# Process & Data Flow Documentation for European Parliament Intelligence

Security Flows • CI/CD Pipeline • Data Processing

Document Owner: CEO | Version: 1.2 | Last Updated: 2026-04-20 (UTC) | Platform Release: v0.8.40
Review Cycle: Quarterly | Next Review: 2026-07-20
| Document | Focus | Description | Documentation Link |
|---|---|---|---|
| Architecture | Architecture | C4 model showing current system structure | View Source |
| Future Architecture | Architecture | C4 model showing future system structure | View Source |
| Mindmaps | Concept | Current system component relationships | View Source |
| Future Mindmaps | Concept | Future capability evolution | View Source |
| SWOT Analysis | Business | Current strategic assessment | View Source |
| Future SWOT Analysis | Business | Future strategic opportunities | View Source |
| Data Model | Data | Current data structures and relationships | View Source |
| Future Data Model | Data | Enhanced European Parliament data architecture | View Source |
| Flowcharts | Process | Current data processing workflows | View Source |
| Future Flowcharts | Process | Enhanced AI-driven workflows | View Source |
| State Diagrams | Behavior | Current system state transitions | View Source |
| Future State Diagrams | Behavior | Enhanced adaptive state transitions | View Source |
| Security Architecture | Security | Current security implementation | View Source |
| Future Security Architecture | Security | Security enhancement roadmap | View Source |
| Threat Model | Security | STRIDE threat analysis | View Source |
| Classification | Governance | CIA classification & BCP | View Source |
| CRA Assessment | Compliance | Cyber Resilience Act | View Source |
| Workflows | DevOps | CI/CD documentation | View Source |
| Future Workflows | DevOps | Planned CI/CD enhancements | View Source |
| Business Continuity Plan | Resilience | Recovery planning | View Source |
| Financial Security Plan | Financial | Cost & security analysis | View Source |
| End-of-Life Strategy | Lifecycle | Technology EOL planning | View Source |
| Unit Test Plan | Testing | Unit testing strategy | View Source |
| E2E Test Plan | Testing | End-to-end testing | View Source |
| Performance Testing | Performance | Performance benchmarks | View Source |
| Security Policy | Security | Vulnerability reporting & security policy | View Source |
This document provides detailed process flow diagrams showing security controls, data flows, and decision points in the EU Parliament Monitor platform.
This document aligns with Hack23's Information Security Management System (ISMS) policies and ISO 27001:2022 controls. All flowcharts demonstrate implementation of security controls required by these policies.
| ISMS Policy | ISO 27001 Control | Document Section | Description |
|---|---|---|---|
| Information Security Policy | A.5.1 | All sections | Overarching security governance framework |
| Secure Development Policy | A.8.25, A.8.28 | News Generation Security Flow, CI/CD Security Pipeline | Secure coding practices, input validation, code review |
| Access Control Policy | A.5.15, A.5.18 | MCP Client Connection Security Flow | Authentication, authorization, least privilege |
| Vulnerability Management Policy | A.8.8 | Vulnerability Management Workflow | Vulnerability scanning, remediation, patch management |
| Incident Response Policy | A.5.24, A.5.25, A.5.26 | Incident Response Flow | Detection, response, recovery, post-incident review |
| Change Management Policy | A.8.32 | CI/CD Security Pipeline, Release Workflow | Controlled deployments, testing, approval gates |
| Cryptography Policy | A.8.24 | Content Delivery Security Flow, Deployment Security Flow | TLS 1.3, HTTPS-only, cryptographic signatures |
## News Generation Security Flow

The end-to-end agentic news generation flow spans the gh-aw runtime, the Stage A-E protocol, AI-First 2-pass analysis, the Stage-C completeness gate, and safe-output PR creation. All 9 news workflows share this spine: the 8 article-generating workflows (news-breaking, news-week-in-review, news-month-in-review, news-week-ahead, news-month-ahead, news-committee-reports, news-motions, news-propositions) plus the manual news-translate helper.
```mermaid
flowchart TD
    Start["Schedule / workflow_dispatch\nnews-{breaking,weekly,monthly,\nweek-ahead,month-ahead,\ncommittee-reports,motions,propositions}"] --> Sandbox["Sandboxed Docker runner\nubuntu-latest 2-core\n120-min hard timeout\n(executes pre-compiled .lock.yml)"]
    Sandbox --> MCPSetup["scripts/mcp-setup.sh\nEP_MCP_GATEWAY_URL=\nhttp://host.docker.internal:80\n/mcp/european-parliament"]
    MCPSetup --> Firewall["AWF Squid firewall\nAllowlist-only egress"]
    Firewall --> FetchStage["fetch-stage\nEP MCP 1.2.13 + WB MCP 1.0.1 + IMF REST"]
    FetchStage --> EPAvail{"EP available?"}
    EPAvail -->|"status:unavailable"| MCPRetry["mcp-retry.ts\nExponential backoff"]
    MCPRetry -->|Max retries| DegradeFetch["⚠️ Continue with cached evidence"]
    MCPRetry -->|Recovered| FetchStage
    EPAvail -->|"✅ items"| EconomicGate{"OR-gate: WB OR IMF?"}
    DegradeFetch --> EconomicGate
    EconomicGate -->|Either OK| Transform["Stage A: Normalise feeds\nUnavailable-envelope handling"]
    EconomicGate -->|Both fail| AbortEcon["❌ Stage-C completeness fail\n(no economic context)\nAbort PR"]
    Transform --> Analysis["Stage B: Analysis\nAI-First 2-pass"]
    Analysis --> Pass1["Pass 1 (~60% budget)\nInitial artifact authoring"]
    Pass1 --> Pass2["Pass 2 (~40% budget)\nRead-back + improve\n≥80w/SWOT, ≥150w/stakeholder,\n≥60% prose, ≥1 Chart.js"]
    Pass2 --> Intel["Emit Stage-B artifacts\nintelligence/ + classification/\n+ risk-scoring/ + threat-assessment/\n(see analysis/templates/)"]
    Intel --> Generate["Stage D: Aggregator render\nsrc/aggregator/article-generator.ts\nDeterministic Markdown → 14-lang HTML"]
    Generate --> Output["Stage D: write outputs\nnews/<slug>(-<lang>).{md,html}\n+ Chart.js + JSON-LD + hreflang"]
    Output --> Validator["✅ Stage C: editorial completeness\nreview against 03-analysis-completeness-gate.md"]
    Validator --> LeakScan{"Fallback-leak scan\n(agent-side, see prompts/03)"}
    LeakScan -->|"❌ Leak detected"| AbortLeak["❌ Abort PR\n[AI_ANALYSIS_REQUIRED] markers present"]
    LeakScan -->|"✅ Clean"| ThresholdCheck{"Per-artifact line floors\n(reference-quality-thresholds.json)"}
    ThresholdCheck -->|"❌ Below"| AbortThresh["❌ Abort PR\nInsufficient depth"]
    ThresholdCheck -->|"✅ Pass"| SafeOutput["Stage E: safe-outputs create-pull-request\nmax-patch-size: 1024 KB (default)\n(news-translate.md: 10240 KB)"]
    SafeOutput --> PR["PR for human review"]
    PR --> Merge["✅ Merge to main"]
    AbortEcon --> End["Workflow failed"]
    AbortLeak --> End
    AbortThresh --> End
    Merge --> Deploy["See Deployment Flow"]
    classDef startNode fill:#4CAF50,stroke:#2E7D32,stroke-width:2px,color:#000000
    classDef compileNode fill:#F48FB1,stroke:#AD1457,stroke-width:2px,color:#000000
    classDef sandboxNode fill:#CE93D8,stroke:#6A1B9A,stroke-width:2px,color:#000000
    classDef checkNode fill:#FFE082,stroke:#F57C00,stroke-width:2px,color:#000000
    classDef analyzeNode fill:#90CAF9,stroke:#1565C0,stroke-width:2px,color:#000000
    classDef errorNode fill:#EF9A9A,stroke:#D32F2F,stroke-width:2px,color:#000000
    classDef validateNode fill:#A5D6A7,stroke:#2E7D32,stroke-width:2px,color:#000000
    classDef outputNode fill:#81C784,stroke:#2E7D32,stroke-width:2px,color:#000000
    class Start startNode
    class Sandbox compileNode
    class MCPSetup,Firewall sandboxNode
    class EPAvail,EconomicGate,LeakScan,ThresholdCheck checkNode
    class Pass1,Pass2,Intel,Generate analyzeNode
    class AbortEcon,AbortLeak,AbortThresh,End errorNode
    class Validator,Output validateNode
    class SafeOutput,PR,Merge,Deploy outputNode
```
Note: gh-aw compile is out-of-band. The `.lock.yml` artifacts executed above are pre-compiled and committed to the repository. Compilation (`gh aw compile --validate`, pinned to `GH_AW_VERSION: v0.69.0`) runs in the separate `.github/workflows/compile-agentic-workflows.yml` workflow (manual `workflow_dispatch` only) and is not part of any scheduled news-generation run. Scheduled news workflows invoke only the already-committed lock files; agent-authored `.md` edits require a dedicated compile PR before they take effect.
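The three abort paths of the Stage-C gate in the flow above (the WB/IMF OR-gate, the fallback-leak scan and the per-artifact line floors), written out as an added TypeScript example; this is not code from the repository. It assumes artifact paths begin with their Stage-B directory name and that the floors are a simple prefix-to-minimum-lines map, a stand-in for the real `reference-quality-thresholds.json` layout; the sample artifacts are constructed.

```typescript
// Added example, not code from the repository: the Stage-C abort checks from
// the flow above (economic OR-gate, fallback-leak scan, per-artifact line
// floors) as pure functions over in-memory artifacts.
// Assumed: artifact paths start with their Stage-B directory name, and the
// floors are a prefix -> minimum non-blank lines map (a stand-in for the real
// reference-quality-thresholds.json layout, which is not reproduced here).

interface Artifact {
  path: string; // e.g. "intelligence/<slug>.md"
  body: string;
}

type FeedStatus = "ok" | "unavailable";

interface GateResult {
  pass: boolean;
  failures: string[]; // one entry per reason; empty when the PR may be created
}

// Marker the agent leaves in place of analysis it could not produce.
const LEAK_MARKER = "[AI_ANALYSIS_REQUIRED]";

// Fallback-leak scan: any surviving marker means a placeholder would ship.
function scanForFallbackLeaks(artifacts: Artifact[]): string[] {
  const hits: string[] = [];
  for (const artifact of artifacts) {
    artifact.body.split("\n").forEach((line, index) => {
      if (line.includes(LEAK_MARKER)) hits.push(`leak: ${artifact.path}:${index + 1}`);
    });
  }
  return hits;
}

// Per-artifact line floors: count non-blank lines against the floor configured
// for the artifact's directory prefix; artifacts without a floor are skipped.
function checkLineFloors(artifacts: Artifact[], floors: Record<string, number>): string[] {
  const failures: string[] = [];
  for (const artifact of artifacts) {
    const prefix = Object.keys(floors).find((p) => artifact.path.startsWith(p));
    if (prefix === undefined) continue;
    const lines = artifact.body.split("\n").filter((l) => l.trim().length > 0).length;
    if (lines < floors[prefix]) {
      failures.push(`floor: ${artifact.path} has ${lines} non-blank line(s), minimum ${floors[prefix]}`);
    }
  }
  return failures;
}

// OR-gate: at least one economic-context feed (World Bank or IMF) delivered.
function economicContextAvailable(wb: FeedStatus, imf: FeedStatus): boolean {
  return wb === "ok" || imf === "ok";
}

// Every check runs so the abort message lists all reasons at once.
function stageCGate(
  artifacts: Artifact[],
  floors: Record<string, number>,
  wb: FeedStatus,
  imf: FeedStatus,
): GateResult {
  const failures: string[] = [];
  if (!economicContextAvailable(wb, imf)) failures.push("economic-context: WB and IMF both unavailable");
  failures.push(...scanForFallbackLeaks(artifacts));
  failures.push(...checkLineFloors(artifacts, floors));
  return { pass: failures.length === 0, failures };
}

// Constructed sample artifacts: the risk-scoring one still carries the marker.
const SAMPLE_ARTIFACTS: Artifact[] = [
  {
    path: "intelligence/plenary-week-17.md",
    body: "# Plenary week 17\n\nCommittee activity rose.\nThree motions were tabled.\nThe budget vote is scheduled.\n",
  },
  {
    path: "risk-scoring/plenary-week-17.md",
    body: "# Risk scoring\n[AI_ANALYSIS_REQUIRED] not yet analysed\n",
  },
];
const SAMPLE_FLOORS: Record<string, number> = { "intelligence/": 3, "risk-scoring/": 2, "threat-assessment/": 3 };

const verdict = stageCGate(SAMPLE_ARTIFACTS, SAMPLE_FLOORS, "ok", "unavailable");
console.log(verdict.pass ? "Stage C passed: create PR" : `Stage C failed, abort PR:\n  ${verdict.failures.join("\n  ")}`);
```

The gate deliberately collects every failure rather than stopping at the first, so a single abort log tells the reviewer whether the run lacked economic context, leaked placeholders, or fell short on depth.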
Workflow & Aggregator References:

- `.md` sources: `.github/workflows/news-*.md`
- Compiled lock files: `.github/workflows/news-*.lock.yml`
- Aggregator entry point: `src/aggregator/article-generator.ts`
- Aggregator modules: `src/aggregator/{analysis-aggregator,artifact-order,clean-artifact,markdown-renderer,article-html,article-metadata}.ts`
- `analysis/methodologies/` (17 methodologies)
- `analysis/methodologies/reference-quality-thresholds.json`
- `.github/prompts/03-analysis-completeness-gate.md`

## Multi-language Fan-out (news-translate)

The news-translate workflow fans one EN source out to 13 non-EN languages (sv da no fi de fr es nl ar he ja ko zh) with an elevated max-patch-size of 10240 KB to accommodate the multi-language PR diff.
```mermaid
flowchart LR
    Trigger["news-translate trigger\nafter EN article PR merged"] --> PreGate["Pre-translation gate\nvalidate-analysis-completeness.js\nScans ALL EN sources"]
    PreGate -->|"❌ Any EN source fails"| Abort["Abort fan-out"]
    PreGate -->|"✅ All EN pass"| Fanout{"Per-language fan-out\n13 targets"}
    Fanout --> SV[sv]
    Fanout --> DA[da]
    Fanout --> NO[no]
    Fanout --> FI[fi]
    Fanout --> DE[de]
    Fanout --> FR[fr]
    Fanout --> ES[es]
    Fanout --> NL[nl]
    Fanout --> AR["ar (RTL)"]
    Fanout --> HE["he (RTL)"]
    Fanout --> JA[ja]
    Fanout --> KO[ko]
    Fanout --> ZH[zh]
    SV & DA & NO & FI & DE & FR & ES & NL & AR & HE & JA & KO & ZH --> Validate["✅ axe-core + HTMLHint\nper language"]
    Validate --> Commit["Commit per-language HTML\nbuildSiteFooter() localized"]
    Commit --> PR["safe-outputs create-pull-request\nmax-patch-size: 10240 KB"]
    PR --> Reconciler["news-translate-reconciler.yml\nCleanup + consolidation"]
    Reconciler --> Done["✅ Multi-language PR ready"]
    style Trigger fill:#4CAF50,stroke:#2E7D32
    style PreGate fill:#90CAF9,stroke:#1565C0
    style Fanout fill:#FFE082,stroke:#F57C00
    style Validate fill:#A5D6A7,stroke:#2E7D32
    style PR fill:#81C784,stroke:#2E7D32
    style Abort fill:#EF9A9A,stroke:#D32F2F
```
## Deployment Security Flow

Post-merge, deploy-s3.yml uses GitHub OIDC to assume an AWS role (no long-lived keys) and syncs to S3 with CloudFront invalidation.
```mermaid
flowchart TD
    Merge["Merge to main"] --> Trigger["deploy-s3.yml triggered"]
    Trigger --> Prebuild["npm run prebuild\n→ generate-news-indexes\n→ generate-sitemap"]
    Prebuild --> Build["npm run build (tsc)\nTypeScript 6.0.3 compilation"]
    Build --> OIDC["GitHub OIDC → AWS STS\nAssume S3 deploy role"]
    OIDC --> Sync["aws s3 sync\nUpload changed files only\nVersioned bucket"]
    Sync --> Invalidate["aws cloudfront create-invalidation\nOnly changed paths\n(minimize billable requests)"]
    Invalidate --> Health["Health check\nHTTPS + 14-language spot-check"]
    Health -->|"✅ Healthy"| Complete["✅ Deployment complete\neuparliamentmonitor.com live"]
    Health -->|"❌ Failed"| Fallback["GitHub Pages fallback\nper runbooks/github-pages-failover.md"]
    Fallback --> Alert["Incident created"]
    style Merge fill:#4CAF50,stroke:#2E7D32
    style OIDC fill:#FFE082,stroke:#F57C00
    style Sync fill:#90CAF9,stroke:#1565C0
    style Invalidate fill:#90CAF9,stroke:#1565C0
    style Complete fill:#81C784,stroke:#2E7D32
    style Fallback fill:#FF9800,stroke:#F57C00
```
## Release Workflow

```mermaid
flowchart LR
    Tag["git tag v0.8.x"] --> Release["release.yml"]
    Release --> Semantic["semantic-release\nChangelog + version bump"]
    Semantic --> Build["npm run build"]
    Build --> SBOM["SPDX SBOM"]
    SBOM --> Attest["SLSA Level 3 attestation\nGitHub Attestations API"]
    Attest --> Sign["Sigstore signing"]
    Sign --> Publish["npm publish --provenance"]
    Publish --> Verify["✅ gh attestation verify"]
    Verify --> Done["✅ Published with provenance"]
    style Tag fill:#4CAF50,stroke:#2E7D32
    style Attest fill:#F48FB1,stroke:#AD1457
    style Sign fill:#F48FB1,stroke:#AD1457
    style Publish fill:#81C784,stroke:#2E7D32
    style Done fill:#81C784,stroke:#2E7D32
```
## Legacy News Generation Flow (superseded)

Preserved for reference. The legacy path below was superseded by the agentic flow above in platform v0.8.x and is kept to document the historical control genealogy.
```mermaid
flowchart TD
    Start["GitHub Actions Trigger\nSchedule: 06:00 UTC\nManual: workflow_dispatch"] --> CheckMCP{"MCP Server\nAvailable?"}
    CheckMCP -->|"✅ Yes"| ConnectMCP["Connect to EP MCP Server\nstdio/localhost"]
    CheckMCP -->|"❌ No"| Fallback["⚠️ Use Placeholder Content\nLog Error"]
    ConnectMCP --> RetryCheck{"Connection\nSuccessful?"}
    RetryCheck -->|"❌ No"| RetryCount{"Retry less than 3?"}
    RetryCount -->|"✅ Yes"| BackoffWait["Wait 30s\nBetween Retries"]
    BackoffWait --> ConnectMCP
    RetryCount -->|"❌ No"| Fallback
    RetryCheck -->|"✅ Yes"| FetchData["Fetch Parliamentary Data\nPlenary Sessions\nCommittee Meetings\nDocuments, Voting Records"]
    FetchData --> ValidateSchema{"✅ Validate\nJSON Schema?"}
    ValidateSchema -->|"❌ Invalid"| LogError1["Log Validation Error"] --> Fallback
    ValidateSchema -->|"✅ Valid"| SanitizeHTML["Sanitize HTML"]
    Fallback --> AgentContext
    SanitizeHTML --> AgentContext["Copilot/LLM Agent\n5 legacy article types"]
    AgentContext --> GenerateEN["Generate English Content"]
    GenerateEN --> Translate["Translate to 13 languages"]
    Translate --> GenHTML["Generate Article HTML"]
    GenHTML --> CommitPR["Commit and Create PR"]
    CommitPR --> MergePR["Merge PR"]
    MergePR --> DeployPages["Deploy to GitHub Pages"]
    DeployPages --> Complete["✅ Generation Complete"]
```
## Input Validation and Sanitization Layers

```mermaid
flowchart TD
    Input["External Input\nEuropean Parliament API\nUntrusted Data"] --> Layer1{"Layer 1\nSchema Validation"}
    Layer1 -->|"❌ Invalid Structure"| Reject1["❌ Reject Input\nLog: Invalid JSON\nUse Fallback"]
    Layer1 -->|"✅ Valid Structure"| Layer2{"Layer 2\nType Validation"}
    Layer2 -->|"❌ Wrong Types"| Reject2["❌ Reject Input\nLog: Type Mismatch\nUse Fallback"]
    Layer2 -->|"✅ Correct Types"| Layer3{"Layer 3\nRange Validation"}
    Layer3 -->|"❌ Out of Bounds"| Reject3["❌ Reject Input\nLog: Range Error\nUse Fallback"]
    Layer3 -->|"✅ Within Bounds"| Layer4{"Layer 4\nContent Sanitization"}
    Layer4 --> StripScript["Strip Script Tags\nRemove script, iframe, object"]
    StripScript --> RemoveEvents["Remove Event Handlers\nRemove onclick, onerror, onload"]
    RemoveEvents --> ValidateURLs["Validate URLs\nCheck Protocol\nSanitize Path"]
    ValidateURLs --> Layer5{"Layer 5\nHTML Encoding"}
    Layer5 --> EncodeSpecial["Encode Special Characters\nHTML Entity Encoding"]
    EncodeSpecial --> Layer6{"Layer 6\nCSP Compliance"}
    Layer6 --> CheckCSP["✅ Check CSP Headers\nNo Inline Scripts\nNo Eval\nNo External Scripts"]
    CheckCSP -->|"❌ Violation"| Reject4["❌ Block Content\nLog: CSP Violation\nReturn Error"]
    CheckCSP -->|"✅ Compliant"| SafeOutput["✅ Safe Output\nValidated\nSanitized\nEncoded"]
    Reject1 --> FallbackContent["⚠️ Fallback Content\nPlaceholder Articles\nSafe Default"]
    Reject2 --> FallbackContent
    Reject3 --> FallbackContent
    Reject4 --> FallbackContent
    SafeOutput --> DeliverContent["Deliver to Template\nGenerate HTML\nServe to Users"]
    FallbackContent --> DeliverContent
    classDef inputNode fill:#FFE082,stroke:#F57C00,stroke-width:2px,color:#000000
    classDef layerNode fill:#90CAF9,stroke:#1565C0,stroke-width:2px,color:#000000
    classDef sanitizeNode fill:#A5D6A7,stroke:#2E7D32,stroke-width:2px,color:#000000
    classDef rejectNode fill:#EF9A9A,stroke:#D32F2F,stroke-width:2px,color:#000000
    classDef successNode fill:#81C784,stroke:#2E7D32,stroke-width:2px,color:#000000
    classDef fallbackNode fill:#FFF9C4,stroke:#FFA000,stroke-width:2px,color:#000000
    class Input inputNode
    class Layer1,Layer2,Layer3,Layer4,Layer5,Layer6 layerNode
    class StripScript,RemoveEvents,ValidateURLs,EncodeSpecial,CheckCSP sanitizeNode
    class Reject1,Reject2,Reject3,Reject4 rejectNode
    class SafeOutput,DeliverContent successNode
    class FallbackContent fallbackNode
```
## CI/CD Security Pipeline

```mermaid
flowchart TD
    Trigger["Git Event<br/>Push to PR<br/>Merge to Main"] --> Checkout["Checkout Code<br/>SHA-Pinned Action<br/>actions/checkout@v4"]
    Checkout --> SetupNode["Setup Node.js 25<br/>SHA-Pinned Action<br/>actions/setup-node@v6"]
    SetupNode --> InstallDeps["Install Dependencies<br/>npm ci<br/>Reproducible Build<br/>package-lock.json"]
    InstallDeps --> SecurityAudit{"npm audit<br/>Vulnerabilities?"}
    SecurityAudit -->|"❌ Moderate+"| AuditFail["❌ Security Audit Failed<br/>Block PR Merge<br/>Create Issue"]
    SecurityAudit -->|"✅ None/Low"| Lint["ESLint<br/>Security Rules<br/>Code Quality<br/>Complexity Check"]
    Lint -->|"❌ Errors"| LintFail["❌ Lint Failed<br/>Block PR Merge<br/>Show Errors"]
    Lint -->|"✅ Pass"| Format["Prettier Check<br/>Code Formatting<br/>Consistency"]
    Format -->|"❌ Not Formatted"| FormatFail["❌ Format Failed<br/>Run: npm run format<br/>Commit Changes"]
    Format -->|"✅ Formatted"| HTMLHint["HTMLHint<br/>HTML Validation<br/>Standards Compliance"]
    HTMLHint -->|"❌ Errors"| HTMLFail["❌ HTML Failed<br/>Fix Issues<br/>Re-validate"]
    HTMLHint -->|"✅ Pass"| UnitTests["Unit Tests<br/>87 Tests<br/>Vitest"]
    UnitTests -->|"❌ Fail"| TestFail["❌ Tests Failed<br/>Block PR Merge<br/>Debug Failures"]
    UnitTests -->|"✅ Pass"| IntegrationTests["Integration Tests<br/>82 Tests<br/>MCP Client Tests"]
    IntegrationTests -->|"❌ Fail"| TestFail
    IntegrationTests -->|"✅ Pass"| Coverage{"Code Coverage<br/>> 80% Lines?<br/>> 75% Branches?"}
    Coverage -->|"❌ Below Threshold"| CoverageFail["❌ Coverage Failed<br/>Add Tests<br/>Meet Threshold"]
    Coverage -->|"✅ Above Threshold"| CodeQL["CodeQL SAST<br/>Security Analysis<br/>Vulnerability Detection"]
    CodeQL -->|"❌ Findings"| CodeQLFail["❌ CodeQL Failed<br/>Critical/High Issues<br/>Fix Vulnerabilities"]
    CodeQL -->|"✅ Clean"| BuildCheck["Build Check<br/>News Generation<br/>Index Generation<br/>Sitemap Generation"]
    BuildCheck -->|"❌ Fail"| BuildFail["❌ Build Failed<br/>Check Logs<br/>Fix Errors"]
    BuildCheck -->|"✅ Pass"| Approve["✅ All Checks Passed<br/>Ready to Merge<br/>Deploy on Merge"]
    AuditFail --> Failed["❌ Pipeline Failed"]
    LintFail --> Failed
    FormatFail --> Failed
    HTMLFail --> Failed
    TestFail --> Failed
    CoverageFail --> Failed
    CodeQLFail --> Failed
    BuildFail --> Failed
    Approve --> Success["✅ Pipeline Success"]
    style Trigger fill:#e8f5e9
    style SecurityAudit fill:#ffe1e1
    style Lint fill:#e1f5ff
    style Format fill:#e1f5ff
    style HTMLHint fill:#e1f5ff
    style UnitTests fill:#e8f5e9
    style IntegrationTests fill:#e8f5e9
    style Coverage fill:#e1f5ff
    style CodeQL fill:#ffe1e1
    style BuildCheck fill:#e8f5e9
    style Approve fill:#d4edda
    style Success fill:#d4edda
    style Failed fill:#ffe1e1
    style AuditFail fill:#ffe1e1
    style LintFail fill:#ffe1e1
    style TestFail fill:#ffe1e1
    style CodeQLFail fill:#ffe1e1
```
## MCP Client Connection Security Flow

```mermaid
flowchart TD
    Start["Initialize MCP Client<br/>Connection Parameters<br/>Retry Config"] --> CheckEnv{"Check Environment<br/>USE_EP_MCP?"}
    CheckEnv -->|"❌ Disabled"| DisabledMode["⚠️ MCP Disabled<br/>Skip Connection<br/>Use Fallback"]
    CheckEnv -->|"✅ Enabled"| AttemptCount{"Attempt Count<br/>< Max Attempts?"}
    AttemptCount -->|"❌ Exceeded"| MaxRetries["❌ Max Retries Reached<br/>Log Error<br/>Use Fallback"]
    AttemptCount -->|"✅ Within Limit"| SpawnProcess["Spawn MCP Process<br/>npx european-parliament-mcp-server<br/>stdio: pipe"]
    SpawnProcess --> WaitConnection["Wait for Ready<br/>Startup Delay: 500ms<br/>Monitor stderr"]
    WaitConnection --> ConnectionCheck{"✅ Connection<br/>Established?"}
    ConnectionCheck -->|"❌ Timeout"| IncrementRetry["Increment Counter<br/>Calculate Backoff<br/>2^n seconds"]
    IncrementRetry --> BackoffWait["Exponential Backoff<br/>1s → 2s → 4s"]
    BackoffWait --> AttemptCount
    ConnectionCheck -->|"❌ Process Error"| ProcessError["❌ Process Failed<br/>Log stderr<br/>Kill Process"]
    ProcessError --> IncrementRetry
    ConnectionCheck -->|"✅ Connected"| SendHandshake["Send Initialize Request<br/>JSON-RPC 2.0<br/>List Available Tools"]
    SendHandshake --> HandshakeCheck{"✅ Initialize<br/>Valid?"}
    HandshakeCheck -->|"❌ Invalid"| HandshakeFail["❌ Initialize Failed<br/>Protocol Mismatch<br/>Close Connection"]
    HandshakeFail --> IncrementRetry
    HandshakeCheck -->|"✅ Valid"| Authenticated["✅ Connection Ready<br/>Reset Retry Counter<br/>Log Success"]
    Authenticated --> RequestLoop["Request Loop<br/>Send Requests<br/>60s Timeout Per Request"]
    RequestLoop --> ValidateResponse{"✅ Validate<br/>Response?"}
    ValidateResponse -->|"❌ Invalid"| ResponseError["❌ Invalid Response<br/>Log Error<br/>Retry Request"]
    ResponseError --> RetryRequest{"Retry < 3?"}
    RetryRequest -->|"✅ Yes"| RequestLoop
    RetryRequest -->|"❌ No"| UseCached["⚠️ Use Cached Data<br/>Or Fallback"]
    ValidateResponse -->|"✅ Valid"| ProcessData["✅ Process Data<br/>Parse Response<br/>Extract Fields"]
    DisabledMode --> End["Complete"]
    MaxRetries --> End
    UseCached --> End
    ProcessData --> End
    style Start fill:#e8f5e9
    style CheckEnv fill:#fff4e1
    style AttemptCount fill:#e1f5ff
    style SpawnProcess fill:#e8f5e9
    style ConnectionCheck fill:#e1f5ff
    style HandshakeCheck fill:#e1f5ff
    style ValidateResponse fill:#e1f5ff
    style Authenticated fill:#d4edda
    style ProcessData fill:#d4edda
    style DisabledMode fill:#fff3cd
    style MaxRetries fill:#ffe1e1
    style ProcessError fill:#ffe1e1
    style HandshakeFail fill:#ffe1e1
    style ResponseError fill:#ffe1e1
    style End fill:#d4edda
```
## Content Delivery Security Flow

```mermaid
flowchart LR
    subgraph "User Browser"
        User["User<br/>Browser Request"]
    end
    subgraph "GitHub Pages"
        CDN["GitHub CDN<br/>TLS 1.3<br/>HTTPS Only"]
        CACHE["Edge Cache<br/>Static Content<br/>Immutable"]
    end
    subgraph "Security Headers"
        HSTS["HSTS<br/>max-age=31536000<br/>Force HTTPS"]
        CSP["CSP<br/>default-src 'self'<br/>No Inline Scripts"]
        XCTO["X-Content-Type-Options<br/>nosniff"]
        XFO["X-Frame-Options<br/>DENY"]
    end
    subgraph "Static Content"
        HTML["HTML<br/>Validated<br/>Sanitized"]
        CSS["CSS<br/>Inline Styles<br/>No External"]
    end
    subgraph "Monitoring"
        LOGS["Access Logs<br/>GitHub Analytics"]
        METRICS["Metrics<br/>Requests<br/>Response Time"]
    end
    User -->|HTTPS Request| CDN
    CDN -->|Check Cache| CACHE
    CACHE -->|Hit| Return
    CACHE -->|Miss| Fetch
    Fetch["Fetch from Origin"] --> HTML
    HTML --> CSS
    CSS --> Apply_Headers
    Apply_Headers["Apply Security Headers"] --> HSTS
    Apply_Headers --> CSP
    Apply_Headers --> XCTO
    Apply_Headers --> XFO
    HSTS --> Return["Return to User"]
    CSP --> Return
    XCTO --> Return
    XFO --> Return
    CDN --> LOGS
    Return --> METRICS
    Return --> User
    style User fill:#e1f5ff
    style CDN fill:#f0f0f0
    style CACHE fill:#e8f5e9
    style HSTS fill:#ffe1e1
    style CSP fill:#ffe1e1
    style XCTO fill:#ffe1e1
    style XFO fill:#ffe1e1
    style HTML fill:#e8f5e9
    style CSS fill:#e8f5e9
    style Return fill:#d4edda
```
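A response-header policy check for the four controls in the diagram (HSTS, CSP, nosniff and frame denial), as an added TypeScript example rather than the site's own configuration. The one-year HSTS floor and the CSP rules it enforces (`default-src 'self'`, script sources limited to `'self'`, nonces and hashes) are assumptions that mirror the node labels; the two header sets are constructed.

```typescript
// Added example, not code from the repository: a response-header policy check
// for the four controls in the diagram, run over constructed header sets. The
// one-year HSTS floor and the CSP rules are assumptions that mirror the node
// labels, not the site's live configuration.

interface Finding {
  header: string;
  ok: boolean;
  detail: string;
}

type HeaderMap = Record<string, string>;

const ONE_YEAR_SECONDS = 31536000;

// Header names are case-insensitive; normalise once.
function lowerKeys(headers: HeaderMap): Record<string, string | undefined> {
  const out: Record<string, string | undefined> = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Minimal CSP parser: directive name -> source list.
function parseCsp(value: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
  }
  return directives;
}

// Script sources that do not open the door to inline or remote script.
function allowedScriptSource(src: string): boolean {
  return src === "'self'" || src === "'none'" || src.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(src);
}

function checkSecurityHeaders(raw: HeaderMap): Finding[] {
  const h = lowerKeys(raw);
  const findings: Finding[] = [];

  // HSTS: present, with max-age of at least one year as in the diagram.
  const hsts = h["strict-transport-security"];
  const maxAge = hsts === undefined ? null : /max-age=(\d+)/i.exec(hsts);
  findings.push({
    header: "Strict-Transport-Security",
    ok: maxAge !== null && Number(maxAge[1]) >= ONE_YEAR_SECONDS,
    detail: hsts ?? "missing",
  });

  // CSP: default-src 'self'; script-src (or default-src when script-src is
  // absent) must not permit inline, eval or external script.
  const csp = h["content-security-policy"];
  let cspOk = false;
  let cspDetail = csp ?? "missing";
  if (csp !== undefined) {
    const directives = parseCsp(csp);
    const defaultSrc = directives.get("default-src") ?? [];
    const scriptSrc = directives.get("script-src") ?? defaultSrc;
    const disallowed = scriptSrc.filter((s) => !allowedScriptSource(s));
    cspOk = defaultSrc.includes("'self'") && disallowed.length === 0;
    if (!cspOk) cspDetail = disallowed.length > 0 ? `disallowed script sources: ${disallowed.join(" ")}` : "default-src 'self' missing";
  }
  findings.push({ header: "Content-Security-Policy", ok: cspOk, detail: cspDetail });

  const xcto = h["x-content-type-options"];
  findings.push({ header: "X-Content-Type-Options", ok: (xcto ?? "").toLowerCase() === "nosniff", detail: xcto ?? "missing" });

  const xfo = h["x-frame-options"];
  findings.push({ header: "X-Frame-Options", ok: (xfo ?? "").toUpperCase() === "DENY", detail: xfo ?? "missing" });

  return findings;
}

function isCompliant(findings: Finding[]): boolean {
  return findings.every((f) => f.ok);
}

// Constructed responses: one matching the diagram, one with typical weaknesses.
const HARDENED_HEADERS: HeaderMap = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
};
const WEAK_HEADERS: HeaderMap = {
  "strict-transport-security": "max-age=300",
  "content-security-policy": "default-src 'self' 'unsafe-inline' https://cdn.example.com",
  "x-content-type-options": "nosniff",
};

for (const f of checkSecurityHeaders(WEAK_HEADERS)) console.log(`${f.ok ? "PASS" : "FAIL"} ${f.header}: ${f.detail}`);
```

The hardened sample keeps `'unsafe-inline'` on `style-src` only, which the inline CSS shown in the diagram requires; the check is strict about script sources and silent about styles, so adding a style-src rule is the natural next step if the site moves to external stylesheets.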
## Incident Response Flow

```mermaid
flowchart TD
    Detection["Incident Detection<br/>Security Alert<br/>Dependabot<br/>CodeQL<br/>User Report"] --> Classify{"Classify Severity<br/>CVSS Score<br/>Impact Assessment"}
    Classify -->|P0 Critical| Critical["P0: Critical<br/>Repository Compromise<br/>Malicious Content"]
    Classify -->|P1 High| High["⚠️ P1: High<br/>XSS Vulnerability<br/>Dependency Issue"]
    Classify -->|P2 Medium| Medium["P2: Medium<br/>Data Integrity<br/>Workflow Failure"]
    Classify -->|P3 Low| Low["P3: Low<br/>Documentation<br/>Non-Critical Bug"]
    Critical --> ImmediateResponse["Immediate Response<br/>Disable Workflows<br/>Revert Commits<br/>Notify Team"]
    High --> UrgentResponse["Urgent Response<br/>Create Security Advisory<br/>Block PR Merges"]
    Medium --> StandardResponse["Standard Response<br/>Create Issue<br/>Schedule Fix"]
    Low --> RoutineResponse["Routine Response<br/>Add to Backlog<br/>Next Sprint"]
    ImmediateResponse --> Contain["Containment<br/>Remove Malicious Content<br/>Isolate Compromised Code<br/>Revoke Tokens"]
    UrgentResponse --> Contain
    StandardResponse --> Contain
    RoutineResponse --> Contain
    Contain --> Investigate["Investigation<br/>Review Git Logs<br/>Check Actions Logs<br/>Analyze CodeQL Findings"]
    Investigate --> RootCause{"Root Cause<br/>Identified?"}
    RootCause -->|"❌ No"| DeepDive["Deep Analysis<br/>Forensics<br/>External Review"]
    DeepDive --> RootCause
    RootCause -->|"✅ Yes"| Remediate["Remediation<br/>Apply Patches<br/>Update Dependencies<br/>Fix Vulnerabilities"]
    Remediate --> Test["Testing<br/>Unit Tests<br/>Integration Tests<br/>Security Scans"]
    Test -->|"❌ Fail"| FixIssues["Fix Issues<br/>Debug<br/>Re-apply Fixes"]
    FixIssues --> Remediate
    Test -->|"✅ Pass"| Deploy["Deploy Fix<br/>Merge PR<br/>GitHub Actions<br/>Update Documentation"]
    Deploy --> Verify["✅ Verification<br/>Monitor Metrics<br/>Check Logs<br/>Confirm Resolution"]
    Verify -->|"❌ Not Resolved"| Escalate["Escalate<br/>Senior Review<br/>External Help"]
    Escalate --> Investigate
    Verify -->|"✅ Resolved"| Document["Documentation<br/>Incident Report<br/>Lessons Learned<br/>Update Threat Model"]
    Document --> Communicate["Communication<br/>Security Advisory<br/>CHANGELOG.md<br/>Close Issue"]
    Communicate --> PostMortem["Post-Mortem<br/>Team Review<br/>Process Improvements<br/>Update Procedures"]
    PostMortem --> Complete["✅ Incident Closed<br/>Controls Updated<br/>Metrics Recorded"]
    style Detection fill:#fff4e1
    style Critical fill:#ffe1e1
    style High fill:#fff3cd
    style Medium fill:#e1f5ff
    style Low fill:#f0f0f0
    style Contain fill:#e8f5e9
    style Remediate fill:#e8f5e9
    style Deploy fill:#e8f5e9
    style Complete fill:#d4edda
```
## Vulnerability Management Workflow

This workflow implements ISO 27001:2022 Control A.8.8 (Management of Technical Vulnerabilities) with defined severity levels and SLA-based remediation timelines.
```mermaid
flowchart TD
    Discovery["Vulnerability Discovery"] --> Source{"Discovery<br/>Source"}
    Source -->|Dependabot| DepAlert["Dependabot Alert<br/>Dependencies<br/>GitHub Security"]
    Source -->|CodeQL| CodeQLAlert["CodeQL Finding<br/>SAST Scanning<br/>Security Issue"]
    Source -->|npm audit| AuditAlert["npm audit<br/>Package Vulnerabilities<br/>CVE Database"]
    Source -->|Manual| ManualReport["Manual Report<br/>Security Researcher<br/>User Report"]
    DepAlert --> Assess
    CodeQLAlert --> Assess
    AuditAlert --> Assess
    ManualReport --> Assess
    Assess["Assessment Phase"] --> CVSSScore{"CVSS Score<br/>Calculation"}
    CVSSScore --> Exploit{"Exploitability<br/>Analysis"}
    Exploit --> Impact{"Impact<br/>Assessment"}
    Impact --> Prioritize{"Prioritization"}
    Prioritize -->|Critical 9.0-10.0| Critical["P0: Critical<br/>SLA: 24 hours<br/>Remote Code Execution<br/>Data Breach Risk"]
    Prioritize -->|High 7.0-8.9| High["⚠️ P1: High<br/>SLA: 7 days<br/>Privilege Escalation<br/>XSS/CSRF"]
    Prioritize -->|Medium 4.0-6.9| Medium["P2: Medium<br/>SLA: 30 days<br/>Information Disclosure<br/>DoS"]
    Prioritize -->|Low 0.1-3.9| Low["P3: Low<br/>SLA: 90 days<br/>Minor Issues<br/>Low Impact"]
    Critical --> EmergencyTeam["Emergency Response<br/>Notify Security Team<br/>Disable Affected Feature"]
    High --> UrgentAction["Urgent Action<br/>Create Security Advisory<br/>Block Deployments"]
    Medium --> StandardTrack["Standard Track<br/>Create Issue<br/>Schedule Sprint"]
    Low --> BacklogAdd["Backlog<br/>Log for Future<br/>Next Release"]
    EmergencyTeam --> Remediation
    UrgentAction --> Remediation
    StandardTrack --> Remediation
    BacklogAdd --> Remediation
    Remediation["Remediation Strategy"] --> Strategy{"Strategy<br/>Selection"}
    Strategy -->|Available| Patch["Apply Patch<br/>Update Dependency<br/>Upgrade Version"]
    Strategy -->|Not Available| Workaround["Implement Workaround<br/>Code Changes<br/>Configuration Update"]
    Strategy -->|Not Feasible| Mitigate["Mitigate Risk<br/>Additional Controls<br/>Monitoring"]
    Strategy -->|False Positive| Accept["✅ Accept Risk<br/>Document Rationale<br/>Security Exception"]
    Patch --> Testing
    Workaround --> Testing
    Mitigate --> Testing
    Accept --> Document
    Testing["Verification Testing"] --> UnitTest["✅ Unit Tests<br/>169 Tests Pass"]
    UnitTest --> IntegTest["Integration Tests<br/>82 Tests Pass"]
    IntegTest --> SecScan["Security Scan<br/>CodeQL Clean<br/>npm audit Clean"]
    SecScan --> TestResult{"Tests<br/>Pass?"}
    TestResult -->|"❌ Fail"| FixFailed["Fix Failed Tests<br/>Debug Issues<br/>Adjust Fix"]
    FixFailed --> Remediation
    TestResult -->|"✅ Pass"| Deploy["Deploy Fix<br/>Merge PR<br/>Production Release"]
    Deploy --> Verify["✅ Post-Deploy Verification"] --> Rescan{"Vulnerability<br/>Resolved?"}
    Rescan -->|"❌ Not Fixed"| Escalate["Escalate<br/>Senior Security Review<br/>External Consultation"]
    Escalate --> Remediation
    Rescan -->|"✅ Fixed"| Document["Documentation"]
    Document --> UpdateAdvisory["Update Security Advisory<br/>CVE Details<br/>Remediation Steps"]
    UpdateAdvisory --> UpdateCHANGELOG["Update CHANGELOG.md<br/>Security Fix Entry<br/>Version Bump"]
    UpdateCHANGELOG --> CloseIssue["Close Issue<br/>Link to Commit<br/>Verification Evidence"]
    CloseIssue --> Metrics["Update Metrics<br/>MTTR Calculation<br/>Vulnerability Stats"]
    Metrics --> Review["Post-Fix Review<br/>Lessons Learned<br/>Process Improvement"]
    Review --> Complete["✅ Vulnerability Closed<br/>Evidence Recorded<br/>Controls Updated"]
    style Discovery fill:#fff4e1
    style Critical fill:#ffe1e1
    style High fill:#fff3cd
    style Medium fill:#e1f5ff
    style Low fill:#f0f0f0
    style Patch fill:#e8f5e9
    style Testing fill:#e1f5ff
    style Deploy fill:#e8f5e9
    style Complete fill:#d4edda
    style Accept fill:#fff3cd
```
| Phase | Control | SLA | ISMS Reference |
|---|---|---|---|
| Discovery | Automated scanning (Dependabot, CodeQL, npm audit) | Continuous | ISO 27001 A.8.8 |
| Assessment | CVSS scoring, exploitability analysis | 24 hours | NIST SP 800-30 |
| Prioritization | Risk-based tiers with SLAs | By severity | ISO 27001 A.5.9 |
| Remediation | Patch/workaround/mitigate/accept | 24h-90d | ISO 27001 A.8.8 |
| Verification | Testing, scanning, deployment validation | Before close | ISO/IEC 27001:2013 A.14.2.8 |
| Documentation | Advisories, CHANGELOG, evidence | Required | ISO/IEC 27001:2013 A.12.1.1 |
| Metrics | MTTR, vulnerability stats tracking | Monthly | ISO/IEC 27001:2013 A.18.2.1 |
Mean Time to Remediate (MTTR) Targets:
## Secure Data Pipeline Flow

This flow shows the end-to-end secure data pipeline from European Parliament APIs through the MCP server to static site generation, with comprehensive security controls at each stage.
```mermaid
flowchart TD
    subgraph "European Parliament APIs"
        EPAPI["EP Official APIs\nMEPs, Sessions\nDocuments, Votes"]
    end
    subgraph "MCP Server Layer"
        MCPServer["EP MCP Server\neuropean-parliament-mcp-server\nNode.js 25"]
        MCPTransport["JSON-RPC 2.0\nstdio Transport\nProtocol v1.0"]
        MCPCache["LRU Cache\nTTL: 5 min\nMax: 500 entries"]
    end
    subgraph "Client Layer"
        MCPClient["MCP Client\nCustom JSON-RPC over stdio\nsrc/mcp/ep-mcp-client.ts"]
        SchemaVal["Planned: Schema Validation\nJSON Schema\nType Checking"]
        TypeCheck["Planned: Type Validation\nTypeScript Interfaces\nRuntime Checks"]
    end
    subgraph "Sanitization Pipeline"
        HTMLSan["Planned: HTML Sanitizer\nDOMPurify\nStrip Scripts"]
        XSSEncode["Planned: XSS Encoding\nHTML Entities"]
        URLVal["Planned: URL Validation\nHTTPS Only\nDomain Whitelist"]
        LengthCheck["Planned: Length Validation\nMax Lengths\nTruncation"]
    end
    subgraph "Content Generation"
        Template["Template Engine\n14 Languages\nHTML5"]
        CSPCheck["CSP Compliance\nJSON-LD Allowed\nNo eval"]
        HTMLVal["✅ HTML Validation\nhtmlhint\nStandards Check"]
    end
    subgraph "Output Layer"
        StaticFiles["Static HTML\nindex-LANG.html\nCSS Inline"]
        Sitemap["Sitemap.xml\nSEO Optimized\n14 Languages"]
        Deploy["GitHub Pages\nStatic Site Hosting\nGitHub Actions Deploy"]
    end
    subgraph "Error Handling"
        FallbackData["⚠️ Fallback Content\nPlaceholder Articles\nSafe Defaults"]
        ErrorLog["Error Logging\nStructured Logs\nGitHub Actions"]
    end
    EPAPI -->|HTTPS Request| MCPServer
    MCPServer --> MCPTransport
    MCPTransport --> MCPCache
    MCPCache -->|Cache Hit| ReturnCached["✅ Return Cached\nSkip API Call"]
    MCPCache -->|Cache Miss| FetchFresh["Fetch Fresh\nCall EP API"]
    ReturnCached --> MCPClient
    FetchFresh --> MCPClient
    MCPClient --> SchemaVal
    SchemaVal -->|"❌ Invalid"| ErrorLog
    SchemaVal -->|"✅ Valid"| TypeCheck
    TypeCheck -->|"❌ Invalid"| ErrorLog
    TypeCheck -->|"✅ Valid"| HTMLSan
    ErrorLog --> FallbackData
    FallbackData --> Template
    HTMLSan --> XSSEncode
    XSSEncode --> URLVal
    URLVal --> LengthCheck
    LengthCheck --> Template
    Template --> CSPCheck
    CSPCheck -->|"❌ Violation"| ErrorLog
    CSPCheck -->|"✅ Compliant"| HTMLVal
    HTMLVal -->|"❌ Invalid"| FixHTML["Auto-Fix HTML\nCorrect Issues"]
    FixHTML --> HTMLVal
    HTMLVal -->|"✅ Valid"| StaticFiles
    StaticFiles --> Sitemap
    Sitemap --> Deploy
    Deploy --> CDN["GitHub CDN\nEdge Caching\nGlobal Distribution"]
    classDef apiNode fill:#BBDEFB,stroke:#1565C0,stroke-width:2px,color:#000000
    classDef mcpNode fill:#F0F4C3,stroke:#827717,stroke-width:2px,color:#000000
    classDef clientNode fill:#C8E6C9,stroke:#2E7D32,stroke-width:2px,color:#000000
    classDef sanitizeNode fill:#FFF9C4,stroke:#FFA000,stroke-width:2px,color:#000000
    classDef errorNode fill:#FFCDD2,stroke:#D32F2F,stroke-width:2px,color:#000000
    classDef outputNode fill:#A5D6A7,stroke:#2E7D32,stroke-width:2px,color:#000000
    classDef deployNode fill:#81C784,stroke:#2E7D32,stroke-width:2px,color:#000000
    class EPAPI apiNode
    class MCPServer,MCPTransport,MCPCache mcpNode
    class MCPClient,SchemaVal,TypeCheck clientNode
    class HTMLSan,XSSEncode,URLVal,LengthCheck sanitizeNode
    class FallbackData,ErrorLog errorNode
    class Template,CSPCheck,HTMLVal,StaticFiles,Sitemap outputNode
    class Deploy,CDN deployNode
```
| Layer | Control | Purpose | Implementation |
|---|---|---|---|
| API Layer | HTTPS-only communication | Encryption in transit | TLS 1.3, HTTPS-only, HSTS via CDN/hosting config |
| MCP Server | JSON-RPC 2.0 protocol | Structured communication | Standard protocol implementation |
| Caching | LRU cache with TTL | Performance + resilience | 5 min TTL, 500 entry max |
| Schema Validation | JSON Schema enforcement (future control) | Data structure integrity | Planned: Ajv validator (strict mode), not yet implemented in codebase |
| Type Checking | Runtime type validation (future control) | Type safety beyond TypeScript | Planned: io-ts runtime checks, not yet implemented in codebase |
| HTML Sanitization | Planned: DOMPurify scrubbing (future control) | XSS prevention | Not yet in codebase; current: HTML entity encoding via template |
| XSS Encoding | HTML entity encoding (future control) | Output encoding | Planned: template-level encoding for all user-controlled data, not yet implemented in codebase |
| URL Validation | HTTPS + whitelist (future control) | Prevent malicious redirects | Planned: HTTPS-only + europarl.europa.eu allowlist for article/source URLs, not yet implemented in codebase |
| CSP Enforcement | JSON-LD inline scripts allowed; no eval() | XSS mitigation | default-src 'self'; script-src allows type=application/ld+json |
| HTML Validation | Standards compliance | Cross-browser compatibility | htmlhint, W3C validation |
| Fallback Content | Graceful degradation | Availability | Placeholder articles |
| Error Logging | Structured logging | Debugging + monitoring | GitHub Actions logs |
This workflow illustrates the full CI/CD content generation and validation pipeline for European Parliament news in 14 languages (PR/test-and-report.yml and release.yml). The scheduled daily .github/workflows/news-generation.yml job only runs the generate-and-commit subset (no HTML/SEO/a11y validation loop).
```mermaid
flowchart TD
Start["Content Generation\nCI/CD: PRs / Releases\nDaily 06:00 UTC"] --> FetchData["Fetch Source Data\nEP MCP Server\nValidated JSON"]
FetchData --> LangDetect{⚙️ Language Args &<br/>Preset Expansion}
LangDetect --> EN[🇬🇧 English<br/>index.html]
LangDetect --> SV[🇸🇪 Swedish<br/>index-sv.html]
LangDetect --> DA[🇩🇰 Danish<br/>index-da.html]
LangDetect --> NO[🇳🇴 Norwegian<br/>index-no.html]
LangDetect --> FI[🇫🇮 Finnish<br/>index-fi.html]
LangDetect --> DE[🇩🇪 German<br/>index-de.html]
LangDetect --> FR[🇫🇷 French<br/>index-fr.html]
LangDetect --> ES[🇪🇸 Spanish<br/>index-es.html]
LangDetect --> NL[🇳🇱 Dutch<br/>index-nl.html]
LangDetect --> AR[🇸🇦 Arabic<br/>index-ar.html]
LangDetect --> HE[🇮🇱 Hebrew<br/>index-he.html]
LangDetect --> JA[🇯🇵 Japanese<br/>index-ja.html]
LangDetect --> KO[🇰🇷 Korean<br/>index-ko.html]
LangDetect --> ZH[🇨🇳 Chinese<br/>index-zh.html]
EN --> ENTemplate[EN Template<br/>HTML5 Structure<br/>Semantic Tags]
SV --> SVTemplate[SV Template<br/>HTML5 Structure<br/>Semantic Tags]
DA --> DATemplate[DA Template<br/>HTML5 Structure<br/>Semantic Tags]
NO --> NOTemplate[NO Template<br/>HTML5 Structure<br/>Semantic Tags]
FI --> FITemplate[FI Template<br/>HTML5 Structure<br/>Semantic Tags]
DE --> DETemplate[DE Template<br/>HTML5 Structure<br/>Semantic Tags]
FR --> FRTemplate[FR Template<br/>HTML5 Structure<br/>Semantic Tags]
ES --> ESTemplate[ES Template<br/>HTML5 Structure<br/>Semantic Tags]
NL --> NLTemplate[NL Template<br/>HTML5 Structure<br/>Semantic Tags]
AR --> ARTemplate[AR Template<br/>HTML5 Structure<br/>RTL Support]
HE --> HETemplate[HE Template<br/>HTML5 Structure<br/>RTL Support]
JA --> JATemplate[JA Template<br/>HTML5 Structure<br/>Semantic Tags]
KO --> KOTemplate[KO Template<br/>HTML5 Structure<br/>Semantic Tags]
ZH --> ZHTemplate[ZH Template<br/>HTML5 Structure<br/>Semantic Tags]
ENTemplate --> ENSecCheck[EN Security<br/>Sanitize + Validate]
SVTemplate --> SVSecCheck[SV Security<br/>Sanitize + Validate]
DATemplate --> DASecCheck[DA Security<br/>Sanitize + Validate]
NOTemplate --> NOSecCheck[NO Security<br/>Sanitize + Validate]
FITemplate --> FISecCheck[FI Security<br/>Sanitize + Validate]
DETemplate --> DESecCheck[DE Security<br/>Sanitize + Validate]
FRTemplate --> FRSecCheck[FR Security<br/>Sanitize + Validate]
ESTemplate --> ESSecCheck[ES Security<br/>Sanitize + Validate]
NLTemplate --> NLSecCheck[NL Security<br/>Sanitize + Validate]
ARTemplate --> ARSecCheck[AR Security<br/>Sanitize + Validate]
HETemplate --> HESecCheck[HE Security<br/>Sanitize + Validate]
JATemplate --> JASecCheck[JA Security<br/>Sanitize + Validate]
KOTemplate --> KOSecCheck[KO Security<br/>Sanitize + Validate]
ZHTemplate --> ZHSecCheck[ZH Security<br/>Sanitize + Validate]
ENSecCheck --> Aggregate
SVSecCheck --> Aggregate
DASecCheck --> Aggregate
NOSecCheck --> Aggregate
FISecCheck --> Aggregate
DESecCheck --> Aggregate
FRSecCheck --> Aggregate
ESSecCheck --> Aggregate
NLSecCheck --> Aggregate
ARSecCheck --> Aggregate
HESecCheck --> Aggregate
JASecCheck --> Aggregate
KOSecCheck --> Aggregate
ZHSecCheck --> Aggregate
Aggregate[Aggregate Results<br/>14 Language Indexes<br/>Collect Metadata] --> MainIndex[Generate Main Index<br/>index.html<br/>Language Selector]
MainIndex --> Sitemap[Generate Sitemap<br/>sitemap.xml<br/>All 14 Languages]
Sitemap --> ValidateAll{✅ Validate<br/>All Files?}
ValidateAll -->|❌ Validation Errors| ShowErrors[❌ Show Errors<br/>htmlhint Output<br/>Line Numbers]
ShowErrors --> FixErrors[Auto-Fix<br/>Common Issues<br/>Re-validate]
FixErrors --> ValidateAll
ValidateAll -->|✅ All Valid| A11yCheck[♿ Accessibility Check<br/>WCAG 2.1 AA<br/>E2E Workflow Only]
A11yCheck -->|❌ A11y Issues| FixA11y[Fix A11y<br/>Add lang Attributes<br/>Alt Text]
FixA11y --> A11yCheck
A11yCheck -->|✅ Compliant| SEOCheck[SEO Validation<br/>Meta Tags<br/>hreflang Links<br/>Release Workflow Only]
SEOCheck --> Complete[✅ Generation Complete<br/>14 Languages<br/>Ready to Deploy]
style Start fill:#e3f2fd
style LangDetect fill:#fff4e1
style EN fill:#e8f5e9
style SV fill:#e8f5e9
style DA fill:#e8f5e9
style NO fill:#e8f5e9
style FI fill:#e8f5e9
style DE fill:#e8f5e9
style FR fill:#e8f5e9
style ES fill:#e8f5e9
style NL fill:#e8f5e9
style AR fill:#e8f5e9
style HE fill:#e8f5e9
style JA fill:#e8f5e9
style KO fill:#e8f5e9
style ZH fill:#e8f5e9
style ENSecCheck fill:#ffe1e1
style SVSecCheck fill:#ffe1e1
style DASecCheck fill:#ffe1e1
style NOSecCheck fill:#ffe1e1
style FISecCheck fill:#ffe1e1
style DESecCheck fill:#ffe1e1
style FRSecCheck fill:#ffe1e1
style ESSecCheck fill:#ffe1e1
style NLSecCheck fill:#ffe1e1
style ARSecCheck fill:#ffe1e1
style HESecCheck fill:#ffe1e1
style JASecCheck fill:#ffe1e1
style KOSecCheck fill:#ffe1e1
style ZHSecCheck fill:#ffe1e1
style Aggregate fill:#e1f5ff
style MainIndex fill:#c8e6c9
style Sitemap fill:#c8e6c9
style Complete fill:#d4edda
```
| Control | Applied to | Purpose | Standard |
|---|---|---|---|
| HTML Sanitization | All 14 languages | XSS prevention | OWASP ASVS 5.3 |
| HTML Entity Encoding | All 14 languages | Output encoding | OWASP ASVS 5.2 |
| HTML Validation | All 14 languages | Standards compliance | W3C HTML5 |
| Language Attributes | All 14 languages | Accessibility | WCAG 2.1 AA 3.1.1 |
| hreflang Links | All 14 languages | SEO, crawling | Google Guidelines |
| CSP Headers | All 14 languages | Script execution control | OWASP CSP |
| Character Encoding | All 14 languages | UTF-8 declaration | HTML5 Standard |
| Text Direction Handling | All 14 languages (LTR/RTL) | Ensure correct text direction rendering | HTML dir attribute / W3C HTML5 |
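The planned sanitization controls from the pipeline table (HTML entity encoding, HTTPS-only allowlisted article URLs, length truncation) together with the per-language lang and dir attributes from the table above, as an added TypeScript example that is not the project's code: the allowlist hosts, length limits and function names are assumptions, and the DOMPurify step is left out because article fields are emitted as encoded text, never as markup.

```typescript
// Added example, not project code: the planned sanitization steps as pure functions.
// Assumptions: allowlisted hosts, length limits and function names are illustrative;
// DOMPurify is omitted because article fields are rendered as text, never as markup.
const ALLOWED_HOSTS = new Set(["europarl.europa.eu", "www.europarl.europa.eu"]);
const RTL_LANGS = new Set(["ar", "he"]);
const MAX_TITLE = 200;
const MAX_SUMMARY = 500;

// Output encoding for HTML text and double-quoted attribute contexts.
export function encodeHtml(s: string): string {
  const map: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c] ?? c);
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null; // unparseable input is rejected, not repaired
  }
}

// URL validation: parseable, HTTPS only, no embedded credentials, host on the allowlist.
// Exact hostname matching rejects look-alikes such as europarl.europa.eu.example.org.
export function validateUrl(raw: string): string | null {
  const u = parseUrl(raw);
  if (u === null || u.protocol !== "https:" || u.username !== "" || u.password !== "") return null;
  return ALLOWED_HOSTS.has(u.hostname.toLowerCase()) ? u.href : null;
}

// Length validation by code point, so a surrogate pair is never split.
export function truncate(s: string, max: number): string {
  const cps = Array.from(s);
  return cps.length <= max ? s : cps.slice(0, max - 1).join("") + "\u2026";
}

export interface Article { title: string; summary: string; url: string }

// Pipeline order: truncate first, then encode, so truncation cannot cut an entity in half.
export function sanitizeArticle(a: Article): { title: string; summary: string; href: string | null } {
  return {
    title: encodeHtml(truncate(a.title, MAX_TITLE)),
    summary: encodeHtml(truncate(a.summary, MAX_SUMMARY)),
    href: validateUrl(a.url),
  };
}

// Per-language rendering with the lang and dir attributes from the control table;
// a rejected URL drops the link rather than failing the whole article.
export function renderCard(a: Article, lang: string): string {
  if (!/^[a-z]{2}$/.test(lang)) throw new Error(`unexpected language code: ${lang}`);
  const s = sanitizeArticle(a);
  const dir = RTL_LANGS.has(lang) ? "rtl" : "ltr";
  const title = s.href === null ? s.title : `<a href="${encodeHtml(s.href)}">${s.title}</a>`;
  return `<article lang="${lang}" dir="${dir}"><h2>${title}</h2><p>${s.summary}</p></article>`;
}
```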
Supported Languages:
This flow shows the secure deployment pipeline from Git commit to GitHub Pages with comprehensive security gates, SBOM generation, and SLSA attestations. Note: linting, testing, and coverage gates apply to PR merges and release workflows; the daily news-generation workflow triggers GitHub Pages deployment directly after build.
```mermaid
flowchart TD
Commit[Git Commit<br/>Developer Push<br/>Feature Branch] --> SHAVerify[SHA Verification<br/>Git Integrity Check<br/>GPG Signature]
SHAVerify --> GHActions[GitHub Actions<br/>Workflow Trigger<br/>ubuntu-latest]
GHActions --> SecGates[Security Gates<br/>PR & Release Workflows] --> Gate1{Gate 1:<br/>Linting}
Gate1 -->|❌ Fail| BlockDeploy1[Block PR / Release<br/>ESLint Errors<br/>Fix Required]
Gate1 -->|✅ Pass| Gate2{Gate 2:<br/>Unit Tests}
Gate2 -->|❌ Fail| BlockDeploy2[Block PR / Release<br/>169 Tests Failed<br/>Debug Required]
Gate2 -->|✅ Pass| Gate3{Gate 3:<br/>Integration Tests}
Gate3 -->|❌ Fail| BlockDeploy3[Block PR / Release<br/>82 Tests Failed<br/>Fix Required]
Gate3 -->|✅ Pass| Gate4{Gate 4:<br/>Security Scan}
Gate4 -->|❌ Critical/High| BlockDeploy4[Block PR / Release<br/>CodeQL Issues<br/>Vulnerability Fix]
Gate4 -->|✅ Pass| Gate5{Gate 5:<br/>Coverage}
Gate5 -->|❌ Below 80%| BlockDeploy5[Block PR / Release<br/>Coverage Too Low<br/>Add Tests]
Gate5 -->|✅ Pass| Build[Build Phase]
Build --> GenNews[Generate News<br/>14 Languages<br/>All Article Types]
GenNews --> GenIndex[Generate Indexes<br/>Language Indexes<br/>Main Index]
GenIndex --> GenSitemap[Generate Sitemap<br/>sitemap.xml<br/>SEO Optimization]
GenSitemap --> SBOM[SBOM Generation<br/>SPDX Format<br/>All Dependencies]
SBOM --> Attest1[Build Provenance<br/>SLSA Level 3<br/>GitHub Attestations]
Attest1 --> Attest2[SBOM Attestation<br/>Cryptographic Sign<br/>Sigstore]
Attest2 --> Artifacts[Collect Artifacts<br/>HTML Files<br/>CSS Files<br/>Sitemap<br/>SBOM]
Artifacts --> DeployPrep[Deployment Prep<br/>Organize Files<br/>Check Integrity]
DeployPrep --> DeployGHP[Deploy to GitHub Pages<br/>Static Files<br/>actions/deploy-pages]
DeployGHP --> GHPages[GitHub Pages Live<br/>GitHub CDN<br/>Global Distribution]
GHPages --> HealthCheck{Health Check<br/>Site Accessible?}
HealthCheck -->|❌ Failed| Rollback[Rollback<br/>Revert to Previous<br/>Restore Last Good]
Rollback --> NotifyFailure[Notify Team<br/>Deployment Failed<br/>Incident Created]
HealthCheck -->|✅ Success| Verify[✅ Verification Phase] --> CheckHTTPS{HTTPS<br/>Working?}
CheckHTTPS -->|❌ No| Rollback
CheckHTTPS -->|✅ Yes| CheckContent{Content<br/>Loads?}
CheckContent -->|❌ No| Rollback
CheckContent -->|✅ Yes| CheckLangs{All 14<br/>Languages?}
CheckLangs -->|❌ Missing| Rollback
CheckLangs -->|✅ Present| CheckSitemap{Sitemap<br/>Valid?}
CheckSitemap -->|❌ Invalid| Rollback
CheckSitemap -->|✅ Valid| UpdateMetrics[Update Metrics<br/>Deployment Time<br/>Build Duration<br/>Success Rate]
UpdateMetrics --> TagRelease[Tag Release<br/>Git Tag<br/>Version Bump<br/>Create GitHub Release]
TagRelease --> NotifySuccess[Notify Team<br/>Deployment Successful<br/>Version + URL]
NotifySuccess --> Complete[✅ Deployment Complete<br/>Live on GitHub Pages<br/>Attested + Verified]
style Commit fill:#e3f2fd
style SHAVerify fill:#ffe1e1
style Gate1 fill:#e1f5ff
style Gate2 fill:#e1f5ff
style Gate3 fill:#e1f5ff
style Gate4 fill:#ffe1e1
style Gate5 fill:#e1f5ff
style BlockDeploy1 fill:#ffcdd2
style BlockDeploy2 fill:#ffcdd2
style BlockDeploy3 fill:#ffcdd2
style BlockDeploy4 fill:#ffcdd2
style BlockDeploy5 fill:#ffcdd2
style SBOM fill:#fff9c4
style Attest1 fill:#ffe1e1
style Attest2 fill:#ffe1e1
style DeployGHP fill:#c8e6c9
style GHPages fill:#e8f5e9
style Rollback fill:#ffcdd2
style Complete fill:#d4edda
```
| Stage | Control | Purpose | Implementation |
|---|---|---|---|
| Commit | SHA verification, GPG signatures | Code integrity | Git built-in |
| Linting | ESLint security rules | Code quality, vulnerabilities | eslint-plugin-security |
| Unit Tests | 169 tests, 82%+ coverage | Functional correctness | Vitest |
| Integration Tests | 82 MCP client tests | API contract validation | Vitest + custom JSON-RPC MCP client |
| Security Scan | CodeQL SAST | Vulnerability detection | GitHub CodeQL |
| Coverage Gate | 80% lines, 75% branches | Test thoroughness | Vitest v8 provider (@vitest/coverage-v8) |
| SBOM | SPDX JSON format | Supply chain transparency | Anchore SBOM Action |
| Provenance | SLSA Level 3 | Build integrity | GitHub Attestations |
| Attestation | Cryptographic signing | Artifact authenticity | Sigstore |
| Health Check | Multi-point verification | Deployment validation | Custom checks |
| Rollback | Automated revert | Failure recovery | Git + GitHub Pages re-deploy |
| Metrics | Deployment tracking | Performance monitoring | GitHub Actions logs |
Deployment Security Requirements:
This comprehensive flow shows the automated release process with SLSA Level 3 attestations and documentation-as-code implementation.
```mermaid
flowchart TD
Start[Release Trigger<br/>Manual or Tag Push] --> Prepare[Prepare Job]
Prepare --> Lint[Run Linter<br/>ESLint Validation]
Lint --> HTMLVal[✅ Validate HTML<br/>htmlhint]
HTMLVal --> Coverage[Run Tests with Coverage<br/>169 Unit Tests<br/>82%+ Coverage]
Coverage --> CoverageCheck{Coverage<br/>Thresholds?}
CoverageCheck -->|❌ Fail| Fail1[❌ Build Failed]
CoverageCheck -->|✅ Pass| E2E[Run E2E Tests<br/>Playwright Chromium]
E2E --> E2ECheck{E2E Tests<br/>Pass?}
E2ECheck -->|❌ Fail| Fail2[❌ Build Failed]
E2ECheck -->|✅ Pass| CleanDocs[Clean Old Documentation<br/>Remove docs/api, coverage, test-results]
CleanDocs --> GenAPI[Generate API Documentation<br/>JSDoc → docs/api/<br/>52 files]
GenAPI --> CopyReports[Copy Test Reports<br/>Coverage → docs/coverage/<br/>Test Results → docs/test-results/]
CopyReports --> GenIndex[Generate Documentation Index<br/>Beautiful Hub Page<br/>docs/index.html]
GenIndex --> VerifyDocs{Verify<br/>Documentation<br/>Structure?}
VerifyDocs -->|❌ Missing Files| Fail3[❌ Build Failed]
VerifyDocs -->|✅ Complete| CommitDocs[Commit Documentation<br/>Git Auto-Commit<br/>To Main Branch]
CommitDocs --> TagVersion{Workflow<br/>Dispatch?}
TagVersion -->|✅ Yes| CreateTag[Create Version Tag<br/>npm version + git tag]
TagVersion -->|❌ No| Build[Build Job]
CreateTag --> Build
Build --> Checkout2[Checkout at Tag]
Checkout2 --> GenNews{News<br/>Directory<br/>Empty?}
GenNews -->|✅ Yes| SampleNews[Generate Sample News<br/>Week Ahead Articles]
GenNews -->|❌ No| CreateArtifact
SampleNews --> CreateArtifact[Create Release Artifacts<br/>Include docs/, playwright-report/<br/>ZIP Archive]
CreateArtifact --> GenSBOM[Generate SBOM<br/>SPDX JSON Format<br/>Anchore SBOM Action]
GenSBOM --> BuildProv[Build Provenance Attestation<br/>SLSA Level 3<br/>GitHub Attestations API]
BuildProv --> SBOMAttest[SBOM Attestation<br/>Cryptographic Signing]
SBOMAttest --> UploadArtifacts[Upload All Artifacts<br/>Build + Security Artifacts]
UploadArtifacts --> Release[Release Job]
Release --> DraftNotes[Draft Release Notes<br/>Release Drafter]
DraftNotes --> CreateRelease[Create GitHub Release<br/>Attach All Artifacts]
CreateRelease --> Verify{Verification<br/>Required?}
Verify -->|✅ Yes| VerifyCmd[Verify Attestations<br/>gh attestation verify]
Verify -->|❌ No| Complete[✅ Release Complete<br/>Documentation Published<br/>Artifacts Attested]
VerifyCmd --> Complete
style Start fill:#e3f2fd
style Prepare fill:#f0f4c3
style Lint fill:#e1f5ff
style Coverage fill:#e1f5ff
style E2E fill:#e1f5ff
style CleanDocs fill:#fff9c4
style GenAPI fill:#c8e6c9
style CopyReports fill:#c8e6c9
style GenIndex fill:#c8e6c9
style CommitDocs fill:#a5d6a7
style Build fill:#f0f4c3
style GenSBOM fill:#ffe1e1
style BuildProv fill:#ffe1e1
style SBOMAttest fill:#ffe1e1
style Release fill:#f0f4c3
style CreateRelease fill:#c5cae9
style Complete fill:#c8e6c9
style Fail1 fill:#ffcdd2
style Fail2 fill:#ffcdd2
style Fail3 fill:#ffcdd2
```
| Stage | Control | Purpose | ISMS Reference |
|---|---|---|---|
| Validation | Linter + HTML validation | Code quality, syntax errors | Quality standards |
| Testing | 169 unit tests, 82%+ coverage | Functional correctness | §3.3 Testing Requirements |
| E2E Testing | Playwright across browsers | User workflow validation | Quality assurance |
| Documentation | JSDoc, coverage, E2E reports | Evidence generation | §3.2 Architecture Documentation |
| Version Control | Git commit + tag | Audit trail, traceability | ISO 27001 A.12.1.1 |
| SBOM Generation | SPDX format, all dependencies | Supply chain transparency | §4.4 Supply Chain Security |
| Build Provenance | SLSA Level 3 attestation | Build integrity | SLSA Framework |
| SBOM Attestation | Cryptographic signing | Artifact authenticity | Non-repudiation |
| Verification | gh attestation verify | Release validation | Trust establishment |
Integrity:
Transparency:
Compliance:
Document Status: Active
Next Review: 2026-07-20
Owner: Development Team, Hack23 AB
Classification: Public
Version: 1.2