CI-1T

Security

Last updated: May 2026

Posture

This site is a research artifact. It has one public POST endpoint, /api/lab, that proxies numeric score arrays to the CI-1T engine. Everything that historically held authentication or financial state (accounts, OAuth, Stripe, PocketBase, admin dashboard) has been removed. The attack surface is small by design.

1. What's running

  • Astro SSR site on Render. Serves static landing/legal pages plus the lab proxy. No database, no persistent disk, no auth provider.
  • CI-1T engine (Rust) on Render. Stateless. Accepts u16 score arrays and returns computed metrics. The engine sits behind an internal API key that the lab proxy supplies on each request, so the engine is not directly exposed to the public.

2. Transport

All traffic between your browser, the site, and the engine is over HTTPS with TLS certificate validation enforced. The internal API key carried by the proxy in the X-API-Key header is server-side only and never reaches the browser.

3. Demo endpoint hardening

  • Path allowlist: /api/lab only forwards to /evaluate, /fleet/evaluate, and /health on the engine. Other engine routes (sessions, admin, MCP) are not reachable through the proxy.
  • Size guard: request bodies are JSON-decoded and rejected if the scores array exceeds 10,000 entries.
  • Per-IP rate limit: 30 requests per minute and 500 per day, per source IP, tracked in process memory. Counters are not persisted and reset on every restart.
  • Upstream timeout: requests to the engine carry a 15-second abort signal so a slow upstream can't hang client connections.
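The four guards above, written out as one added illustration of how such a proxy route can apply them (this is not the site's own code; ALLOWED_PATHS, checkBody, RateLimiter and buildUpstreamRequest are hypothetical names, the engine URL and API key are placeholders, and the u16 range check is an extra step the page does not state):

```javascript
// Added illustration of the proxy checks in section 3; not the site's own code.
// Names are hypothetical; engineUrl and apiKey are placeholders.
const ALLOWED_PATHS = new Set(['/evaluate', '/fleet/evaluate', '/health']);
const MAX_SCORES = 10_000;
const UPSTREAM_TIMEOUT_MS = 15_000;
// Path allowlist: exact match, so '/evaluate/../sessions' or '/admin' never reach the engine.
function isAllowedPath(path) {
  return ALLOWED_PATHS.has(path);
}
// Size guard: decode first, then reject on array length (and, as an extra check
// not stated on the page, on values outside the engine's u16 range).
function checkBody(rawText) {
  let body;
  try { body = JSON.parse(rawText); } catch { return { ok: false, status: 400 }; }
  const scores = body && body.scores;
  if (!Array.isArray(scores)) return { ok: false, status: 400 };
  if (scores.length > MAX_SCORES) return { ok: false, status: 413 };
  if (!scores.every((v) => Number.isInteger(v) && v >= 0 && v <= 0xffff)) return { ok: false, status: 400 };
  return { ok: true, body };
}
// Per-IP fixed-window limiter held in process memory: counters vanish on restart,
// exactly the trade-off the page describes. `now` is injectable for testing.
class RateLimiter {
  constructor(perMinute = 30, perDay = 500, now = Date.now) {
    Object.assign(this, { perMinute, perDay, now, buckets: new Map() });
  }
  allow(ip) {
    const t = this.now();
    let b = this.buckets.get(ip);
    if (!b) { b = { mStart: t, m: 0, dStart: t, d: 0 }; this.buckets.set(ip, b); }
    if (t - b.mStart >= 60_000) { b.mStart = t; b.m = 0; }       // new minute window
    if (t - b.dStart >= 86_400_000) { b.dStart = t; b.d = 0; }   // new day window
    if (b.m >= this.perMinute || b.d >= this.perDay) return false;
    b.m += 1; b.d += 1;
    return true;
  }
}
// Upstream request: the API key is attached here, server-side only, and the abort
// signal caps how long a slow engine can hold the client connection open.
function buildUpstreamRequest(path, body, apiKey, engineUrl = 'https://engine.example.invalid') {
  return [engineUrl + path, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'X-API-Key': apiKey },
    body: JSON.stringify(body),
    signal: AbortSignal.timeout(UPSTREAM_TIMEOUT_MS),
  }];
}
```

In a real route handler the checks run in this order (path, body, rate limit) before `fetch(...buildUpstreamRequest(...))`, so a rejected request never consumes an upstream slot.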

4. What we no longer do

The previous SaaS layer is gone. There is no:

  • OAuth login, PocketBase, session tokens, or account database.
  • Stripe integration, webhook handler, customer table, or payment flow.
  • API key issuance, ledger, or usage logging.
  • Admin dashboard or superuser surface.
  • Browser-side state beyond what the page itself renders: no cookies are set and no local storage is written.

If you are auditing for legacy threats (Stripe replay, OAuth account takeover, PocketBase rule misconfiguration, JWT forgery, cross-tenant data access), none of those components exist on this deployment.

5. Source & supply chain

  • JavaScript dependencies are pinned via package.json overrides for rollup and lodash to clear known CVEs from transitive trees. npm audit is clean at the time of the last update.
  • The engine is built from collapseindex/ci1t-api with cargo audit and Clippy gating.
  • No third-party analytics, tracking pixels, ad networks, or telemetry are loaded by the site.

6. Reporting

If you find a security issue affecting the public site or demo endpoint, email ask@collapseindex.org with reproduction steps. There is no formal bounty; serious reports are appreciated and credited if you would like.