Trustable Compliance Report
Item status guide
Each item in a Trustable Graph is scored with a number between 0 and 1. The score represents aggregated organizational confidence in a given Statement, with larger numbers corresponding to higher confidence. Scores in the report are indicated by both a numerical score and the colormap below:
1.00
0.00
The status of an item and its links also affect the score.
Unreviewed items are indicated by a cross in the status column. The score of unreviewed items is always set to zero.
Suspect links are indicated by a cross in the status column. The contribution to the score of a parent item by a suspiciously linked child is always zero, regardless of the child's own score.
Compliance for PSA_NG
| Item | Summary | Score | Score Origin | Status |
|---|---|---|---|---|
| PSA_NG-CHANGE_MANAGEMENT | All changes to psa-ng are tracked via version-controlled commits, dependency updates are managed through Cargo, and bug fixes are verified by the existing test suite before release. | 0.60 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-BUILD_RELEASE | The psa-ng project is built from source using Cargo with stable Rust, runs automated tests and clippy linting in CI, and produces release artifacts via a GitHub Actions workflow triggered by version tags. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-CONTAINER_DEPLOYMENT | The psa-ng project provides a multi-stage Dockerfile that builds the application from source using the stable Rust toolchain and a Docker Compose configuration for deployment, with a minimal runtime image, non-root execution, persistent data volume, and read-only configuration mount. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-RELEASE_COMPLETENESS | Every tagged release of psa-ng includes source code, build instructions (Cargo.toml, Dockerfile), automated test execution with pass/fail reporting, an OpenFastTrace requirements tracing report, TSF quality evidence artifacts, and a published trust report — all produced by the CI release workflow without manual intervention. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-API_AUTHENTICATION | The psa-ng project implements the OAuth2 authorization code flow for the PSA Connected Car v4 API: constructing brand-specific authorization URLs, exchanging authorization codes for access and refresh tokens, automatically refreshing expired access tokens before API calls, and persisting tokens to disk so that re-authentication is not required across restarts. | 0.80 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-API_PROTOCOL_CONFORMANCE | The psa-ng API client conforms to the PSA Connected Car v4 API protocol by registering callbacks before sending remote commands, using the documented endpoint paths and JSON payload schemas for all remote operations, sending the correct Content-Type header, and parsing structured API error responses with code, uuid, message, and timestamp fields. | 0.80 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-API_RESILIENCE | The psa-ng API client handles API rate limiting by parsing X-RateLimit and Retry-After response headers and delaying requests on HTTP 429, supports token-based pagination for collection endpoints to retrieve complete result sets, and requests appropriate OAuth2 scopes during authorization. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-ERROR_HANDLING | The psa-ng application maps PSA API errors, network failures, and invalid inputs to specific HTTP status codes (502 for upstream failures, 401 for auth errors, 500 for internal errors) and returns error messages that exclude file paths, URLs, and token values. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-VEHICLE_OPERATIONS | The psa-ng project retrieves vehicle status (battery level, charging state, odometer, position) and executes remote commands (charging control, preconditioning, door locks, lights, horn) via the PSA Connected Car v4 API, with each operation covered by unit tests that verify HTTP request construction and JSON response parsing against mock responses. | 0.80 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-DEVELOPMENT_PROCESS | The psa-ng project enforces code quality through automated CI checks (formatting via rustfmt, linting via clippy with deny-warnings, compilation checks, and cargo-deny dependency auditing) on every pull request and push to main, blocking merges that fail any check. | 0.60 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-DEPENDENCY_PROVENANCE | All third-party dependencies of psa-ng are sourced exclusively from crates.io (enforced by cargo-deny source checks), pinned to exact versions via Cargo.lock, and scanned for known CVEs by cargo-deny on every CI run with no unacknowledged critical or high-severity advisories at the time of release. | 0.60 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-API_ACCESS_CONTROL | The psa-ng project enforces optional bearer token authentication on all REST API endpoints, requiring a valid Authorization header when an API token is configured, and returning HTTP 401 for missing or invalid credentials. | 0.80 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-CREDENTIAL_SECURITY | The psa-ng project stores OAuth2 tokens in local files with Unix permission mode 0o600, never writes credential values to log output, and transmits credentials exclusively over HTTPS to the PSA identity provider and API endpoints. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-WEB_HARDENING | The psa-ng web interface applies defence-in-depth hardening: all dynamic content is HTML-escaped to prevent cross-site scripting, security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Content-Security-Policy) are set on every response, request body size is limited to 64 KB, error responses do not expose internal paths or URLs, and dependency vulnerabilities are audited in CI. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-SYSTEMATIC_TESTING | The psa-ng project validates behaviour through systematic, scheduled test execution: all unit and integration tests run on every pull request and push to main, a nightly CI workflow repeats the full test suite on a schedule to detect flaky tests and environment drift, and test coverage reports are generated on every release to confirm that exercised code paths remain stable over time. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-TEST_COVERAGE | The psa-ng CI pipeline generates an HTML test coverage report on every release build and nightly run using cargo-llvm-cov, and publishes the report as a downloadable build artifact. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-UNIT_TESTING | All PSA API client operations and web server endpoints in psa-ng have corresponding unit tests that verify correct behaviour, and these tests are executed automatically as part of the CI pipeline. | 0.80 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
