[doc] trust · sha:29b2de8e4054 · build:2026-06-20T23:34:47.545Z
Trust Center.
Every public claim resolves to a verifiable artifact. This page consolidates the attestation surfaces in one place. What is not yet provable is labeled pending — the absence is part of the record, not hidden from it.
Release manifest
Status: live
Per-release package versions, licenses, and registry SHAs are fetched from PyPI and GitHub at build time — no stale fallback. Contractor registration (CAGE / UEI, SAM active) is published as plain fact.
Machine-readable attestation
Status: live
The same data in a structured, machine-readable manifest under an immutable schema version (cds-attestation-v1).
Build provenance
Status: live
Every section and page carries the immutable deployment commit SHA and build timestamp. A production build fails closed if the commit SHA is absent — the site does not ship an unverifiable build.
Data-handling boundary
Status: live
Local-first by design: the core products run offline and user data never leaves the machine. This site makes no third-party runtime requests — no analytics, no trackers, no chat widgets, no CDNs beyond the edge.
Vulnerability disclosure
Status: live
A published security policy and disclosure contact.
Software bill of materials (SBOM)
Status: pending
Per-release CycloneDX SBOM with every dependency declared by version, license, and provenance, included in the evidence package. Planned; not yet published.
Signed provenance
Status: pending
Signed release tags and a build attestation tying source commit → build environment → artifact → deployed site into one cryptographically closed chain. In progress; not yet closed end-to-end. Python packages are currently published via Twine, not Trusted Publishing.
Independent review
Status: pending
External technical review or customer validation, distinct from self-issued QA. Not yet published — internal QA receipts are not a substitute.
/receipts carries the authoritative per-release record.