{"id":51229796,"url":"https://github.com/kenithphilip/fedpy","last_synced_at":"2026-06-28T15:01:59.852Z","repository":{"id":360894500,"uuid":"1251941469","full_name":"kenithphilip/FedPy","owner":"kenithphilip","description":"Read-only, evidence-grade automation for FedRAMP 20x \u0026 Rev5: a TypeScript collector that captures AWS/GCP/Kubernetes config evidence for all 63 KSIs (223 requirements), benchmarks against NIST 800-53 at Low/Moderate/High, and signs it (Ed25519 + OSCAL) — plus a local multi-user tracker over the FRMR catalog.","archived":false,"fork":false,"pushed_at":"2026-06-18T08:53:14.000Z","size":7921,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-18T10:26:03.563Z","etag":null,"topics":["aws","cloud-security","compliance","compliance-as-code","continuous-monitoring","evidence-collection","fedramp","fedramp-20x","gcp","grc","ksi","kubernetes","nist-800-53","oscal","security-automation","typescript"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kenithphilip.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-28T03:35:11.000Z","updated_at":"2026-06-18T08:53:19.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/kenithphilip/FedPy","commit_stats":null,"previous_names":["kenithphilip/fedpy"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/kenithphilip/FedPy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kenithphilip%2FFedPy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kenithphilip%2FFedPy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kenithphilip%2FFedPy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kenithphilip%2FFedPy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kenithphilip","download_url":"https://codeload.github.com/kenithphilip/FedPy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kenithphilip%2FFedPy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34892547,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-28T02:00:05.809Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloud-security","compliance","compliance-as-code","continuous-monitoring","evidence-collection","fedramp","fedramp-20x","gcp","grc","ksi","kubernetes","nist-800-53","oscal","security-automation","typescript"],"created_at":"2026-06-28T15:01:56.283Z","updated_at":"2026-06-28T15:01:59.843Z","avatar_url":"https://github.com/kenithphilip.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# FedRAMP 20x Compliance Tooling\n\n\u003e Read-only, evidence-grade automation for **FedRAMP 20x** (and Rev5) — collect\n\u003e cloud configuration evidence against all **63 Key Security Indicators** and\n\u003e **223 requirements**, benchmark your infrastructure against **NIST SP 800-53**\n\u003e at Low / Moderate / High, and track implementation across your team.\n\n[![CI](https://github.com/kenithphilip/FedPy/actions/workflows/ci.yml/badge.svg)](https://github.com/kenithphilip/FedPy/actions/workflows/ci.yml)\n[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)\n![TypeScript](https://img.shields.io/badge/TypeScript-5.7-3178c6.svg)\n![Node](https://img.shields.io/badge/Node-22%2F24-339933.svg)\n![Bun](https://img.shields.io/badge/Bun-1.3-f9f1e1.svg)\n![Deno](https://img.shields.io/badge/Deno-2.8-000000.svg)\n![Tests](https://img.shields.io/badge/tests-495%20passing-brightgreen.svg)\n\nThis repository contains **two complementary projects** that together cover the\nfull FedRAMP 20x lifecycle — automated technical evidence on one side, and\nhuman-tracked governance state on the other.