Petanque Life API

🔒 T1. Data Isolation & Multi-Tenancy

✓ Every tenant has complete data isolation at the database query level
✓ All CRUD routes are automatically filtered per tenant
✓ Scope hierarchy: system > partner > parent_tenant > tenant
✓ No cross-tenant operations without explicit system scope
ℹ Multi-tenant: enabled
ℹ Registered capabilities: 899

🔐 T2. Encryption

✓ In transit: TLS 1.2+ on all connections
✓ Application-layer: Credentials encrypted with AES-256-GCM, tenant-specific keys via PBKDF2
✓ JWT signed with ES512 (ECDSA P-521)
✓ ETag integrity: SHA-256

🔑 T3. Authentication

✓ SMS/Email OTP
✓ TOTP / 2FA

🛡 T4. Authorization

✓ Capability-based access control — deny by default (fail-closed)
✓ 899 registered capabilities across 13 resources
✓ Role hierarchy with capability inheritance
✓ Field-level access control for sensitive data
✓ All decisions enforced server-side — frontend controls UX only

📑 T5. Audit Trail

✓ Every change logged: who, what, when, from where (IP), old/new values
✓ Full snapshot saved on deletion — data can be reconstructed
✓ Anomaly detection for M2M clients
✓ Audit log exportable via API with filtering and pagination
ℹ Retention: 90 days

👥 T6. GDPR & Privacy

✓ GDPR module: enabled
✓ Consent Management API — tracks and respects user choices
✓ Right to erasure: automatic depersonalisation
✓ Data export: users can export all their data
✓ Retention policies: automatic cleanup via batch job
✓ Legal hold support: prevents deletion during proceedings
✓ Every field tagged with GDPR classification

🌎 T7. Data Residency

✓ Regions: EU (Azure North Europe, Ireland)
ℹ Transfer policy: All data stored within EU/EES. No cross-border transfers outside EU without adequate safeguards per GDPR Chapter V.

Subprocessor	Purpose	Region
Microsoft Azure	Cloud infrastructure (Cosmos DB, Container Apps, Static Web Apps)	North Europe (Ireland)

🏗 T8. Infrastructure Security

✓ Azure Container Apps (Consumption plan)
✓ Azure Cosmos DB (MongoDB 7.0 API), Free Tier
✓ Redis (Azure Cache for Redis, planned)
✓ Azure Front Door (planned)
✓ AES-256 (Azure platform-managed keys)
✓ TLS 1.2+ enforced on all connections
✓ Microsoft Azure — North Europe region
✓ Bicep templates under infrastructure/ in monorepo

💾 T9. Backup & Disaster Recovery

✓ Continuous backup (Azure Cosmos DB)
✓ 30 days point-in-time restore
✓ Quarterly restore verification
✓ Azure Cosmos DB continuous backup with PITR

🚨 T10. Incident Response

✓ security@petanque.life
✓ Critical: 4h acknowledgement, 24h mitigation
✓ PagerDuty/Opsgenie alert routing, defined escalation path from on-call to security lead

💻 T11. Secure Development

✓ Dependency scanning: pip-audit / npm audit in CI/CD
✓ Static analysis: mypy strict mode, ruff linting
✓ Security assessment: regular internal assessments
✓ Code review: all changes via pull request
✓ No secrets in code: SecretStr in Pydantic prevents accidental exposure

✅ T12. Availability

✓ Health endpoints: /health and /ready
✓ Rate limiting: enabled — backend: In-memory (development)
✓ Graceful degradation via feature flags
✓ ETag concurrency control (optimistic locking)

📜 T13. Open Standards & Compliance

Standards Implemented

✓ RFC 6749 — OAuth 2.0 Authorization Framework
✓ RFC 7523 — JWT Profile for OAuth 2.0 Client Authentication
✓ RFC 9449 — DPoP (Demonstrating Proof of Possession)
✓ RFC 7638 — JSON Web Key Thumbprint
✓ RFC 6238 — TOTP (Time-Based One-Time Password)
✓ RFC 9116 — security.txt
✓ RFC 7232 — HTTP Conditional Requests (ETag)
✓ RFC 7807 — Problem Details for HTTP APIs
ℹ OWASP ASVS Level 2 — self-assessed, partial

Certifications

Certification	Status	Issuer	Valid Until
Azure SOC 2 Type II	Inherited from Azure platform	Microsoft Azure	Continuous
Azure ISO 27001	Inherited from Azure platform	Microsoft Azure	Continuous
GDPR Compliance	Implemented	Self-assessed	Ongoing

Penetration Testing

ℹ Provider: TBD
ℹ Last: N/A
ℹ Next: Q2 2027 (planned)
ℹ Scope: Full API surface, authentication flows, tenant isolation