| PSA_NG-WEB_INTERFACE | The psa-ng project provides a web server with JSON REST API endpoints for all vehicle operations, and an HTML dashboard that renders correctly at viewport widths from 320px to 1920px, covering vehicle status monitoring, charge management, trip display, and application settings. | 0.70 | SME with References | ✔ Item Reviewed ✔ All Children Linked |
Compliance for UPSTREAM.RUST.RUST
| Item | Summary | Score | Score Origin | Status |
|---|---|---|---|---|
| UPSTREAM.RUST.RUST-VERSION | Project is actively managing its Minimum Supported Rust Version (MSRV). | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.RUST.RUST-VERSION_SPECIFICITY | Project is declaring its dependencies at least on minor-version level specificity. Where there exists a reason, patch-level specificity is used. | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.RUST.RUST-VERSION_LOCKING | Project is locking and actively managing its dependencies, so that any change/update to dependency versions is done explicitly and with intention. | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.RUST.RUST-CVE_MANAGEMENT | Project is actively managing known/reported CVEs in its supply chain e.g. by using cargo deny. |
0.60 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.RUST.RUST-LINTER | Project is using cargo clippy, treating all warning as errors, to vet pull request and reject merging of any code that fails the linter. |
0.70 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.RUST.RUST-FORMATTER | Project is using cargo fmt to reject merging of any code that fails the standard Rust formatting rules. |
0.70 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.RUST.RUST-TEST_HARNESS | Project is using Rust test tooling and core framework runners. Any additional test harnesses and approaches are integrated with the core test setup and are run in the same (automated) manner. | 0.80 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
Compliance for UPSTREAM.TSF.TA
| Item | Summary | Score | Score Origin | Status |
|---|---|---|---|---|
| UPSTREAM.TSF.TA-ANALYSIS | Collected test and monitoring data for XYZ is analysed using verified methods to validate expected behaviours and identify new misbehaviours. | 0.00 | Missing | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TA-BEHAVIOURS | Expected or required behaviours for XYZ are identified, specified, verified and validated based on analysis. | 0.76 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-CONFIDENCE | Confidence in XYZ is measured based on results of analysis | 0.00 | Missing | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TA-CONSTRAINTS | Constraints on adaptation and deployment of XYZ are specified. | 0.73 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-DATA | Test and monitoring data from development and production are appropriately collected and retained. | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-FIXES | Known bugs or misbehaviours are analysed and triaged, and critical fixes or mitigations are implemented or applied. | 0.60 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-INDICATORS | Advance warning indicators for misbehaviours are identified, and monitoring mechanisms are specified, verified and validated based on analysis. | 0.00 | Missing | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TA-INPUTS | All inputs to XYZ are assessed, to identify potential risks and issues | 0.60 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-ITERATIONS | All constructed iterations of XYZ include source code, build and usage instructions, tests, results, and attestations. | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-METHODOLOGIES | Manual methodologies applied for XYZ by contributors, and their results, are managed according to specified objectives. | 0.60 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-MISBEHAVIOURS | Prohibited misbehaviours for XYZ are identified, and mitigations are specified, verified and validated based on analysis. | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-RELEASES | Construction of XYZ releases is fully repeatable and the results are fully reproducible, with any exceptions documented and justified. | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-SUPPLY_CHAIN | All sources for XYZ and tools are mirrored in our controlled environment | 0.00 | Missing | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TA-TESTS | All tests for XYZ, and its build and test environments, are constructed from controlled/mirrored sources and are reproducible, with any exceptions documented | 0.80 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
| UPSTREAM.TSF.TA-UPDATES | XYZ components, configurations and tools are updated under specified change and configuration management controls. | 0.00 | Missing | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TA-VALIDATION | Tests exercise both stressed and representative conditions, validating behaviour through systematic, scheduled repetition. | 0.70 | Derived from supporting Statements | ✔ Item Reviewed ⨯ All Children Linked |
Compliance for UPSTREAM.TSF.TRUSTABLE
| Item | Summary | Score | Score Origin | Status |
|---|---|---|---|---|
| UPSTREAM.TSF.TRUSTABLE-SOFTWARE | This release of XYZ is Trustable. | 0.44 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
Compliance for UPSTREAM.TSF.TT
| Item | Summary | Score | Score Origin | Status |
|---|---|---|---|---|
| UPSTREAM.TSF.TT-CHANGES | XYZ is actively maintained, with regular updates to dependencies, and changes are verified to prevent regressions. | 0.30 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TT-CONFIDENCE | Confidence in XYZ is achieved by measuring and analysing behaviour and evidence over time. | 0.30 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TT-CONSTRUCTION | Tools are provided to build XYZ from trusted sources (also provided) with full reproducibility. | 0.73 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TT-EXPECTATIONS | Documentation is provided, specifying what XYZ is expected to do, and what it must not do, and how this is verified. | 0.55 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TT-PROVENANCE | All inputs (and attestations for claims) for XYZ are provided with known provenance. | 0.30 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
| UPSTREAM.TSF.TT-RESULTS | Evidence is provided to demonstrate that XYZ does what it is supposed to do, and does not do what it must not do. | 0.47 | Derived from supporting Statements | ✔ Item Reviewed ✔ All Children Linked |
Generated for: psa-ng
- Repository root: /github/workspace
- Commit SHA: 4a1606e0a24a66031e3669f79ea6cac9ebfedd3e
- Commit date/time: 2026-04-28 15:52:26+00:00 UTC
- Commit tag: v0.0.3-0-g4a1606e