v5.13.1 28 February 2026 Improvement

Trust Strip Redesign, OpenAPI Verification & Security Hardening

Why This Matters

The footer trust strip is the only place SpeyBooks makes verifiable security claims to visitors. Until now, those claims were rendered as a monospace text block indistinguishable from static copy. Visitors had no visual signal that the data was live, no proof the grade was earned, and no way to verify claims without leaving the page. One claim — “OpenAPI canonical” — had no verification behind it at all.

This release closes that gap. Every item in the trust strip is now backed by the Security Test Harness, the content contract, or the lock engine. Every claim links to its verification source. And the presentation communicates rigour rather than just asserting it.

Trust Strip Visual Redesign

  • Three-domain architecture The trust strip is now a three-column grid separating Security Posture, Jurisdiction & Data, and Technical Integrity into distinct visual domains. Each domain has its own icon, hierarchy, and hover state.

  • Shield badge with grade The security grade renders inside an SVG shield. Green for A/A+, amber for B and below. The grade is visible at a glance without reading text.

  • Pulsing status dot A CSS-only animated dot signals active monitoring. No client-side JavaScript, no hydration — pure build-time rendering with a CSS animation.

  • Module count proof “22/22 modules” shows visitors the grade is earned by an automated harness, not self-awarded. Links directly to the transparency report.

  • Every claim is clickable Audit date links to the transparency page. Data Residency links to the security page. Lock links to the changelog. API Surface links to the docs API reference. OpenAPI links to the live spec. Six new verifiable links in total.

  • Cross-domain parity maintained Both marketing (Tailwind) and docs (BEM/CSS) renderers updated with identical structure, satisfying I2b ordering parity. Link parity gate now verifies 50 links per page, up from 44.

  • Marketing Footer.astrov6.0.0
  • Docs Footer.astrov3.0.0

OpenAPI Specification Verification

  • New STH module: sc-openapi A high-severity module that validates the canonical OpenAPI spec through seven checks: file exists, valid JSON, OpenAPI 3.x version field, required info fields, non-empty paths, operation count consistency with the published endpoint count, and bit-identical comparison between the API source and the docs copy.

  • “OpenAPI canonical” is now an earned claim The trust strip previously asserted this without verification. The new module ensures the spec exists, is valid, matches the published API surface, and is identically deployed to docs. If the docs copy drifts from the canonical source, the module fails — not warns.

  • STH module count: 21 → 22 The new module sits in the secure-config area alongside TLS, SSH, and environment exposure checks.

Deploy Orchestrator Fix

  • Undefined variable bug in trust injection Phase 0b of deploy-ui.sh referenced $BASE and $MKTG_ROOT, neither of which were defined in the script. The trust injection block silently failed on every deployment. Fixed by adding INJECT_TRUST to the configuration block, consistent with the script’s pattern of deriving all paths from named constants.

  • Preflight honesty Trust injection now runs before the “All checks passed” message, so the preflight summary accurately reflects what succeeded.

Security Hardening

  • Nginx hardening on docs site Added dotfile deny rules and probe path blocking (wp-admin, phpmyadmin, server-status) matching the configuration already in place on the marketing site.

  • STH A+ grade tier Added A+ to the grade thresholds (score of 100). Previously, a perfect score still reported as A.

  • Production-only npm audit pm-npm-audit.sh v2.0.0 now runs with --omit=dev, auditing only production dependencies. Exception mechanism with expiry dates for known upstream vulnerabilities (xlsx, fast-xml-parser — both expire 28 March 2026).

  • Final grade: A+ (100%, 22/22 modules passing)

Operational Impact

  • Every trust strip claim is now verifiable in one click
  • OpenAPI spec drift between API and docs is a build-failing condition
  • Deploy orchestrator trust injection works correctly for the first time
  • Security posture upgraded from A to A+ with zero exceptions in production dependencies
  • Link parity gate covers 50 links per page across both domains
  • No client-side JavaScript added — trust strip animations are CSS-only

Files Changed

Infrastructure:

  • deploy-ui.sh — v2.1: fixed undefined variable bug in Phase 0b trust injection
  • inject-trust.sh — v1.0.0: STH → footer-data.json bridge (wired and operational)

STH:

  • modules/sc-openapi.sh — new module: OpenAPI spec validation (7 checks)
  • modules/pm-npm-audit.sh — v2.0.0: production-only audit with exception mechanism
  • audit-exceptions.json — documented vulnerability exceptions with expiry

Marketing site:

  • src/components/Footer.astro — v6.0.0: three-domain trust strip with shield badge
  • src/content/changelog/5.13.1.md — this entry

Docs site:

  • src/components/Footer.astro — v3.0.0: matching trust strip for I2b parity
  • nginx config — dotfile deny and probe path blocking

These changes close the gap between what the trust strip claims and what the infrastructure can prove — establishing a verifiable trust surface ahead of soft launch.