Xpoose CyberSec — Documentation
Expose. Harden. Train. Defend.
Operator and customer documentation for the Xpoose platform. Production is live at xpoose-cybersec-web.vercel.app.
Start Here
Operations — viewed on GitHub
Bootstrap
Initial environment setup — accounts, secrets, first deploy.
ops/BOOTSTRAP.md
Infrastructure
What is deployed where — Vercel, Neon, Clerk, Stripe, observability stack.
ops/INFRASTRUCTURE.md
CI / CD Pipeline
Build, test, and deployment pipeline reference.
ops/CI-CD.md
Environment Setup
Local dev environment — env vars, dependencies, seed data.
ops/ENVIRONMENT-SETUP.md
Success Metrics
KPIs and acceptance criteria for the platform.
ops/SUCCESS-METRICS.md
Architecture — viewed on GitHub
Architecture Overview
System architecture, boundaries, and component responsibilities.
architecture/ARCHITECTURE.md
Technical Spec
Implementation blueprint — engineering-ready contracts and conventions.
technical/TECHNICAL-SPEC.md
Database Schema
Drizzle schema overview, table boundaries, and RLS posture.
database/SCHEMA.md
API Spec
Route handler contracts, error shapes, middleware composition.
api/API-SPEC.md
Architecture Decisions — viewed on GitHub
ADR-013 — Rate-Limit Fail Mode
Tier-aware fallback when Upstash is unavailable.
architecture/decisions/ADR-013-rate-limit-fail-mode.md
ADR-014 — Audit HMAC Seed Rotation
Append-only audit chain with rotating seed material.
architecture/decisions/ADR-014-audit-hmac-seed-rotation.md
ADR-015 — Device CA Custody
step-ca custody, mTLS issuance, and device JWT CRL handling.
architecture/decisions/ADR-015-device-ca-custody.md
ADR-016 — PreVeil Key Custody
Key custody model for the CUI enclave.
architecture/decisions/ADR-016-preveil-key-custody.md
ADR-017 — Cosign Quorum
Quorum policy for OTA release signing.
architecture/decisions/ADR-017-cosign-quorum.md
ADR-018 — Impersonation Split Custody
Split-custody admin impersonation with shadow session projection.
architecture/decisions/ADR-018-impersonation-split-custody.md
ADR-019 — Wave C Security Primitives
Wave C security primitive scope and rationale.
architecture/decisions/ADR-019-wave-c-security-primitives.md
Security & Compliance — viewed on GitHub
Security Overview
Security posture, primitives, and disclosure path.
security/SECURITY.md
Threat Model
Adversaries, attack surfaces, and mitigations.
security/THREAT-MODEL.md
Auth Flows
Clerk session lifecycle, organization roles, impersonation paths.
security/AUTH-FLOWS.md
Compliance Mapping
CMMC L2, NIST 800-171 rev 3, SOC 2, DFARS controls mapped to primitives.
security/COMPLIANCE-MAPPING.md
Critical Gate Resolutions
Resolved blocking issues from the security review gates.
security/CRITICAL-GATE-RESOLUTIONS.md
Product & Specs — viewed on GitHub
Master PRD
Top-level product requirements document for the platform.
specs/MASTER_PRD.md
Features Catalog
Full feature inventory — F01 through F36.
specs/FEATURES.md
Offer Architecture
Pricing tiers, packaging, and value architecture.
specs/OFFER_ARCHITECTURE.md
Non-Functional Requirements
Performance, availability, and operational targets.
specs/NFRS.md
Feature Breakdown
Implementation breakdown across all feature PRDs.
implementation/FEATURE-BREAKDOWN.md
Design & Brand — viewed on GitHub
Brand Inspiration
Brand voice reference and visual influences.
design/INSPIRATION.md
Design System
Token system, components, and theming.
design/DESIGN-SYSTEM.md
WCAG 2.2 AA Audit
Accessibility audit results and remediation.
design/WCAG-AUDIT.md
Voice & Tone
Operator-direct, craft-respecting, earned warmth.
ux/VOICE-AND-TONE.md
Flows & Journeys — viewed on GitHub
Flow Tree
Structural screen inventory and transitions.
flows/FLOW-TREE.md
Traceability Matrix
PRD requirements mapped to flows, screens, and tests.
flows/TRACEABILITY-MATRIX.md
User Journeys
End-to-end journeys for each persona.
journeys/USER-JOURNEYS.md
State Spec
Full state catalog, recovery logic, and accessibility behavior.
states/STATE-SPEC.md