Security and compliance are not add-ons — they are baked into every layer of the LEAST Software architecture. From ISO 27001 governance to GDPR data lifecycle management, every control is active by default, every configuration is audited, and every access decision is logged.
Authentication and access control
RFC 6238 TOTP in pure PHP — no third-party dependencies. QR code enrolment, 8 one-time recovery codes (SHA-256 hashed), and a mandatory step-2 verification gate on each login.
Fine-grained per-permission control (AssociationSecurity) across nine account types. Every capability — create, edit, approve, export, manage — is individually assignable per role per organisation.
CIDR-range allowlists per organisation. Logins from addresses outside the allowlist are blocked and redirected to a dedicated restricted-access page. Configurable per organisation without affecting others.
Automated account creation is blocked when the same IP submits more than 10 signup attempts in 60 minutes. Disposable email domains (30+ providers) are rejected at signup. Always active, no configuration required.
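As an added illustration of the RFC 6238 TOTP gate described above (example code, not LEAST Software's own implementation), the following verifies a one-time code with PHP built-ins only. The secret is the RFC 6238 Appendix B test value; the one-step drift window and the last-used-step replay check are assumptions about how such a step-2 gate is commonly built.

```php
<?php
// Added example (not LEAST Software's code): RFC 6238 TOTP with PHP built-ins only.
declare(strict_types=1);

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hash   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hash[19]) & 0x0F;
    $code   = ((ord($hash[$offset]) & 0x7F) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unixTime, $step), $digits);
}

// Step-2 login gate (assumed design). Accepts the current step and one step either
// side to tolerate clock drift, compares in constant time, and refuses any step at or
// before the last step this account already used, so a code seen once cannot be
// replayed inside the window. Returns the accepted step (persist it as the account's
// new $lastUsedStep) or null when the code is rejected.
function verifyTotp(string $secret, string $submitted, int $now, int $lastUsedStep, int $step = 30): ?int
{
    $current = intdiv($now, $step);
    foreach ([0, -1, 1] as $delta) {
        $candidate = $current + $delta;
        if ($candidate <= $lastUsedStep) {
            continue;
        }
        if (hash_equals(hotp($secret, $candidate), $submitted)) {
            return $candidate;
        }
    }
    return null;
}

// Constructed demo using the RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
$secret = '12345678901234567890';
assert(totp($secret, 59) === '287082');                 // RFC vector 94287082, last 6 digits
assert(totp($secret, 1111111109) === '081804');         // RFC vector 07081804
assert(verifyTotp($secret, '287082', 59, -1) === 1);    // step 1 accepted
assert(verifyTotp($secret, '287082', 59, 1) === null);  // same step again: replay refused
assert(verifyTotp($secret, '287082', 89, 0) === 1);     // accepted one step late (clock drift)
echo "TOTP checks passed\n";
```

The `assert()` calls only execute when `zend.assertions=1`, the PHP development default; in a real deployment the accepted step is written back to the account record before the session is marked as verified.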
Data protection and compliance
Audit log IP addresses anonymised after 30 days and deleted after 90 days. PII stored separately from login credentials. Open Badge recipient identities hashed with SHA-256 — email never exposed in public URLs.
Every request logged with IP, browser, device type, and event type. GeoIP enrichment and bot detection applied. Every AI field write logged with previous value, new value, model, and timestamp — enabling rollback at field level.
CSRF tokens on all forms. Parameterised SQL (prepared statements) throughout — no string-built queries. Opaque public references — no sequential ID enumeration in URLs. Session management with secure cookie handling.
PHPStan runs at level 5 in the pre-deployment gate — blocks on undefined variables and type errors before any code reaches production. Code cannot be deployed if it fails static analysis.
Security documentation available on request
Full security architecture overview, GDPR data flow diagrams, and ISO 27001 ISMS documentation available to organisations undertaking technical evaluation.
