-\text{out}β€”\text{Cost} \text{stability} \text{during} \text{traffic} \text{spike}
\text{AWS} \text{Shield} \text{Standard}\text{Free} \text{DDoS} \text{mitigation} \text{at} \text{edge}β€”\text{Protects} \text{CloudFront} \text{budget} \text{against} \text{volumetric} \text{attacks}
\text{S3} \text{bucket} \text{versioning} + \text{lifecycle}\text{Expire} \text{non}-\text{current} \text{versions} \text{after} 30 \text{days}β€”\text{Prevents} \text{storage} \text{cost} \text{growth}
\text{CloudFront} \text{cache} \text{TTL}1 \text{day} \text{for} \text{HTML}, 30 \text{days} \text{for} \text{static} \text{assets}β€”\text{Minimizes} \text{egress} \text{billable} \text{requests}
\text{Invalidation} \text{minimization}$deploy-s3.yml` invalidates only changed pathsβ€”CloudFront invalidation costs are metered beyond 1,000/mo free tier

GitHub-Level Safeguards

SafeguardMechanismResponse
Actions usage email alertsOwner-configured email on quota usageEmail to owner when >75% of private-repo budget used (informational for public repo)
Dependabot cost-free by policyDependabot runs inside GitHub-hosted compute, not meteredContinuous
Copilot seat billing auditMonthly invoice review in GitHub billing portalAdjust seats if team grows
Branch protection + required reviewPrevents unreviewed workflow edits that could inflate costSupply-chain + budget control

Financial Incident Playbook

IncidentDetectionImmediate ActionCost Cap
Workflow runaway (infinite loop)GitHub Actions timeout120-min hard cap aborts job≀$0 on public repo
DDoS against CloudFrontCloudWatch alarm + Shield metricsShield Standard absorbs; enable per-IP rate-limit via CloudFront functionAbsorbed by Shield; egress capped by 1 TB free tier
Hostile MCP response (oversized)validate-analysis-completeness.js gate + max-patch-sizePR rejected pre-commit$0 write cost
Copilot quota exhaustionCopilot billing pageSwitch engine to Claude/Codex in workflow frontmatter; or human-author fallbackDegrades to manual mode, no overage
Unexpected AWS spend spikeBilling alarmInvestigate CloudFront logs; block abusive prefix via CloudFront functionCapped by alarm + Shield

πŸ›‘οΈ Financial Risk Management

Financial Risks

🚨 RiskπŸ“Š ProbabilityπŸ’₯ ImpactπŸ”§ Mitigation
AWS S3/CloudFront pricing changeVery LowLow–MediumPortable static files; manual GitHub Pages failover (see BCPPlan.md Β§Phase 2) or migrate to any CDN
GitHub Actions minute limitsLowLowOptimize workflows; local build fallback
Domain name cost increaseVery LowNegligibleAnnual registration; alternative registrars
EP MCP Server becomes paidVery LowMediumOpen-source; fork and self-host if needed
SonarCloud pricing change for OSSLowLowAlternative: CodeQL + ESLint (both free)
Contributor availability declineMediumLowCopilot-assisted development; minimal maintenance needs

Financial Impact of Security Incidents

Incident TypeDirect CostIndirect CostMitigation Cost
Supply Chain Attack$0 (no customer data)Reputational$0 (automated rollback)
Primary Hosting Outage (AWS S3 + CloudFront)$0Content unavailability$0 (manual GitHub Pages failover per BCPPlan.md Β§Phase 2, or local build to alternative CDN)
Dependency Vulnerability$0Potential exploitation window$0 (Dependabot auto-fix)
CI/CD Pipeline Breach$0Compromised deployment$0 (SHA-pinned actions)

Key Insight: The static site architecture with no user data, no databases, and no backend eliminates almost all financial risk from security incidents. The maximum impact of any incident is temporary content unavailability.


