Implemented controls
SHA-256 digest registration, Ed25519 signed receipts in current evidence flows, HTTP-only cookies, Helmet security headers, per-organization ownership fields, offline verifier packages, and support for hash-only custody mode.
Security architecture
DocGovernance records digests, events, signed receipts, and evidence packages. Uploaded documents, AI prompts, webhook payloads, brand assets, and custom-domain inputs are treated as untrusted data.
SHA-256 digest registration, Ed25519 signed receipts in current evidence flows, HTTP-only cookies, Helmet security headers, per-organization ownership fields, offline verifier packages, and support for hash-only custody mode.
Verification confirms bytes, digests, signatures, event continuity, and package integrity when those checks are present. It does not prove factual truth, legal admissibility, or external timestamp availability.
The repository still contains file-backed development signing providers for existing flows. Production deployments should move to a managed key provider and fail closed when insecure providers are selected.
Security reports should go to the configured security contact in security.txt. Do not include secrets, private customer records, or raw document contents in reports.