DevPilot v0.4 — Security compliance, on-prem binary, 26 products orchestrated. Join waitlist →
Home / Security

Enterprise security, built in

8 sprints, 69 tasks, 39 modules. SOC2, ISO 27001, DPDPA compliance — not bolted on, architected from day one.

SECURITY CAMPAIGN

8 sprints. 69 tasks. All done.

A systematic security campaign executed across 8 focused sprints, each targeting a distinct compliance domain.

Sprint Tasks Focus Area Status
SEC-QW-001 8/8 Quick Wins: security headers, NTP sync, structured logs, privacy controls, secret management, IR playbook DONE
SEC-AC-001 11/11 Access Control: auth middleware, JWT validation, RBAC, session management, API key rotation, password policies, audit trail DONE
SEC-AL-001 8/8 Audit Logging: audit trait, 6 per-product audit tables, retention policy, cryptographic integrity chain DONE
SEC-DP-001 8/8 Data Protection: data classification, field-level masking, retention engine, encryption at rest and in transit DONE
SEC-DPDPA-001 8/8 DPDPA Compliance: consent management, data subject rights, privacy impact assessments, breach notification DONE
SEC-IR-001 8/8 Incident Response: 6 detection rules, CERT-In reporting, severity matrix, automated containment procedures DONE
SEC-CICD-001 8/8 CI/CD Security: SAST scanning, dependency audit, container scanning, deployment gates with security checks DONE
SEC-MOD-001 10/10 Modular Catalog: 140 security controls, 43 framework mappings, 5 evidence collectors, assessment engine, 26 implementations seeded DONE
SEC-QW-001
100%
SEC-AC-001
100%
SEC-AL-001
100%
SEC-DP-001
100%
SEC-DPDPA-001
100%
SEC-IR-001
100%
SEC-CICD-001
100%
SEC-MOD-001
100%
COMPLIANCE FRAMEWORKS

Built for real audits

Not checkbox security. Every framework maps to live controls with evidence collectors and automated assessments.

SOC2 Type II

Access control with RBAC and JWT validation. Immutable audit logging with cryptographic integrity chains. Encryption at rest and in transit for all sensitive data.

Trust Services Criteria

ISO 27001

Modular control catalog with 140 security controls mapped to Annex A. 5 automated evidence collectors generate audit-ready artifacts on demand.

140 Controls Mapped

DPDPA / CERT-In

India-specific compliance: consent management with granular purpose tracking, data subject rights automation, PIA templates, and CERT-In 6-hour breach reporting.

India-First
39 MODULES

Security across every layer

Eight domains, each with purpose-built Rust modules. Not wrappers. Not configs. Real security infrastructure.

Quick Wins

  • Security headers middleware
  • NTP-synced timestamps
  • Structured audit logs
8 tasks

Access Control

  • JWT + RBAC middleware
  • Session management
  • API key rotation
11 tasks

Audit Logging

  • Auditable trait per entity
  • 6 per-product audit tables
  • Cryptographic integrity chain
8 tasks

Data Protection

  • Data classification engine
  • Field-level masking
  • Encryption at rest
8 tasks

DPDPA

  • Consent management
  • Data subject rights
  • Breach notification
8 tasks

Incident Response

  • 6 detection rules
  • CERT-In reporting
  • Severity matrix
8 tasks

CI/CD Security

  • SAST + dependency scan
  • Container scanning
  • Deploy gate checks
8 tasks

Modular Catalog

  • 140 controls cataloged
  • 43 framework mappings
  • 5 evidence collectors
10 tasks
CRASH-PROOF GATEWAY

Gateway that never panics

A single NULL column or missing aggregate must never bring down the WebSocket server. Defense in depth at every layer.

Systematic null safety

Every gateway handler follows four hard rules: safe row access with try_get(), explicit SQL casts on aggregates, Result-based error propagation, and sanitized client-facing errors.

The gateway standard (GOLDEN-030) mandates integration tests covering empty tables, NULL values, and valid data for every handler.

  • All row.get() calls replaced with safe alternatives
  • COALESCE + explicit ::int8 / ::float8 casts
  • Error messages never expose table names or SQL to clients
  • catch_unwind safety net at the dispatch level
UNSAFE — Panics on NULL 
// Crashes the entire gateway
let avg: f64 =
  row.get("avg_score");

let total =
  COUNT(*); // NUMERIC type
SAFE — Handles NULL gracefully 
// Returns 0.0 on NULL
let avg: f64 =
  row.try_get("avg_score")
    .unwrap_or_default();

COALESCE(AVG(score),0)::float8
VERIFICATION PIPELINE

Three gates, zero shortcuts

Every change passes through spec review, automated batch verification, and deployment gates before reaching production.

