Backend security demonstration · Portfolio project

Security controls you can
actually exercise.

TrustVault Lite is a controlled multi-tenant evidence portal built to demonstrate backend authorization, tenant isolation, secure sessions, private file delivery, delegated access, and audit logging—not to collect real customer data.

No registrationSeeded identitiesState resets on restart
request-path.txt
LIVE TOPOLOGY
Browsersame-origin client
Cloudflare + CaddyTLS · headers · routing
Fastify APIauthn · authz · audit
In-memory sandboxactive runtime
Mock scan queuestate enforcement
$ deny by default · trust one proxy hop · expose no storage keys

Security controls demonstrated

Designed around boundaries,
not security slogans.

Each control is visible in the UI, enforced by the API, and backed by negative tests.

Tenant isolation

Tenant-scoped repositories, membership enforcement, object-level authorization, and a separately tested PostgreSQL RLS path.

RBAC + ABAC

A centralized deny-by-default policy layer enforces role, tenant, project, action, and resource boundaries.

Secure sessions

Server-side sessions use HttpOnly, Secure, SameSite cookies with origin validation, CSRF tokens, and revocation.

Private file delivery

Synthetic PDFs pass validation and mock scan states before authenticated or share-link proxy downloads are allowed.

Hashed credentials

API keys and share-link secrets are high entropy, stored as hashes, displayed once, scoped, expiring, and revocable.

Auditability

Security-relevant successes and denials feed tenant-scoped audit views and a compact security dashboard.

Three-minute walkthrough

Follow the security story.

The demo is seeded so a reviewer can reach meaningful controls immediately.

01

Switch identity

Compare Owner, Viewer, Auditor, and a separate Globex tenant. Try an action outside the selected role and observe the denial.

02

Exercise the file boundary

Create a project, upload the generated synthetic PDF, trigger the authenticated mock scan, and download only after it is clean.

03

Control delegated access

Create and revoke a scoped API key or expiring share link, then inspect the resulting audit events and security signals.

Start with Owner at Acme Corp

Deliberate scope

A security sandbox,
not a production SaaS.

The project demonstrates secure design decisions while keeping operations intentionally small, inspectable, and disposable. These limits are documented—not hidden.

Implemented now
  • Single hardened API instance
  • Tenant-scoped in-memory runtime
  • PostgreSQL/RLS integration tests
  • Synthetic PDF and mock scanning
  • CI and security workflows
Documented extensions
  • OIDC, MFA, and passkeys
  • Redis-backed distributed state
  • S3-compatible object storage
  • ClamAV or equivalent scanning
  • Durable, multi-instance operation

Ready to inspect it?

Break a permission boundary.
Then find the evidence.

Open the sandbox

Synthetic data only · No account required · Ephemeral state