The Pipeline

Every project we build passes through seven automated quality gates. No shortcuts, no exceptions. Each gate produces evidence that ships with your project as a complete handover pack.

Infrastructure Deployment

For own-tenancy clients, the pipeline includes automated infrastructure provisioning. We deploy the complete production environment inside your cloud account before the quality gates run — so every gate tests the application as it will actually operate in production.

Standard deployments to Vercel or Cloudflare follow the same quality gates. The infrastructure step is additional for clients who need data sovereignty, compliance, or full control over their environment.

What Gets Provisioned

  • Networking (VPC, subnets, security groups)
  • Compute and container orchestration
  • Managed database with encryption at rest
  • WAF and DDoS protection
  • IAM with least-privilege policies
  • Encryption in transit (TLS everywhere)
  • Audit logging and monitoring
  • CI/CD pipeline alongside the application

Gate 1

Functional

Does it work?

Every acceptance criterion from the spec is verified. The build compiles cleanly, TypeScript types check with zero errors, linting passes, and every page defined in the spec exists in the source. Feature detection scans confirm all required functionality is present. The auto-generated Playwright E2E test suite runs against the live application.

Evidence Produced

  • Build output verification
  • TypeScript type checking
  • ESLint analysis
  • Spec compliance audit
  • E2E test results

Gate 2

Cross-Device & Cross-Browser

Does it work everywhere?

The application is loaded in Chromium, Firefox, and WebKit. Every page is tested at desktop (1280px), tablet (768px), and mobile (375px) viewports. We verify there is no horizontal overflow, touch targets meet WCAG 2.5.5 (44x44px minimum), body text is readable on mobile (16px+), and colour contrast meets WCAG AA ratios.

Evidence Produced

  • Multi-browser screenshots
  • Responsive viewport audit
  • Touch target analysis
  • Font readability check
  • Colour contrast ratios

Gate 3

Security (OWASP Top 10)

Is it safe?

A project-specific threat model is generated before any code is written. During the build, we scan for hardcoded secrets, injection vulnerabilities, access control gaps, security misconfiguration, and data exposure. Semgrep SAST and TruffleHog run against the source. Every mitigation from the threat model is verified as implemented.

Evidence Produced

  • Threat model (OWASP-mapped)
  • Secrets scan (TruffleHog)
  • Static analysis (Semgrep)
  • RLS policy verification
  • Threat mitigation audit

Gate 4

Dependency Audit

Are the dependencies safe?

Every npm package in the dependency tree is audited for known vulnerabilities. We require zero high or critical severity CVEs. The Software Bill of Materials (SBOM) in CycloneDX format documents every component, version, and licence in the project.

Evidence Produced

  • npm audit report
  • SBOM (CycloneDX JSON)
  • Vulnerability summary

Gate 5

Performance & Accessibility

Is it fast and usable by everyone?

Lighthouse runs against every public route on a mobile viewport. We verify performance scores, accessibility compliance (WCAG 2.1 AA), best practices adherence, and SEO fundamentals. The intake form must load in under 2 seconds. Keyboard navigation is tested: tab order, focus visibility, skip links, and Enter key activation.

Evidence Produced

  • Lighthouse reports (per route)
  • Performance scores
  • Accessibility audit
  • Keyboard navigation test

Gate 6

Handover Audit

Is it ready to hand over?

The project documentation is verified: .env.example with all variables documented, README with setup instructions, quality gates report, and the HANDOVER.md client checklist. Source code is scanned for debug statements (console.log). The full SBOM is generated.

Evidence Produced

  • HANDOVER.md checklist
  • .env.example verification
  • README completeness
  • Debug statement scan
  • SBOM generation

Gate 7

DAST (Dynamic Application Security Testing)

Can it be attacked?

The running application is tested dynamically. HTTP security headers are verified on live responses. Every protected route is hit without authentication to confirm proper 401/403/302 responses. An AI-powered penetration test (Shannon) runs white-box DAST with proof-of-concept exploits against the live application.

Evidence Produced

  • Runtime header audit
  • Route protection verification
  • Shannon pentest report
  • PoC exploit results
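
The runtime header audit and route-protection check described above, as an added TypeScript example that is not the pipeline's own code. The header policy, the rule that a 302 must point at a login page, the route list and the sample responses are all assumptions; the probes are gathered by the caller with one request per route carrying no cookies or Authorization header.

```typescript
// Added example, not the pipeline's own code: Gate 7 style runtime header audit and
// route-protection check. Header policy, routes and sample responses are assumptions.
// A Probe is what one unauthenticated request (no cookies, no Authorization header) returned.
type Probe = { status: number; headers: Record<string, string> };
type Finding = { route: string; check: "auth" | "header"; detail: string };
// Assumed header policy: header name -> predicate the value must satisfy.
const HEADER_POLICY: Record<string, (v: string) => boolean> = {
  "strict-transport-security": (v) => Number((/max-age=(\d+)/.exec(v) || [])[1] || 0) >= 31536000,
  "content-security-policy": (v) => v.trim().length > 0,
  "x-content-type-options": (v) => v.toLowerCase() === "nosniff",
  "x-frame-options": (v) => v.toLowerCase() === "deny" || v.toLowerCase() === "sameorigin",
};
// HTTP header names are case-insensitive, so normalise before looking them up.
function lowerKeys(h: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const k in h) out[k.toLowerCase()] = h[k];
  return out;
}
export function auditHeaders(route: string, probe: Probe): Finding[] {
  const h = lowerKeys(probe.headers);
  const out: Finding[] = [];
  for (const name in HEADER_POLICY) {
    if (!(name in h)) out.push({ route, check: "header", detail: "missing " + name });
    else if (!HEADER_POLICY[name](h[name])) out.push({ route, check: "header", detail: "weak " + name + ": " + h[name] });
  }
  // A framework banner is needless information exposure; flag it.
  if ("x-powered-by" in h) out.push({ route, check: "header", detail: "x-powered-by present" });
  return out;
}
// A protected route must reject the unauthenticated probe: 401, 403, or a 302 to the login page.
export function auditProbes(probes: Record<string, Probe>): Finding[] {
  const out: Finding[] = [];
  for (const route in probes) {
    const p = probes[route], location = lowerKeys(p.headers)["location"] || "";
    const rejected = p.status === 401 || p.status === 403 || (p.status === 302 && location.indexOf("/login") >= 0);
    if (!rejected) out.push({ route, check: "auth", detail: "unauthenticated request got " + p.status });
    for (const f of auditHeaders(route, p)) out.push(f);
  }
  return out;
}
const GOOD: Record<string, string> = { "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'", "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY" };
// Constructed sample probes standing in for a live deployment's responses.
export const SAMPLE_PROBES: Record<string, Probe> = {
  "/admin": { status: 302, headers: { ...GOOD, Location: "/login?next=/admin" } },   // correctly rejected
  "/api/users": { status: 200, headers: { ...GOOD, "X-Powered-By": "Express" } },     // served without auth, plus a banner
  "/settings": { status: 401, headers: { "X-Frame-Options": "ALLOWALL" } },           // rejected, but weak headers
};
```

Running `auditProbes(SAMPLE_PROBES)` yields one auth finding for `/api/users` and five header findings; `/admin` comes back clean.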

Ready to build with confidence?

Tell us about your project. Every submission gets the same rigorous pipeline.