AVIS-004 Verification Pipeline

Spec Review

Feature specifications validated against security requirements before implementation begins. Task descriptions include threat model references.

Gate 1

AVIS-004 Batch Gate

Inter-batch verification runs cargo check, flutter analyze, and security linting after every agent wave. Build commands banned from individual tasks.

Gate 2

Deploy Gate

SAST scanning, dependency audit, container scanning, and test campaign pass/fail gate run before any deployment to sandbox or production.

Gate 3
BY THE NUMBERS

Security at scale

0
Security Modules
0
Tasks Completed
0
Controls Cataloged
0
Framework Mappings
0
Sprints (All Done)
0
DB Migrations
BUGS FOUND & FIXED

64 bugs found. 64 bugs fixed. Zero shipped to prod.

Every vulnerability discovered during the security campaign was resolved before deployment. Here are six of the most critical.

CRITICAL

XSS in admin panel

CSP headers added across all routes. Input sanitization enforced at the gateway layer with strict content-type validation.

FIXED
HIGH

API key exposed in logs

Log redaction pipeline intercepts all structured output. Secret masking with regex patterns across 26 known secret formats.

FIXED
CRITICAL

SQL injection in search

Parameterized queries enforced across all 370 gateway handlers. Zero string interpolation in SQL. Compile-time query validation via sqlx.

FIXED
HIGH

Session fixation

JWT rotation on every login event. Session invalidation on password change. Token expiry enforced with server-side validation.

FIXED
MEDIUM

Missing CORS origin check

Strict origin whitelist with per-product configuration. Preflight validation on all non-simple requests. Wildcard origins banned.

FIXED
MEDIUM

Stale admin credentials

API key rotation policy enforced at 90 days. Automated alerts 14 days before expiry. Revoked keys immediately invalidated.

FIXED
0
known vulnerabilities in production
AI SAFETY

Agentic AI with guardrails. Always.

Every AI agent runs through a multi-gate verification pipeline. Agents propose, humans approve.

Agent Dispatched
Lint Gate
BLOCK
Build Gate
BLOCK
Test Gate
BLOCK
Human Review
BLOCK
Deploy Gate
BLOCK

Context Provenance

Every agent dispatch tracked end-to-end: input hash, execution trace, output hash, verification result. 1,266 context transactions logged with cryptographic integrity.

Token Budget Limits

500-token soft limit per persistent context injection. Automatic trimming when threshold exceeded. No unbounded AI calls — every interaction budgeted and tracked.

Lint & Block

Build commands, sleep-poll loops, and oversized tasks auto-blocked before dispatch. 8 regex patterns enforce zero tolerance at the orchestrator level. Violations never reach an agent.

Human Gates

Spec review, deploy approval, and quality score above 60 required before any production change. Agents propose, humans approve. No autonomous deployment.

ROADMAP

Security is a journey, not a destination.

A continuous investment in hardening, auditing, and certifying the platform.

Q1 2026
✓ 8 security sprints completed
69 tasks, 39 modules, 7 migrations. Full security campaign across access control, audit logging, data protection, DPDPA, incident response, and CI/CD.
Q2 2026
Penetration testing
OWASP Top 10 automated scan plus manual pentest of all public-facing endpoints and WebSocket gateway.
Q2 2026
SOC 2 Type I preparation
Policy documentation, evidence collection automation, and pre-audit readiness assessment with GRC tooling.
Q3 2026
ISO 27001 certification
Formal ISMS implementation with 140 controls mapped. Stage 1 and Stage 2 audit with accredited body.
Q3 2026
Third-party security audit
Independent code audit of Rust core, gateway handlers, and cryptographic implementations by an external firm.
Q4 2026
Bug bounty program launch
Public responsible disclosure program with tiered rewards. Coordinated through security.txt and dedicated reporting channel.
DATA SECURITY

Your data. Your servers. Your rules.

No cloud lock-in. No telemetry. DevPilot runs entirely on your infrastructure.

On-Prem Binary

24MB Rust binary. No cloud dependency. No container runtime required. Runs on your infrastructure with zero external calls.

Append-Only Audit

Every state change logged permanently. Cryptographic integrity chain prevents tampering. Full history preserved — no deletions, no overwrites.

Encryption at Rest

AES-256 for sensitive fields. Argon2id for password hashing. JWT with HS256 for session tokens. Industry-standard cryptographic primitives throughout.

No telemetry. No phone-home. No data leaves your network.

Security-first by default

Every product built with DevPilot inherits enterprise-grade security infrastructure. No extra configuration. No bolt-on modules.

Get Early Access Explore Platform