TC-2026-0618-A
ASSESSMENT
June 18, 2026
AI-Assisted Internal Security Review (Claude Opus 4.8) — Trust Center Surface, 1 Low + 2 Informational
AI-assisted internal security review (Claude Opus 4.8) — not a third-party penetration test. Added alongside the preserved Claude Opus 4.7 (2026-05-19) round; the prior 4.7 record is intact and append-only. This round reviewed the trust.sigmashake.com worker — admin authn, the OTP/download/NDA token flow, rate limiting, reflected-XSS escaping, the email domain gate, secret handling, and CORS/headers — and found 3 findings: 1 Low, 2 Informational; 0 Critical, 0 High, 0 Medium. The Low (TRUST-2026-06-18-01) is a crypto-hygiene observation: the HMAC key derivation truncates a long TRUST_HMAC_KEY to 32 chars and zero-pads a short one (padEnd(32,"0").slice(0,32)); not exploitable alone (sign and verify share the derivation, 32 random chars is still ≥128 bits) but it discards entropy from a long provisioned secret — routed to the operator for a fixed-32-byte SHA-256(secret) derivation, not auto-patched. The two Informational items are honesty/stale-copy items (public report badge/metadata refreshed to this round; the corrected per-row-Ed25519 statement carried forward). Reviewed clean: constant-time admin Bearer compare (fail-closed), HMAC-SHA256 type/time-bound single-use tokens, increment-before-work rate limiting, universal output escaping, deny-by-default domain gate, vault-first never-logged secret handling, and CORS wildcards only on public read-only endpoints. The sigmashake-gov governance audit log is per-row Ed25519 signed (NOT Merkle-chained); Merkle chaining is confined to the sigmashake-compliance evidence pipeline / fleet R2 archival. SOC 2 remains readiness only (observation window 2026-05-18 → 2026-11-17; no CPA firm engaged; earliest Type II report Q1 2027). No external offensive-security firm and no CPA firm has been engaged; a third-party human-led penetration test is a planned operator action, not yet scheduled.
May 19, 2026
SigmaShake Response to npm High-Privilege Token Rotation (Mini Shai-Hulud Precaution)
On May 19, 2026, npm proactively rotated granular access tokens carrying write scope that bypass 2FA on token use, as a precaution against further supply chain attacks in the pattern of the "Mini Shai-Hulud" worm. Within seven minutes of receiving npm's rotation notice, we rotated the affected npm publish credentials held in our Cloudflare Worker secret store and confirmed our publishing automation is operating on the new tokens. We are evaluating npm Trusted Publishing as a follow-on hardening to further reduce reliance on long-lived publish tokens. No customer action is required.
TC-2026-0519-B
ASSESSMENT
May 19, 2026
SOC 2 Type II Q2 Surveillance AI-Assisted Security Review — 17 Findings, Same-Day Remediation (Report v1.2.1)
Completed the Q2 surveillance round of the AI-assisted internal security review (Claude Opus 4.7) across all 27 production services, scoped against OWASP WSTG v4.2, OWASP ASVS v4.0.3 Level 3, and PTES. The round identified 1 Critical (sigmashake-vibe project/preview IDOR — SSG-2026-043), 4 High (workspace inline-editor symlink escape, fleet pg-d1 schema-name interpolation, vibe deploy per-user rate limit, vibe magic-link atomic consume — SSG-2026-044..047), 4 Medium (vibe deploy error opacity, workspace edit body-size cap, affiliates Amazon ASIN allowlist, compliance staff-auth strict typeof guard — SSG-2026-048..051), and 8 Observation/Informational items. Every Critical, High, and Medium finding was code-level remediated and deployed the same day; the four Observation-tier items (download CDN integrity sidecar, ask prompt-injection framing, vcs RPC body schema, streamcord allowed_mentions escape — SSG-2026-052..055) were closed in a follow-on v1.2.1 close-out. Defense-in-depth additions landed alongside: workspace cloud-worker CORS pinned to a sigmashake.com origin allowlist with Vary: Origin; VS Code extension sanitizes sigmashake.workspace.daemonUrl (loopback or sigmashake.com over https only). The AI-Assisted Internal Security Review Report (v1.2.1) and the SOC 2 Type II Readiness Package (v1.1.0) are downloadable under mutual NDA from the document portal above; the static self-evaluation (bun run sigmashake-compliance/scripts/self-evaluate.ts) passes 27/28 with one non-blocking orphan-policy warning. Cumulative posture: zero Critical/High/Medium/Low items outstanding; only Accepted-Risk design trade-offs and affirmative Observations remain. Next AI-assisted surveillance round targeted for Q3 2026. A third-party human-led pentest engagement has not yet been scheduled; engaging a qualified firm is a planned operator action.
