Reviewer Evidence
Monday Review Evidence Map
This page is the reviewer-facing summary for security, privacy, retention, and runtime proof. It shows what is already backed by published docs, code, and tests, and calls out the few submission items that still require production capture.
Scope: Security, privacy, and runtime proof
Status: Reviewer-ready with open production captures
Last updated: 2026-06-11
Open Submission Items
Production capture still needed
These items should stay visibly separate from repository-backed evidence so reviewers can see the outstanding capture work immediately.
- 5.10 Capture `monday-app-association.json` on the production API domain with a non-empty `clientID`.
- 5.16 Capture the production HTTPS response for `curl -i https://api.<prod-domain>/healthz`.
- 5.17 Attach a production `curl -i` showing security headers.
- 5.18 Preserve the production `infra/Caddyfile` capture as TLS proof.
- 5.19 Run the production domain through Palo Alto URL Filtering and attach the result.
Reviewer Summary
- Public disclosures are already published in the privacy, retention, and subprocessor docs.
- Code-backed claims cover encryption, session validation, ownership checks, validation, and route protection.
- Runtime and external scan items are intentionally listed as capture targets rather than implied as already complete.
Checklist Coverage
Claim matrix by topic
Short labels keep the matrix readable while preserving checklist item numbers.
Auth and Access Control
| Item | Evidence target | Evidence label | Status |
|---|---|---|---|
| 5.8 | ORM route checks in `backend/app/api/routes/*.py` | Code reference | Verified |
| 5.9 | Pydantic validation, UUID typing, min-length checks, and preload filter cap | Code reference | Verified |
| 5.15 | Session-token validation and decode path | Code reference | Verified |
| 5.21 | Route signatures with `Depends(get_current_user_tier)` | Code reference | Verified |
Privacy, Scope, and Retention
| Item | Evidence target | Evidence label | Status |
|---|---|---|---|
| 5.2 | `SECURITY_PLAN.md` secret-management strategy and runtime secret handling notes | Policy note | Verified |
| 5.4 / 5.13 / 5.14 | `privacy.html` data inventory, retention posture, and cookies or tracking language | Public policy | Verified |
| 5.5 | Scope justification text in the Markdown evidence pack | Source notes | Verified |
| 5.6 | `retention.html` cleanup policy, task path, and verification notes | Public policy | Verified |
| 5.20 | `subprocessors.html` inventory rows | Public disclosure | Verified |
Encryption and Data Protection
| Item | Evidence target | Evidence label | Status |
|---|---|---|---|
| 5.3 / 5.7 | Fernet encrypt or decrypt path and encrypted `monday_tokens.access_token` column | Code reference | Verified |
| 5.11 | Uninstall deletion test and lifecycle handler | Integration test | Verified |
Runtime, Domain, and External Checks
| Item | Evidence target | Evidence label | Status |
|---|---|---|---|
| 5.10 | `/monday-app-association.json` from `infra/Caddyfile` | Runtime proof | Open capture |
| 5.16 | `curl -i https://api.<prod-domain>/healthz` | Runtime proof | Open capture |
| 5.17 | Security headers in `backend/app/core/security_headers.py` and `backend/main.py` | Code + curl target | Open capture |
| 5.18 | TLS config in `infra/Caddyfile` | Code reference | Open capture |
| 5.19 | Palo Alto URL Filtering result on the production domain | External scan | Open capture |
Runtime Commands
- `make runtime-gate API_URL=https://api.<prod-domain> APP_ORIGIN=https://app.<prod-domain>`
- `curl -i https://api.<prod-domain>/healthz`
- `curl -i https://api.<prod-domain>/monday-app-association.json`
- `curl -i -X OPTIONS 'https://api-dev.overwhelmingtech.com/jobs/prefetch_capabilities'` with the documented CORS headers
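An added shell check for two of the open captures listed above, not part of the evidence pack or the project: it reads a saved `curl -i` output and verifies a non-empty `clientID` (5.10) and the presence of security headers (5.17). The required header names and the sample captures are assumptions standing in for what the pack documents.

```shell
#!/bin/sh
# Added verification helper, not part of the evidence pack or the project.
# It checks a saved `curl -i` capture for two open submission items:
#   5.10  the association JSON carries a non-empty clientID
#   5.17  the response carries the documented security headers
# ASSUMPTION: these header names stand in for whatever the evidence pack lists.
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options"

# Return 0 when every required header appears in the header block (case-insensitive).
check_security_headers() {
  # The header block ends at the first blank line of the capture (curl -i uses CRLF).
  headers=$(sed '/^[[:space:]]*$/q' "$1" | tr 'A-Z' 'a-z')
  for h in $REQUIRED_HEADERS; do
    printf '%s\n' "$headers" | grep -q "^$h:" || { echo "5.17 missing header: $h" >&2; return 1; }
  done
  return 0
}

# Return 0 when the JSON body (everything after the header block) has a non-empty clientID.
check_client_id() {
  sed '1,/^[[:space:]]*$/d' "$1" | grep -Eq '"clientID"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# Constructed sample captures standing in for real production output.
GOOD_CAPTURE=$(mktemp)
printf 'HTTP/2 200\r\ncontent-type: application/json\r\nStrict-Transport-Security: max-age=31536000\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n\r\n{"clientID": "placeholder-client-id"}\n' > "$GOOD_CAPTURE"
BAD_CAPTURE=$(mktemp)
printf 'HTTP/2 200\r\ncontent-type: application/json\r\n\r\n{"clientID": ""}\n' > "$BAD_CAPTURE"

# Run against the good sample; a real capture file would replace it.
check_security_headers "$GOOD_CAPTURE" && echo "5.17 headers: ok"
check_client_id "$GOOD_CAPTURE" && echo "5.10 clientID: ok"
```

Point both functions at the real production capture file to record the result beside the curl output in the evidence pack.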
Submission Notes
- Keep production-domain evidence separate from dev-domain validation screenshots.
- Use the Markdown evidence pack for exact anchors and caption notes, not as the primary reviewer surface.
- Contact: info@overwhelmingtech.com