\n\n| Project | What it does | Stack |\n|---|---|---|\n| [`cloud-evidence/`](cloud-evidence/) | A **read-only** collector that captures AWS + GCP + Kubernetes configuration evidence for every FedRAMP 20x KSI, scores it, signs it, maps it to NIST 800-53, and pushes it to your GRC stack. | TypeScript · Node (tsx) or Bun · AWS SDK v3 · googleapis · @kubernetes/client-node |\n| [`tracker/`](tracker/) | A local, multi-user web dashboard over the FedRAMP machine-readable (FRMR) catalog for tracking implementation status, ownership, evidence links, and the NIST crosswalk. | TypeScript · Hono · better-sqlite3 · React + Vite |\n\n---\n\n## Table of contents\n\n- [Why this exists](#why-this-exists)\n- [What you get](#what-you-get)\n- [Repository layout](#repository-layout)\n- [Architecture at a glance](#architecture-at-a-glance)\n- [Quick start](#quick-start)\n- [The cloud-evidence collector](#the-cloud-evidence-collector)\n  - [Read-only safety model](#read-only-safety-model)\n  - [Impact levels \u0026 frameworks](#impact-levels--frameworks)\n  - [NIST 800-53 control benchmark](#nist-800-53-control-benchmark)\n  - [Output artifacts](#output-artifacts)\n  - [Integrations](#integrations)\n  - [Production hardening](#production-hardening)\n- [The tracker](#the-tracker)\n- [Testing](#testing)\n- [Documentation index](#documentation-index)\n- [Data sources \u0026 attribution](#data-sources--attribution)\n- [Security](#security)\n- [License](#license)\n\n---\n\n## Why this exists\n\nFedRAMP 20x reframes authorization around **machine-readable, continuously\nverified evidence** instead of static SSP narratives. The authoritative source\nof truth is the [FedRAMP machine-readable (FRMR)](https://github.com/FedRAMP/docs)\ndata, which defines **Key Security Indicators (KSIs)** and **FedRAMP Requirements\n(FRRs)**.\n\nThis tooling turns that source of truth into two practical workflows:\n\n1. **Prove it automatically.** `cloud-evidence` logs into your cloud accounts\n   *read-only*, evaluates the cloud-testable indicators directly against live\n   configuration, and emits signed, schema-valid, OSCAL-mapped evidence — so the\n   evidence is reproducible and auditor-verifiable, not hand-assembled.\n2. **Track the rest.** Not every requirement is cloud-API-testable (a large share\n   are governance/process obligations). The `tracker` gives your team a shared\n   surface to record status, owners, evidence links, and last-reviewed dates for\n   the full 223-requirement set, with a NIST 800-53 crosswalk for mapping against\n   an existing Rev5 baseline.\n\nEverything is **local-first and self-hosted** — your evidence and your tracker\nstate never leave infrastructure you control unless you explicitly push them.\n\n## What you get\n\n- ✅ **Complete KSI coverage** — all **63 KSIs** and **223 requirements** are\n  accounted for: cloud collectors where testable, process-artifact evidence for\n  governance requirements, and explicit *awareness-only* tracking for items that\n  obligate FedRAMP / an agency / a 3PAO.\n- 🔒 **Provably read-only** — every cloud SDK call is enforced read-only by *two*\n  independent layers (viewer-only IAM **and** a runtime guardrail Proxy).\n- 🎚️ **Low / Moderate / High** — choose your impact tier; the collector scopes\n  every requirement to that tier (High applicability is derived from NIST 800-53\n  Rev5 and clearly labeled).\n- 📊 **NIST 800-53 benchmark** — roll findings up to 800-53 controls and score\n  each control, for both the 20x-referenced control set and the full SP 800-53B\n  baseline.\n- 🖊️ **Tamper-evident** — Ed25519-signed manifests + optional RFC 3161 trusted\n  timestamps; an offline `verify` CLI re-checks every hash and signature.\n- 🔁 **OSCAL + crosswalks** — OSCAL 1.1 Assessment Results, plus NIST →\n  SOC 2 / ISO 27001 / HIPAA crosswalk.