May 13, 2026
GDPR & International Compliance — EU, UK, Switzerland Coverage Layer
Shipped the GDPR control family alongside SOC 2 + ISO 27001: 31 GDPR articles catalogued across Chapters II–V — 25 applicable, with documented applicability rationales for the 6 out-of-scope articles (Art. 8 / 9 / 10 / 22 / 26 / 37); 9 new evidence collectors covering DSRs, the Article 30 Record of Processing Activities, sub-processor freshness, breach-notification SLAs, privacy-notice currency, data-residency attestation, consent register, Transfer Impact Assessments, and the DPIA register; and 11 new policies (privacy policy, customer DPA template, DSR procedure, breach-notification procedure, international-transfer procedure, retention schedule, cookie policy, sub-processor management, DPIA procedure, EU representative analysis, DPO designation, and cryptography policy). Two new public endpoints went live alongside the existing verification API: POST /api/v1/dsr for data-subject-rights intake (rate-limited 5/hr/IP, opaque token in response, status lookup at GET /api/v1/dsr/:token); and GET /api/v1/sub-processors.json for the machine-readable Article 28(2) feed referenced in the customer DPA. UK GDPR + Swiss FADP coverage is inherited via the same control set with IDTA / FADP-adequacy modular addenda available on request. Catalog now covers 167 controls across 3 frameworks (43 SOC 2 + 93 ISO 27001 + 31 GDPR), 68 collectors, 28 policies. Self-evaluation: 27/28 pass with one non-blocking warning.
May 13, 2026
AI-Assisted Internal Security Review — Compliance Worker (Claude Opus 4.7)
Targeted code-level AI-assisted security review of the sigmashake-compliance worker shipped 3 defense-in-depth hardenings: (1) open-redirect in the staff /compliance/login handler — old check accepted backslash sequences some browsers normalise to //host; now rejects backslashes, length-caps the next-URL, re-parses with the URL constructor, and verifies host equality before redirecting. (2) Input shape validation on POST /api/v1/verify — now enforces lowercase-hex regex for content_hash (SHA-256, 64 chars), signature (Ed25519, 128 chars), and a strict kid charset before reaching crypto.subtle. (3) Public sub-processor feed minimisation — stripped notes_md from GET /api/v1/sub-processors.json (could leak vendor SDK versions or internal DPA refs); public feed is now id/name/url/category/data_access only. Reviewed clean: all D1 queries parameterized, staff routes gated by CIDR-allowlist → auth → same-origin → CSP+nonce, Discord webhook host-allowlist, HMAC nonce+TS replay cache, Object Lock 90d on R2.
Apr 30, 2026
Compliance Automation Worker GA & Day-0 Gate Approaching
The sigmashake-compliance Worker is now live at compliance.sigmashake.com, executing 44+ automated evidence collectors on a daily / weekly / monthly / quarterly cadence. Every output is canonicalized, hashed, and Ed25519-signed; daily content_hashes are Merkle-chained into a signed root that is cross-anchored into the public sigmashake-hub transparency log. A native Cloudflare D1 immutable backup pipeline writes hashed weekly snapshots to a dedicated R2 bucket protected by a 90-day non-bypassable Object Lock rule. Customers can verify any signed artefact against the public key at /.well-known/compliance-pubkey or via POST /api/v1/verify. The 6-month SOC 2 Type 2 observation window opens 2026-05-18 and closes 2026-11-17, with a SOC 2-aligned self-assessment publication targeted for 2026-12-31.
Apr 26, 2026
Self-Hosted Identity Provider Replaces Okta Tenant
SigmaShake's internal SSO has been cut over from a hosted Okta tenant to a self-hosted OIDC + SAML 2.0 IdP at sso.sigmashake.com. The new IdP supports OIDC authorization-code + PKCE, refresh-token rotation, RFC 7591 dynamic client registration, RFC 7662 introspection, RFC 7009 revocation, and back-channel logout. SAML 2.0 includes exclusive XML canonicalization, Single Logout, and quarterly signing-key rotation. MFA enrollment is via WebAuthn or TOTP with HIBP breach checks on password set; signing-key age is tracked by a weekly evidence collector. AI-agent self-enrollment uses the OAuth Device Code flow (RFC 8628) on the fleet side. The Okta token-endpoint fallback has been removed from the OIDC callback path.
