INSTITUTIONAL SECURITY BRIEF

Security Brief

Comprehensive infrastructure security documentation for institutional due diligence. Auto-generated from the current system state.

Brief Contents

Authentication Architecture

JWT-based entity resolution against Supabase Auth
Body-trusted identity eliminated across all endpoints
Server-side entity lookup from institutional_entities table
+2 more in PDF

Webhook Validation Model

HMAC-SHA256 signature verification on all inbound webhooks
X-Webhook-Signature header with hex-encoded digest
X-Webhook-Timestamp header with 5-minute drift window
+3 more in PDF
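
Added example (not taken from the brief or from OPTKAS code): a receiver-side check combining the three controls listed above. The signed message layout (timestamp, a dot, then the raw body), the Unix-seconds timestamp format and the lower-cased header dict are assumptions, since the brief does not specify them.

```python
import hashlib
import hmac
import time

MAX_DRIFT_SECONDS = 5 * 60  # the 5-minute drift window named in the brief


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    # ASSUMPTION: the MAC covers "<timestamp>.<raw body>". Binding the timestamp
    # into the MAC means a captured request cannot be re-sent with a fresh
    # X-Webhook-Timestamp and still verify.
    message = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (ok, reason). `headers` is assumed to have lower-cased keys."""
    signature = headers.get("x-webhook-signature")
    timestamp = headers.get("x-webhook-timestamp")
    if not signature or not timestamp:
        return False, "missing_header"
    # ASSUMPTION: the timestamp is Unix seconds written as ASCII digits.
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False, "bad_timestamp"
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_DRIFT_SECONDS:
        return False, "stale_timestamp"
    expected = sign(secret, timestamp, body).encode("ascii")
    supplied = signature.strip().lower().encode("utf-8", "replace")
    # Constant-time comparison; verify over the raw bytes, before JSON parsing.
    if not hmac.compare_digest(expected, supplied):
        return False, "bad_signature"
    return True, "ok"


def demo():
    # Constructed sample values, not real credentials or payloads.
    secret = b"constructed-test-secret"
    body = b'{"event":"constructed.sample","id":"req_123"}'
    now = 1_775_000_000
    ts = str(now - 30)
    good = {"x-webhook-signature": sign(secret, ts, body), "x-webhook-timestamp": ts}
    replay = dict(good, **{"x-webhook-timestamp": str(now)})  # old MAC, new time
    return [verify_webhook(secret, h, body, now=now) for h in (good, replay)]


if __name__ == "__main__":
    print(demo())
```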

Database State Enforcement

Deterministic state machine enforced at PostgreSQL trigger level
Valid transitions: pending → under_internal_review → escrow_initiated → funded
Cancellation: pending or under_internal_review → cancelled (terminal)
+2 more in PDF

Referential Integrity & Capital Guards

FK constraint: allocation_requests.entity_id → institutional_entities(id) ON DELETE RESTRICT
$50M cap per allocation request (CHECK constraint)
$100K minimum per allocation (CHECK constraint)
+2 more in PDF

Audit Immutability

system_audit_logs table: INSERT/SELECT only
PostgreSQL trigger blocks UPDATE and DELETE operations
Unique idempotency_key prevents duplicate log entries
+2 more in PDF

Infrastructure & Secrets Policy

All secrets stored in environment variables (Netlify/Cloudflare)
No hardcoded tokens, keys, or credentials in source code
HSTS with preload, CSP, X-Frame-Options DENY at CDN edge
+3 more in PDF

Document Properties

Classification: Confidential — Institutional Distribution
Format: PDF (A4 Portrait)
Infrastructure Version: 1.4.0
Security Controls: 32 documented
Auto-Generated: Yes — from current system state
Last Updated: 2026-04-08

OPTKAS INSTITUTIONAL DOCUMENTATION