📂 T14. Data Portability & No Lock-in

✓ Full data export: 13 resources available via paginated REST API
✓ Standard formats: JSON, CSV export for reports
✓ No proprietary protocols — all integrations use HTTP/REST + OAuth 2.0
✓ Open database: MongoDB — exportable via standard tools
✓ Audit log export via API
✓ SBOM available: CycloneDX format at GET /security/sbom

🔗 T15. Enterprise Integrations

✓ Webhook signature verification (HMAC-SHA256)
✓ Idempotency keys — duplicate delivery is safe
ℹ API versioning: URL-versioned (/v1/), backwards-compatible changes within major version, 12-month deprecation notice for breaking changes
ℹ M2M: not enabled

📈 T16. Live Security Metrics

899

Capabilities

13

Resources

2

Auth Providers

11/14

Features Enabled

36%

Secrets Configured

In-memory

Rate Limit Backend

Authentication Providers

SMS/Email OTP TOTP / 2FA

Security Features

Audit Log Soft Delete ETag Concurrency Multi-Tenant GDPR CAPTCHA TOTP / 2FA DPoP Rate Limiting Security Headers Webhooks M2M Authentication Cascade Operations Metrics / Prometheus

Status Page

https://status.petanque.life

🔗 Machine-Readable Endpoints

Endpoint	Description	Auth	Format
`GET /security/json`	Full security posture as structured JSON	Required	JSON
`GET /security/sbom`	Software Bill of Materials	Required	CycloneDX JSON
`GET /security/questionnaire`	Pre-filled security questionnaire	Required	JSON (CAIQ-inspired)
`GET /.well-known/security.txt`	Security contact info (RFC 9116)	Public	Plain text

1. System Diagram

Components

✓ API Layer: FastAPI + Beanie (MongoDB ODM) — all business logic, auth, and data access
✓ Frontend Apps: Nuxt 3 PWAs (admin, end-user, portal) — communicate exclusively via REST API
✓ Mobile App: Flutter (warden) — offline-capable, syncs via REST API
✓ Database: MongoDB — all access through Beanie ODM, no raw queries
✓ Batch Service: Background job processing — scheduled and triggered via API
✓ External Services: Payment, SMS/email, identity — all via authenticated APIs

Attack Surfaces

ℹ REST API endpoints — primary surface, protected by auth + capability checks + rate limiting
ℹ OAuth2 callbacks — state parameter validation + redirect URI whitelist
ℹ Webhook receivers — signature verification (HMAC-SHA256)
ℹ Frontend apps — XSS protection via Vue template escaping + CSP headers
ℹ Mobile app — secure storage, offline data encryption

Actors

ℹ End-users: app/portal, authenticated via OTP/OAuth2/BankID
ℹ Administrators: admin app, elevated capabilities required
ℹ M2M clients: OAuth 2.0 Client Credentials (RFC 7523) + optional DPoP
ℹ Developers/operations: CI/CD and monitoring only, no direct DB access

2. Attack Surfaces

Surface	Technology	Authentication	Authorization
REST API	FastAPI (Python)	JWT Bearer (ES512)	Capability-based (deny-by-default)
OAuth2 Callbacks	FastAPI	State parameter + PKCE	Redirect URI whitelist
Webhook Receiver	FastAPI	HMAC-SHA256 signature	Source IP + idempotency
Admin Panel	Nuxt 3 (Vue)	JWT Bearer	Admin capabilities required
End-User App	Nuxt 3 (Vue PWA)	JWT Bearer	Tenant-scoped capabilities
Portal	Nuxt 3 (Vue)	JWT Bearer	Tenant-scoped capabilities
Mobile (Warden)	Flutter/Dart	JWT Bearer	Capability-based + offline queue
M2M API	FastAPI	private_key_jwt + optional DPoP	Scoped capabilities + IP whitelist

✓ All API endpoints enforce authentication (deny-by-default)
✓ Admin API requires elevated capabilities and rate limiting
ℹ Mobile app follows OWASP Mobile Security guidelines

3. Access Control Quality

✓ Endpoint-level: capability-based via requires() dependency — centralised, not scattered
✓ Data-level: tenant/partner/org_node scope filtering via build_scope_filter()
✓ Server-side enforcement — frontend never makes security decisions
✓ Deny-by-default: missing capability = access denied (fail-closed)
✓ MFA for administrative actions (TOTP/2FA)
✓ 899 capabilities registered, enforced at startup
✓ Access control centralised via requires() — single enforcement point

4. Password Storage

✓ Password hashing: bcrypt via passlib (adaptive cost factor)
✓ Primary auth is passwordless (OTP) — reduces password-related risk
✓ SecretStr prevents passwords from appearing in logs or API responses
ℹ No deprecated auth mechanisms — legacy API key auth removed