\n- 🔌 **Push anywhere** — Paramify, the bundled tracker, Slack/PagerDuty,\n  Jira/ServiceNow/GitHub Issues, SIEM (OCSF), generic HMAC webhook, and optional\n  LLM-drafted remediation PRs.\n- 🧰 **Operationally hardened** — retry/backoff, adaptive concurrency under\n  throttle, append-only run ledger, and a run lock to prevent overlapping runs.\n\n## Repository layout\n\n```\nFedRAMP 20x/\n├── cloud-evidence/            Read-only AWS+GCP+K8s evidence collector\n│   ├── core/                  Orchestrator, schema, signing, OSCAL, benchmark, hardening\n│   ├── providers/             Per-cloud collectors (aws/, gcp/, k8s/)\n│   ├── scripts/               Reproducible data extractors (FRMR, NIST r5, baselines)\n│   ├── docs/                  Committed generated lookups + IAM permission catalog\n│   └── tests/                 Vitest suites (38 files, 396 tests)\n├── tracker/                   Local multi-user web tracker over the FRMR catalog\n│   ├── server/                Hono API + better-sqlite3 + RBAC/2FA/audit\n│   ├── client/                React + Vite SPA\n│   └── tests/                 Vitest suites (11 files, 99 tests)\n├── ARCHITECTURE.md            How the two projects fit together (with diagrams)\n├── RUNBOOK.md                 Operations: setup, IAM, env vars, troubleshooting\n├── COST.md                    Cost model for the collector + integrations\n├── GAP-ANALYSIS.md            Positioning vs Prowler/ScoutSuite/Wiz/Drata/Vanta/Paramify\n├── CHANGELOG.md               Version history\n├── LICENSE                    Apache-2.0\n└── NOTICE                     Third-party data attribution\n\n# External reference clones (git-ignored, not part of this repo's code):\n├── docs/                      Clone of github.com/FedRAMP/docs (FRMR source of truth)\n└── nist-r5-data/              NIST 800-53 Rev5 reference data\n```\n\n## Architecture at a glance\n\n```mermaid\ngraph LR\n  CSP[CSP environment\u003cbr/\u003eAWS + GCP + K8s] --\u003e CE[cloud-evidence\u003cbr/\u003eorchestrator]\n  CE --\u003e Out[(out/*.json\u003cbr/\u003e+ manifest.sig\u003cbr/\u003e+ control-benchmark.json\u003cbr/\u003e+ assessment-results.json)]\n  Out --\u003e Sign[Ed25519 + RFC 3161]\n  Out --\u003e Tracker[(tracker DB)]\n  Out --\u003e GRC[Paramify / SIEM / Tickets / Webhook]\n  Auditor[3PAO / auditor] -. verifies .-\u003e Out\n  Tracker --\u003e UI[React SPA]\n```\n\nSee [ARCHITECTURE.md](ARCHITECTURE.md) for the full module maps and data flow.\n\n## Quick start\n\n**Prerequisites:** Node 22+ (tested on 22 and 24); optionally\n[Bun](https://bun.sh) 1.3+ or [Deno](https://deno.com) 2.8+ for the collector. AWS credentials via\n`aws sso login` / `AWS_PROFILE`, and GCP via\n`gcloud auth application-default login`.\n\n```bash\ngit clone git@github.com:kenithphilip/FedPy.git \"FedRAMP 20x\"\ncd \"FedRAMP 20x\"\n```\n\n### Collect evidence\n\n```bash\ncd cloud-evidence\nnpm install\n\n# Plan only — no SDK calls are made\nnpm run collect -- --dry-run\n\n# Real collection at Moderate, benchmarked against the 20x-referenced controls\nnpm run collect -- --impact-level moderate --framework 20x\n\n# Full High-tier run benchmarked against the entire NIST SP 800-53B High baseline,\n# with all post-run reports, OSCAL, crosswalk, and signing\nnpm run collect -- --impact-level high --framework rev5 --all-reports --oscal --crosswalk\n\n# Verify a finished run offline (re-hashes every file, checks the signature)\nnpm run verify -- ./out\n```\n\n\u003e Output goes to `./out/` (git-ignored). See [Output artifacts](#output-artifacts).