Trust & transparency

CircaOS is the substrate behind 5CEOs. This page is what we publish to prove every claim.
Modeled after trust.salesforce.com. Every claim on this page maps to data the page can prove from the running process or to a section of SECURITY.md. If we don't have data, we say so — we don't fabricate uptime percentages or past advisories.

Live numbers

Image tag
0.1.0
From COGOS_IMAGE_TAG or package.json version. Bound to a cosign signature once §3.2 finishes rolling out.
Process uptime
3 hours 20 min
Time since this revision started. Restarted on every deploy — not a historical SLA metric.
Cosign pubkey (pending)
Publication pending
/cosign.pub · verify with cosign verify --key https://cogos.5ceos.com/cosign.pub <image>
Tenant audit chain
Every customer fetches their own hash-chained usage rows and re-verifies them locally — no need to trust our copy.
API latency (p50 · p95 · p99)
no data yet
Rollup empty for the last 7 days. Numbers appear here once paid + free traffic accrues. We don't fabricate latency percentiles.

Verifiable security claims

Mirror of SECURITY.md §3. Each row is a claim plus the command an external auditor runs to check us right now. Items marked rolling out are wired in the deploy pipeline but not yet announced as enforced — SECURITY.md remains the source of truth.

Claim · Verify command
SECURITY.md §3.2 — Image signature (cosign) rolling out
Every deployed image is signed with a 5CEOS-controlled cosign key. Customers verify the running image against the public key. Tags are mutable, so when you need the check bound to what is actually serving traffic, verify the digest of the running image (cogos-api@sha256:<digest>) rather than a tag.
cosign verify \
  --key https://cogos.5ceos.com/cosign.pub \
  cogos5ceos.azurecr.io/cogos-api:vN
# Pin by digest instead of a mutable tag: cogos5ceos.azurecr.io/cogos-api@sha256:<digest>
SECURITY.md §3.3 — Response signature (HMAC) shipped
Every /v1/* response carries X-Cogos-Signature = HMAC-SHA256(per-tenant-secret, body). Tampering in transit is detectable.
curl -isX POST https://cogos.5ceos.com/v1/chat/completions \
  -H "Authorization: Bearer sk-cogos-…" \
  -d '{"model":"cogos-tier-b","messages":[{"role":"user","content":"ping"}]}'
# Re-compute HMAC client-side; recipe at /cookbook#verify-signature
SECURITY.md §3.4 — Open determinism bench shipped
The "same call in, same bytes out" claim is auditable by anyone: the bench is open source, scheduled runs are published, and any drift surfaces the same day.
git clone https://github.com/5CEOS-DRA/llm-determinism-bench
cd llm-determinism-bench && cat README.md
SECURITY.md §3.5 — Customer-key auth flow shipped
API keys are stored as sha256 hashes; plaintext is shown once at issue time and never returned again. A keys.json leak does not leak usable keys.
# In this repo:
grep -n "createHash\|sha256" src/*.js
SECURITY.md §3.6 — Admin auth flow shipped
Admin endpoints (issue / revoke / list keys, read usage) require X-Admin-Key. Rotation is one env-var change; revocation is immediate.
# Should 401:
curl -sI https://cogos.5ceos.com/admin/keys
SECURITY.md §3.7 — Stripe webhook signature shipped
POST /stripe/webhook is gated on a valid Stripe-Signature header verified against STRIPE_WEBHOOK_SECRET. Forged checkout completions cannot trigger key issuance.
# Should 400 (signature missing):
curl -si -X POST https://cogos.5ceos.com/stripe/webhook \
  -H "Content-Type: application/json" -d '{}'
SECURITY.md §3.8 — Schema-enforced output shipped
When response_format is json_schema, the decoder is grammar-constrained at the token level. Non-conforming output is physically impossible, not retried.
# See /cookbook recipe 1 — strict integer schema, prompt for a string answer, get an integer.

Recent revisions

Live revision: 0.1.0. Recent revisions are tracked via az containerapp revision list --name cogos-api --resource-group cogos-api-rg on the operator substrate; a published recent-revisions card is a future addition. We don't fabricate prior versions on this page.

Published security advisories

No published advisories. A subscription URL (RSS / JSON feed) for future advisories is TBD — until then, watch the bench repo and the SECURITY.md change log for notices.

Public hash-chain checkpoint

Every hour we snapshot every (tenant_id, app_id) chain head into a globally hash-chained checkpoint. Capture global_head now; later, request /audit/checkpoint?ts=<your_capture_ts> and compare. Because each checkpoint commits to every partition head and to the previous checkpoint, an unchanged head proves that no row covered by that checkpoint has been rewritten in between.

Last checkpoint: 2026-06-20T21:35:59.811Z
Global head (prefix): b5f4ee521d8dc317…
Partitions snapshotted: 2
Chain length: 3 checkpoints on disk

Verify yourself:

curl -s https://cogos.5ceos.com/audit/checkpoint/latest
curl -s https://cogos.5ceos.com/audit/checkpoint/verify

Continuous probes

An Azure Container App Job runs scripts/probes-unauth.sh against this domain on a daily schedule (unauthenticated, with no third-party services in the loop). The latest run will appear here after the job's first execution. Probe source: scripts/probes-unauth.sh and scripts/pentest-authed.sh in the repo.

Pentest summary

Most recent internal pentest: 2026-05-14. External pentest cadence: engagement pending. When a third-party engagement closes, a redacted summary lands here (date, scope, severity counts, fix-cadence summary) — never raw findings.

Coordinated disclosure

Report a security issue: support@5ceos.com with subject prefix [SECURITY]. Response SLA, scope, and safe-harbor terms are documented in SECURITY.md §1.