5. Cryptographic & Hash Algorithms

Usage	Algorithm
JWT Signing	`ES512`
ETag Generation	`SHA-256`
OTP Verification	`SHA-256 + hmac.compare_digest`
TOTP (2FA)	`HMAC-SHA1 (RFC 6238)`
Signed URLs	`HMAC-SHA256`
Cursor Pagination	`HMAC-SHA256`
Password Hashing	`bcrypt (passlib)`
Credential Store	`AES-256-GCM + PBKDF2`
DPoP Proofs	`ES256/384/512, RS256, EdDSA`

✓ No MD5 or DES/3DES anywhere in the codebase
✓ TLS handled by reverse proxy / cloud provider — minimum TLS 1.2
✓ All key lengths meet current NIST recommendations

6. Application Misuse

✓ ORM: Beanie ODM — no raw queries, NoSQL injection protection via operator whitelist
✓ Frontend: Nuxt/Vue template escaping prevents XSS
✓ Backend validation always enforced — frontend validation is UX only
✓ Rate limiting per endpoint group
✓ Notification on email change
✓ Notification on security changes (2FA, password)
✓ Financial data: validation and business rules enforced server-side
✓ NoSQL injection: operator whitelist in query filtering

7. Software Dependencies

Direct dependencies (from pyproject.toml):

Package	Version
authlib	1.7.2
beanie	2.1.0
croniter	6.2.2
cryptography	48.0.0
fastapi	0.136.1
httpx	0.28.1
jinja2	3.1.6
motor	3.7.1
opentelemetry-api	1.41.1
opentelemetry-sdk	1.41.1
passlib	1.7.4
prometheus-client	0.25.0
pydantic-settings	2.14.0
pydantic	2.13.4
pyjwt	2.12.1
python-multipart	0.0.27
slowapi	0.1.9
structlog	25.5.0
uvicorn	0.46.0
coverage	unknown

✓ Full SBOM available at GET /security/sbom (CycloneDX format)
✓ Dependency scanning: pip-audit / npm audit in CI/CD pipeline
✓ Regular review of unused components
✓ No embedded binaries — all dependencies via package managers

8. File Upload Validation

✓ File type validation: magic bytes + content-type sniffing
✓ Filenames generated by system (content-addressed SHA-256) — no user-supplied names
✓ No execute permissions on uploaded files
✓ Path traversal protection — all paths validated and normalised
ℹ Antivirus: delegated to cloud provider file verification (when configured)

9. Secrets in Source Code

✓ No secrets in source code — all via environment variables
✓ SecretStr in Pydantic settings prevents accidental logging or serialisation
✓ Default secrets rejected in non-development environments (startup validation)
✓ No obfuscation as security measure — proper secret management instead

10. Secret Management

8 / 22 secrets configured (36%)

✓ Storage: environment variables or secrets manager
✓ Confidentiality: SecretStr prevents exposure in logs, responses, and this page
✓ Rotation: documented procedure per secret type
✓ Least privilege: unique secrets per environment, managed identities where possible
✓ Individual secret names are never exposed — only aggregate health is shown

11. Phishing Prevention

✓ Clickable links limited in automated messages
✓ Attachments displayed in-app, not sent via email
✓ Rate limiting on messaging functions
✓ Input validation on all message content
✓ Max daily SMS: 10000, Max daily email: 50000
✓ Disposable email blocking

12. Testing & Quality Assurance

✓ Security awareness: regular internal assessments
✓ Post-launch monitoring: structured logging + alerting
✓ Static analysis: mypy strict + ruff in CI
✓ Automated testing: pytest with security-focused test cases
✓ Code review required for all changes

13. Secure Deployment

✓ CI/CD pipeline with restricted access
✓ Infrastructure as Code: Terraform modules
✓ Deployment via automation — never from developer machines
✓ Container images scanned for vulnerabilities
✓ Self-managed services: kept updated and hardened

14. Infrastructure Permissions

✓ No direct database access for external systems — all access via API
✓ Least privilege: separate database users for migration vs runtime
✓ Managed identities — no passwords for cloud services
✓ IAM roles for all cloud resources
✓ No shared storage keys — RBAC for all storage access

15. Host & Network Security Basics

✓ Host security: managed by cloud provider (Azure / ISO 27001 data centres)
✓ Network segmentation: VNet/VPC with NSG/firewall rules
✓ DNS: DDoS protection via Cloudflare
✓ Infrastructure as Code: Terraform — no manual configuration
✓ No default configurations in production — validated at startup

16. Security Logging

✓ All mutations logged via audit trail
✓ Auth events: login, logout, failed attempts, 2FA changes
✓ Access control denials logged
✓ Centralised logging: structlog + cloud monitoring
✓ Retention: 90 days (configurable per category)
✓ Request metadata: ID, user, IP, method, path — full traceability
✓ Security events tracked centrally — not only locally