\n\n### Run the tracker\n\n```bash\n# from the repo root, get the FRMR source of truth (if you don't have it)\ngit clone https://github.com/FedRAMP/docs.git\n\ncd tracker\nnpm install\nnpm run ingest        # load FRMR.documentation.json into data/tracker.db\nnpm run dev           # API on :4000, web UI on :5173\n# open http://localhost:5173 — the first account you create becomes admin\n```\n\n---\n\n## The cloud-evidence collector\n\nA read-only TypeScript collector for the FedRAMP 20x KSIs across **AWS, GCP, and\nKubernetes**. It runs on Node (via `tsx`), Bun, or Deno — Bun is recommended for\nproduction collection (native TS, faster startup/I/O, better concurrency under\nthrottle); Node + `tsx` is the default and what the test suite runs on. Deno is\nalso supported via the `collect:deno` / `verify:deno` scripts (it needs explicit\n`--allow-*` permission flags; see [RUNBOOK.md](RUNBOOK.md)).\n\n### Read-only safety model\n\nThe collector **must never mutate cloud state**, enforced by two independent\nmechanisms (either one alone would stop a write; both are required to run):\n\n1. **Viewer-only IAM.** The runner principal is bound to read-only managed\n   policies only (AWS `ReadOnlyAccess`, GCP viewer/securityReviewer roles, K8s\n   `view`). The exact least-privilege role list is in\n   [RUNBOOK.md](RUNBOOK.md) and\n   [cloud-evidence/docs/IAM-PERMISSIONS-CATALOG.md](cloud-evidence/docs/IAM-PERMISSIONS-CATALOG.md).\n2. **Runtime guardrail Proxy.** Every SDK client is wrapped at construction by\n   `core/readonly-guardrail.ts` (AWS) or `core/readonly-guardrail-gcp.ts` (GCP).\n   Any command whose verb prefix isn't on the read-only allowlist throws\n   `ReadOnlyViolationError` **before the call leaves the process** — so even a\n   mis-scoped IAM role or a buggy new collector cannot perform a write.\n\n### Impact levels \u0026 frameworks\n\nPick the tier at setup (`config.yaml` `impact_level:`) or per-run\n(`--impact-level low|moderate|high`). The collector then scopes all 223\nrequirements to that tier:\n\n- **Cloud-testable KSIs** run their collectors against live config.\n- **Governance requirements** emit signed *process-artifact* evidence, tracked\n  via an attestation register with SLA/deadline monitoring.\n- **FedRAMP/agency/3PAO obligations** are recorded as **awareness-only** and\n  excluded from your provider pass/fail.\n\nHigh applicability is **derived from the NIST 800-53 Rev5 baseline** (there is no\nseparately published 20x High) and always labeled `derived-rev5`.\n\n### NIST 800-53 control benchmark\n\nEvery run rolls findings **up to NIST 800-53 controls** and scores each control\nat the chosen impact level, so you can benchmark your cloud infrastructure\nagainst the baseline. Two framings via `--framework`:\n\n| `--framework` | In-scope control set | Answers |\n|---|---|---|\n| `20x` (default) | The controls the evaluated 20x KSIs/FRRs reference | \"How covered are the controls 20x cares about, at this level?\" |\n| `rev5` | The full NIST SP 800-53B baseline for the level (Low **149** / Moderate **287** / High **370**) | \"Which baseline controls have automated cloud evidence vs. still need manual assessment?\" |\n\nEach control gets a status — `satisfied` (all mapping findings passed),\n`partially-satisfied` (mixed), `not-satisfied` (all failed), or `not-assessed`\n(no automated evidence). The report (`control-benchmark.json`) gives two rates:\n`assessed_pass_rate` (satisfied ÷ controls with evidence) and\n`baseline_coverage_rate` (satisfied ÷ whole in-scope set). Awareness-only\nattestations are listed under a control but never satisfy it on their own.\n\nBaseline membership ships committed\n(`cloud-evidence/docs/nist-r5-baselines.generated.json`, sourced from NIST's\nofficial OSCAL resolved-profile catalogs) so there is **no network at runtime**;\nrefresh it with `node scripts/extract-nist-baselines.mjs`.