ATLAS Globe
ATLAS
byArcSense
Get started

ArcSense · Engineering

How ATLAS is built and verified

ATLAS was built with AI assistance under human review. This page describes the practices, automated gates, and test coverage that validate the output — and our honest framing of the AI-assisted development model.

Development workflow

PR-based, gate-enforced development

Every change — including AI-generated code — goes through a pull request. No commits land on main without passing the full CI gate suite and passing human review.

TypeScript typecheck

Full type-check across all workspaces. Fails on any type error, including tables missing from database.ts.

Dependency contract tests

Validates that critical runtime packages have not been silently upgraded past pinned major versions.

In-house security audit

Five-vector security scan (SCA + secrets + RLS + SAST + edge-function integrity). Any HIGH or CRITICAL finding fails the build.

Build verification

Full production build across the web app, admin console, and shared packages — catches import errors, missing assets, and bundle failures.

RLS regression tests

35 pgTAP assertions verify cross-org data isolation, Viewer write denial, and Editor write allowance against a local Supabase instance.

MCP write-tool tests

Vitest integration tests sweep all 40+ MCP write tools for RBAC enforcement, audit log writes, and idempotency. Runs in CI on every PR.

The verify CI job runs on every PR and push to main. The rls-and-mcp-tests job runs on every PR. The e2e-smoke job runs nightly. A pre-push hook runs typecheck, dependency contracts, and the security audit before any push leaves the developer machine.

In-house security audit

Five-vector automated security scan

scripts/security-audit.js is a zero-dependency Node script that runs five distinct checks on every CI build. A Level 1 scan runs on every PR; a Level 2 deep scan adds SAST and edge-function coverage for periodic review.

1 / 5

Software Composition Analysis (SCA)

Runs npm audit across all workspaces — root monorepo, MCP server, and MCP worker. HIGH and CRITICAL CVEs fail the build.

2 / 5

Secrets & environment file scanner

Scans the git index for committed .env files and scans every source file for hardcoded credentials, API keys, and Supabase service-role tokens.

3 / 5

Database & RLS governance

Parses every SQL migration to verify that every created table has Row Level Security enabled. Missing RLS is flagged as HIGH severity.

4 / 5

Static application security testing (SAST)

Deep-scan mode audits all TypeScript / React source files for dangerouslySetInnerHTML usage and client-side service-role key references.

5 / 5

Deno / Edge Function import integrity

Deep-scan mode verifies that every external import in a Supabase Edge Function specifies a pinned version, preventing silent dependency drift.

Automated test coverage

What we test, and why

We focus test coverage on the properties buyers care most about — cross-org data isolation, AI write-tool authorization, and end-to-end workflow integrity — rather than chasing component unit test percentages.

35 assertions

RLS regression suite

3 pgTAP files covering cross-org isolation across 12 tables, Viewer write denial, and Editor write allowance.

40+ tools

MCP write-tool suite

Parametrized RBAC-denial sweep covering every write tool, plus reference tests for audit logging and idempotency.

5 flows · nightly

Playwright E2E smoke

Covers signup → org create, member invite, AIGov charter edit, risk register CRUD, and policy status transition.

AI-assisted development

Built with AI assistance, under human review

ATLAS was built with significant AI assistance. We do not hide this. The value is not in whether a human or an AI typed a line of code — it is in whether that code is correct, secure, and independently validated.

Active

Human review on every change

Every AI-generated change goes through a pull request reviewed by a human engineer before it merges. The CI gates above run regardless of authorship.

Active

Automated security enforcement

The in-house security audit, RLS regression tests, and MCP write-tool tests are designed specifically to catch the classes of bugs that AI-assisted development is most likely to introduce.

Planned

Independent penetration test

A third-party security firm will validate the codebase independently. When the report is complete, a redacted summary will be published on our Trust page.

Planned

SOC 2 Type I attestation

A point-in-time audit of our security controls by an accredited CPA firm. This is the external artifact that matters most to enterprise procurement.

The pen test and SOC 2 Type I are the load-bearing external artifacts. The gates, tests, and audit script above are the evidence trail that makes them possible — and the receipts that validate the AI-assisted process.

Resources

More information

Security & Trust

Controls, subprocessors, and compliance roadmap

Responsible disclosure

Report a security vulnerability

Status page

Live uptime across all services

Security questions? Contact us at security@arcsense.ca.