Apr 22, 2026
SOC 2 Type 1 Self-Eval Complete — Day-0 Design Gap Closed
Every TSC control now has at least one wired-in evidence collector, every collector is bound to a cron batch, and every policy referenced by the controls catalog exists with auditor-credible content (no stub policies remain). The latest expansion added 9 collectors (training-completions, attestation-log, pen-test-report, quality-information-snapshot, internal-communication, control-matrix-snapshot, physical-access-inheritance, asset-disposal-attestation, r2-object-lock-verify), 4 new policies (code-of-conduct, external-communications, processing-integrity, system-description per AICPA TSP §300), and expanded 7 stub policies into full auditor-credible documents. A self-evaluation harness now runs at test, CLI, and runtime (bun run self-eval + GET /compliance/api/self-evaluation) and gates pre-commit. 11/11 static checks pass; 62/62 tests pass.
Apr 18, 2026
AI-Assisted Internal Security Review Published & Document Portal Overhaul
An AI-assisted internal security review report is now available to prospective enterprise customers under NDA. The review was performed by Claude Opus 4.7 (Anthropic) as a code-level security review aligned with OWASP WSTG v4.2, OWASP ASVS v4.0.3 Level 3, and PTES. This is not a third-party human penetration test; engaging a qualified firm is a planned operator action. The review identified 4 Critical and 12 High-severity findings across 12 services and the compiled CLI — every one remediated and verified closed the same day. We also replaced the broken "Request access" placeholders on this page with a real NDA + OTP flow, so every NDA-gated document — Controls Evidence, AI-Assisted Security Review, SOC 2 Readiness, and the full bundle — is downloadable after signing the mutual NDA. The Security Whitepaper is now a public download; no NDA required.
Apr 16, 2026
SIEM Log Forwarding GA & Trust Center Content Refresh
Fleet-side SIEM log forwarding is now generally available: dual-mode stream-and-archive pipeline with Splunk HEC, Cribl HTTP-in, Confluent Cloud Kafka REST, and generic HMAC-signed webhook sinks, plus an offline queue with replay-on-reconnect. Added as a shipped item on the Security Roadmap. We also completed a content-consistency pass across trust.sigmashake.com and security.sigmashake.com — unified responsible-disclosure SLAs (48h ack, 5-day triage, 30/90-day remediation) across every surface and reconciled the published rule count for the TypeScript ruleset (11 rules).
Apr 14, 2026
Compliance Certifications Status Update
Updated compliance certification statuses to reflect our current standing as of April 2026. GDPR and CCPA are now marked as Self-Assessed Compliant, backed by implemented controls: opt-in telemetry, account deletion cascade, subprocessor transparency, DPA availability, and per-org data residency. HIPAA and PCI DSS are marked Not Applicable — SigmaShake does not process PHI (we're a governance tool, not a health data processor) and all cardholder data is handled exclusively by Stripe (PCI-DSS Level 1). ISO/IEC 27001 is on the roadmap following SOC 2 Type II completion. Icons have been modernized with distinct, certification-specific designs and compliance status indicators.
Apr 12, 2026
Business Continuity & Procurement Transparency
We have added a new Business Continuity section to the Trust Center and Controls Evidence Report addressing the top procurement concerns for self-hosted or single-operator vendors: offline-first enforcement (no cloud dependency for the CLI), source availability clause on vendor wind-down, key escrow plan, and SOC 2 Type II timeline. The landing page now includes an Honest Answers section responding directly to common technical objections.
Apr 12, 2026
Enterprise Security Controls — April 2026 Update
We have shipped and documented a significant set of enterprise security controls: Ed25519 bundle signing, per-row signed governance audit log (individually signed Ed25519 per event) and fleet hash-chained event log, SAML/OIDC SSO with interactive provider selector, custom RBAC roles, org IP/CIDR allowlist, service accounts, per-org D1 data residency, tenant isolation guard (WS-21/22), P-256 license key rotation with JWKS endpoint, and a disk-backed fail-open audit queue. All 42 findings from four independent audit rounds (fleet, CLI, MCP, QA) have been closed. The Controls Evidence Report has been updated to reflect these implementations.
Apr 6, 2026
SigmaShake Response to the Axios npm Supply Chain Compromise
SigmaShake Cloud is not impacted by the recently disclosed supply chain attack against the Axios npm package (axios@1.14.1 and axios@0.30.4), in which a compromised maintainer account was used to publish backdoored versions containing a cross-platform remote access trojan (RAT). No action is required by our customers.
Sep 2, 2025
SigmaShake Response to React (CVE-2025-55182) and Next.js (CVE-2025-66478) Vulnerabilities
We have actively patched all our internal services to address the disclosed vulnerabilities in React and Next.js. No customer data was exposed.
Aug 18, 2025
SigmaShake Response to Shai-Hulud 2.0 Supply Chain Attacks
SigmaShake infrastructure and software supply chains were fully audited and verified to not be affected by the Shai-Hulud 2.0 incidents.
No bulletins match that filter.