\n\n### Output artifacts\n\nA single run writes to `./out/`:\n\n| File | Contents |\n|---|---|\n| `KSI-*.json` | Per-KSI evidence envelopes (v3 schema, one per requirement) |\n| `pva-run-summary.json` | Run roll-up + impact level + framework + benchmark headline |\n| `family-rollup.json` | Per-control-family posture |\n| `control-benchmark.json` | NIST 800-53 control benchmark (this run's framing/level) |\n| `inventory.json` *(`--inventory-workbook`)* | Rich org-grade cloud asset inventory (every resource type; source of truth) + relationship graph |\n| `inventory-workbook.{csv,xlsx}` | FedRAMP Appendix M Integrated Inventory Workbook (AWS + GCP assets) |\n| `inventory-oscal.json` / `inventory-cmdb.json` / `inventory-diff.json` / `inventory-cost.json` | OSCAL inventory-items · ServiceNow CMDB records · run-over-run change diff · month-to-date cost by service |\n| `manifest.json` + `manifest.sig` | Ed25519-signed inventory of every output file |\n| `manifest.tsr` *(optional)* | RFC 3161 trusted timestamp token |\n| `assessment-results.json` *(`--oscal`)* | OSCAL 1.1 Assessment Results |\n| `crosswalk-report.json` *(`--crosswalk`)* | NIST → SOC 2 / ISO 27001 / HIPAA |\n| `coverage-report.json` | Silent-failure / gap detection |\n| `report.html`, `findings.csv` *(`--all-reports`)* | Human + spreadsheet views |\n| `diff-report.{json,html}` | Change vs. the previous run |\n| `anomaly-report.json` *(`--anomaly`)* | Drift vs. the rolling baseline |\n| `run-ledger.jsonl` | Append-only audit trail of every action + timing |\n\n### Integrations\n\nAll opt-in (require their own env vars; see [RUNBOOK.md](RUNBOOK.md)):\n\nParamify · the bundled tracker (`--push-tracker`) · Slack / PagerDuty\n(`--notify-on-drift`) · Jira / ServiceNow / GitHub Issues (`--ticket-push`) ·\nSIEM via OCSF (`--siem-url`) · generic HMAC-signed webhook (`--webhook-url`) ·\nAnthropic Claude remediation PR drafts (`--llm-generate-prs`) · Powerpipe mod\n(`--powerpipe`) · SBOM ingest (`--sbom-dir`).\n\n### Production hardening\n\n- **Retry/backoff** on every SDK call (configurable attempts/backoff caps).\n- **Adaptive concurrency** — a token bucket + AIMD limiter that backs off under\n  throttling and recovers, plus in-run TTL memoization.\n- **Append-only run ledger** — crash-durable JSONL of every action and outcome.\n- **Run lock** — prevents two runs clobbering the same output dir (TTL +\n  PID-liveness; auto-released on exit).\n\n## The tracker\n\nA local, multi-user web dashboard that ingests the FRMR catalog and lets your\nteam track implementation status against every 20x requirement and KSI. It sits\n*next to* a clone of the upstream FedRAMP docs and re-ingests on demand,\npreserving your status, owner, notes, and evidence (state is keyed by stable\nFRMR IDs).\n\nHighlights: dashboard with \"next 10 to tackle\", gap analysis, requirement \u0026 KSI\nbrowsers, full item detail with FRD-term tooltips, a **NIST 800-53 crosswalk**, a\ncollector-runs view (impact level + benchmark headline), CSV/JSON export, and\nmulti-user accounts with sessions, **TOTP 2FA**, **role-based access control**,\nper-item **audit log**, and online backup/restore.\n\nSee [tracker/README.md](tracker/README.md) for the full feature list and API.