Practice what we preach

Engineering quality, in public

Hyperion's own systems, audited and tracked the same way we audit yours. Numbers, not slides.

Last updated: 2026-05-02

Composite audit score

9.0/ 10

from 6.0

Score from a 20-stream internal audit covering security, observability, dependency hygiene, SEO, and CI/CD.

Audit progress by group

Auth & CSRF8/8 items shipped

SSRF & LLM hardening6/6 items shipped

VPS hardening9/12 items shipped

CI/CD & dependencies10/10 items shipped

Observability3/3 items shipped

SEO & GEO3/3 items shipped

32 of 65 admin routes validate CSRF server-side (the rest are GET-only, do not need it)
10 → 3 production CVE advisories (the 3 remaining are uuid CVSS 0, accepted risk)
Post-quantum SSH key exchange enabled (sntrup761x25519-sha512)
Mistral-only AI runtime, EU-hosted (OVH France), GDPR-resident by construction
Edge middleware admin gate + JWT pinned to HS256 + per-IP token-budget cap on chat
Pre-push hook runs full local CI gate (lint, typecheck, i18n, test, build) before push
All third-party GitHub Actions SHA-pinned, branch protection on main

We use the same classifier we offer clients. Each AI-touching surface declared.

Chat widget: minimal-risk
EU AI Act classifier: limited-risk (regulatory information tool — Article 50 transparency obligations)
Use Case Generator: minimal-risk

Last 5 changes shipped to production.

Hyperion's audits ship the same dashboard for clients — composite score, group progress, EU AI Act classification, security posture.

Current security posture

32 of 65 admin routes validate CSRF server-side (the rest are GET-only, do not need it)

10 → 3 production CVE advisories (the 3 remaining are uuid CVSS 0, accepted risk)

Post-quantum SSH key exchange enabled (sntrup761x25519-sha512)

Mistral-only AI runtime, EU-hosted (OVH France), GDPR-resident by construction

Edge middleware admin gate + JWT pinned to HS256 + per-IP token-budget cap on chat

Pre-push hook runs full local CI gate (lint, typecheck, i18n, test, build) before push

All third-party GitHub Actions SHA-pinned, branch protection on main

Recent activity

Last 5 changes shipped to production.

2df539f5chore(devx): add .vscode/extensions.json2026-05-02

005aad83sec(ai): finish B4 — RAG role-boundary fix2026-05-02

5d9870b2fix(security): server-side CSRF on 27 admin routes2026-05-02

028234c9chore(deps)/sec: F3 — bump aws-sdk + pnpm overrides2026-05-02

62756701fix(security): close CSRF gap on 4 admin clients2026-05-02