February 12, 2026 · 0.1.10 · Calmony Sanctions Monitor

v0.1.10 — feat: compliance — encryption, security headers, validation, monitoring, data export

Release v0.1.10: Compliance — Encryption, Security Headers, Validation, Monitoring & Data Export

12 February 2026

This release implements five high-severity compliance features spanning HIPAA, ISO 27001, SOC 2, and GDPR.

What changed

  • AES-256-GCM encryption for PII fields (names, dates of birth, phone numbers). Uses PBKDF2 key derivation with 100k iterations. Backwards-compatible — encrypted values carry an enc: prefix; unencrypted values pass through unchanged. Optional in dev/CI.
  • Security headers on all routes: Content-Security-Policy, HSTS (2-year max-age with preload), X-Frame-Options DENY, Permissions-Policy (camera/mic/geo denied), Referrer-Policy, and X-Content-Type-Options. CORS on /api/* restricted to the app origin.
  • Input validation & sanitisation via centralised Zod schemas. Strips HTML/XSS, removes null bytes and control characters, blocks CSV injection patterns. Covers person creation, match review, notification preferences, feedback, API keys, and adverse media screening.
  • Health & readiness endpoints at /api/health and /api/ready. Health checks database connectivity and encryption config, returns healthy/degraded/unhealthy. Readiness checks DB and Clerk config for load balancers. Both are public (no auth). New structured JSON logger with configurable log levels.
  • GDPR data export at /api/export/people, /api/export/screening-history, and /api/export/audit-trail. Supports ?format=csv and ?format=json. IP addresses are masked in audit trail exports. Every export is itself audit-logged.

Why it matters

Users now have application-level encryption protecting sensitive data, hardened HTTP security defaults, protection against common injection attacks, infrastructure monitoring for uptime, and the ability to export their own data — covering core requirements across HIPAA, ISO 27001, SOC 2, and GDPR Article 20.

Technical notes

  • New env vars: ENCRYPTION_SECRET (for AES-256-GCM) and LOG_LEVEL (debug/info/warn/error).
  • /api/health and /api/ready added to public routes in middleware.
  • CI workflow updated with encryption secret and log level for builds.
  • 12 files changed, 1,453 additions.
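
The PII field scheme listed under "What changed" (AES-256-GCM, PBKDF2 with 100k iterations, an enc: prefix, pass-through for unprefixed values), shown in Node.js as an added example. This is not Calmony's code: the salt, PBKDF2 hash, IV size, payload layout and all function names are assumptions the release notes do not specify.

```javascript
// Added example, not Calmony's code. Salt, hash, IV size and layout are assumptions.
const nodeCrypto = require("node:crypto");

const PREFIX = "enc:";       // marker from the release notes
const ITERATIONS = 100_000;  // PBKDF2 iteration count from the release notes
const SALT = Buffer.from("constructed-demo-salt"); // assumption: one app-wide salt

// Derive the 256-bit key once at startup; 100k iterations is too slow per field.
function deriveKey(secret) {
  return nodeCrypto.pbkdf2Sync(secret, SALT, ITERATIONS, 32, "sha256");
}

// Output: enc:<base64(iv || tag || ciphertext)>, with a fresh 96-bit IV per value.
function encryptField(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]);
  return PREFIX + blob.toString("base64");
}

// Unprefixed values pass through unchanged (rows written before encryption).
function decryptField(key, stored) {
  if (!stored.startsWith(PREFIX)) return stored;
  const blob = Buffer.from(stored.slice(PREFIX.length), "base64");
  if (blob.length < 28) throw new Error("encrypted field too short");
  const iv = blob.subarray(0, 12);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws when the tag does not verify, i.e. the stored value was modified.
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString("utf8");
}

// Migration check: ids of rows whose value is still stored as plaintext.
function auditPlaintext(rows) {
  return rows.filter((r) => !r.value.startsWith(PREFIX)).map((r) => r.id);
}
```

Because unprefixed values are accepted as-is, GCM's integrity check only covers values that carry the prefix; a check like auditPlaintext is what confirms that existing rows have actually been migrated.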

Release Notes

Successfully merged PR #24 and created release v0.1.10.

PR #24 merged via squash merge (SHA: 2f1325eb6eee48abf11100f5e5a6c2ff35d6a348)

Release created: v0.1.10 — Compliance: Encryption, Security Headers, Validation, Monitoring & Data Export

URL: https://github.com/LetMC/CalmonySanctionsMonitor/releases/tag/v0.1.10

What was released: This is a major compliance milestone implementing 5 high-severity features across HIPAA, ISO 27001, SOC 2, and GDPR:

  1. AES-256-GCM encryption for PII fields (HIPAA)
  2. Security headers — CSP, HSTS, X-Frame-Options, Permissions-Policy, CORS (ISO 27001)
  3. Input validation & sanitisation — centralised Zod schemas with XSS/injection prevention (ISO 27001)
  4. Health & readiness endpoints + structured JSON logging (SOC 2)
  5. Data export endpoints for people, screening history, and audit trail in CSV/JSON (GDPR Art. 20)

12 files changed — 1,453 additions, 2 deletions.