\n\n## Testing\n\n```bash\n# cloud-evidence — 38 files, 396 tests\ncd cloud-evidence \u0026\u0026 npm test \u0026\u0026 npm run typecheck\n\n# tracker — 11 files, 99 tests\ncd tracker \u0026\u0026 npm test \u0026\u0026 npm run typecheck\n```\n\nBoth projects typecheck clean and the full suite (**495 tests**) passes. CI-style\none-liner from the repo root:\n\n```bash\n(cd cloud-evidence \u0026\u0026 npm test) \u0026\u0026 (cd tracker \u0026\u0026 npm test)\n```\n\n## Documentation index\n\n| Doc | What's in it |\n|---|---|\n| [ARCHITECTURE.md](ARCHITECTURE.md) | Module maps, data flow, integration points, the read-only invariant |\n| [RUNBOOK.md](RUNBOOK.md) | Setup, required IAM, all environment variables, exit codes, troubleshooting |\n| [cloud-evidence/docs/OPERATOR-GUIDE.md](cloud-evidence/docs/OPERATOR-GUIDE.md) | **Single consolidated operator reference** — complete CLI flag list, env var list, config files (`config.yaml`, `thresholds.yaml`, forward-spec `org-profile.yaml`), loop landscape (implemented / spec'd / roadmap), conditional-loop activation matrix, output-artifact catalogue, common run patterns |\n| [cloud-evidence/org-profile.yaml.example](cloud-evidence/org-profile.yaml.example) | Forward-spec template for conditional loops (LOOP-M, LOOP-O, LOOP-S, LOOP-X, G.G2-CIRCIA, M.M4-CIRCIA, G.G2-SEC-8K) |\n| [COST.md](COST.md) | Cost model for the collector and optional integrations |\n| [GAP-ANALYSIS.md](GAP-ANALYSIS.md) | How this compares to Prowler / ScoutSuite / Wiz / Drata / Vanta / Paramify |\n| [CHANGELOG.md](CHANGELOG.md) | Version history |\n| [cloud-evidence/README.md](cloud-evidence/README.md) | Collector deep-dive |\n| [cloud-evidence/CLAUDE.md](cloud-evidence/CLAUDE.md) | REO standard + Scope Guard + Conditional Applicability Matrix (for contributors) |\n| [cloud-evidence/docs/STATUS.md](cloud-evidence/docs/STATUS.md) | Current implementation status: every slice, every loop |\n| [cloud-evidence/docs/IAM-PERMISSIONS-CATALOG.md](cloud-evidence/docs/IAM-PERMISSIONS-CATALOG.md) | Exact per-collector cloud permissions |\n| [cloud-evidence/docs/roadmap/README.md](cloud-evidence/docs/roadmap/README.md) | Out-of-core / roadmap docs (LOOP-U/V/Y/Z + fifth-pass audit) |\n| [tracker/README.md](tracker/README.md) | Tracker features, API, configuration |\n\n## Data sources \u0026 attribution\n\nThis repo **derives** committed lookup files from public sources (regenerated by\nthe scripts in `cloud-evidence/scripts/`, not re-licensed):\n\n- **FedRAMP FRMR** — [github.com/FedRAMP/docs](https://github.com/FedRAMP/docs)\n  (U.S. Government source of truth for 20x/Rev5 requirements \u0026 KSIs).\n- **NIST SP 800-53 Rev5 control catalog** — control names/families via\n  [GovReady/nist-sp-800-53-r5-data](https://github.com/GovReady/nist-sp-800-53-r5-data).\n- **NIST SP 800-53B Rev5 baselines** — Low/Moderate/High membership from\n  [usnistgov/oscal-content](https://github.com/usnistgov/oscal-content).\n\nSee [NOTICE](NOTICE) for full attribution. These sources remain governed by their\nown terms.\n\n## Security\n\n- The collector is **read-only by construction** (see\n  [the safety model](#read-only-safety-model)); a `ReadOnlyViolationError` is a\n  bug in a collector, never something to work around.\n- Evidence is **tamper-evident** (Ed25519 manifest + optional RFC 3161 timestamp)\n  and independently verifiable offline via `npm run verify -- ./out`.\n- The tracker stores passwords with `scrypt`, uses HttpOnly/SameSite session\n  cookies, supports TOTP 2FA and RBAC, and records every mutation in an audit log.\n\nIf you discover a security issue, please open a private report rather than a\npublic issue.\n\n## License\n\nLicensed under the [Apache License 2.0](LICENSE). © 2026 Kenith Philip.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkenithphilip%2Ffedpy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkenithphilip%2Ffedpy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkenithphilip%2Ffedpy/lists"}