πŸ“Š Security Budget Allocation

Current Security Spending: $0/year

All security controls are provided through free-tier services:

pie title Security Budget Allocation (All Free)
    "SAST (CodeQL)" : 1
    "SCA (Dependabot)" : 1
    "Supply Chain (SLSA)" : 1
    "Code Quality (SonarCloud β€” Planned)" : 1
    "A11y Testing (Playwright)" : 1
    "Secret Scanning" : 1
    "Branch Protection" : 1
    "ESLint Security" : 1

Security Investment Recommendations

PriorityRecommendationCostExpected Benefit
🟒 ContinueAll current free-tier tools$0Maintain current security posture
🟒 ContinueDependabot auto-merge for patches$0Faster vulnerability remediation
🟑 ConsiderGitHub Enterprise (if team grows)$0-$252/yrAdvanced security features
🟑 ConsiderExternal penetration test$0-$500Independent security validation
πŸ”΅ FutureBug bounty program$0-$1,000Community security testing

πŸŽ–οΈ Framework Compliance β€” Financial Controls

FrameworkRequirementFinancial ControlStatus
ISO 27001:2022 A.5.12Information classificationPublic data = minimal financial exposureβœ…
ISO 27001:2022 A.5.23Cloud service securityAWS S3 + CloudFront = managed infrastructure (ADR-002)βœ…
ISO 27001:2022 A.8.9Configuration managementAll config in version control ($0 cost)βœ…
NIST CSF PR.DS-01Data-at-rest protectionStatic HTML, no sensitive dataβœ…
NIST CSF PR.DS-02Data-in-transit protectionHTTPS enforced by CloudFront + ACM certificateβœ…
CIS Controls 1.1Enterprise asset inventoryGitHub repository is the inventoryβœ…
CIS Controls 16.1Security awareness programOpen-source transparency = public reviewβœ…
NIS2 Art.21(2)(e)Supply chain securityDependabot + SLSA attestation (free)βœ…
EU CRA Annex ISecurity throughout lifecycleAutomated CI/CD security pipeline (free)βœ…
GDPR Art.32Appropriate technical measuresNo personal data processing = minimal measures neededβœ…

πŸ“… Financial Planning Timeline

2025-2026    ~\$17/yr           β€” Domain (~\$12) + AWS S3 + CloudFront hosting (~\$5), all infra security tools free
2026-2027    ~\$17 + \$228/yr    β€” Same infra + 1 GitHub Copilot Business seat (~\$228) for `gh aw` AI inference (v0.9.x platform)
2027-2028    ~\$17 + \$228/yr    β€” Continued operations on domain + AWS hosting baseline; Node.js 27 migration (no cost impact)
2028-2029    ~\$17-55 + seats   β€” Potential custom domain SSL, enhanced CDN, or second Copilot seat if growth warrants
2029-2030    ~\$17-255 + seats  β€” Evaluate enterprise features if contributor team grows

πŸ“‹ Maintenance Cost Schedule

πŸ“… ActivityπŸ”„ FrequencyπŸ’° CostπŸ“‹ Notes
Domain + AWS S3/CloudFront hosting renewalAnnual~$17Primary recurring infrastructure cost (domain ~$12 + AWS hosting ~$5)
GitHub Copilot Business seat (AI inference via gh aw)Monthly~$19Single maintainer seat powers 10 agentic news workflows + translate fan-out
Agentic workflow minutes budgetMonthly$0 (free tier)Breaking ~30 min/run, weekly/monthly ~60–120 min/run, translate ~60–90 min/run; total ~1,000–2,000 min/month on ubuntu-latest (public-repo free tier)
Dependency updatesDaily (automated)$0Dependabot handles automatically
Security patchingAs needed$0Automated via CI/CD pipeline
Documentation updatesMonthly$0Copilot-assisted generation
Test suite maintenancePer change$05,933+ tests (Vitest unit/integration + Playwright+axe-core E2E) across 153 test files, maintained in CI
Node.js version upgradeAnnual$0Developer time only (volunteer)
BCP/EOL plan reviewSemi-annual/Annual$0Internal review process

πŸ” ISMS Policies

πŸ›οΈ Project Documentation


πŸ“‹ Document Control:
βœ… Approved by: James Pether SΓΆrling, CEO
πŸ“€ Distribution: Public
🏷️ Classification: Confidentiality: Public Integrity: Moderate Availability: Standard
🎯 Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls