Verify
Read the code, not the brochure.
Every claim on /promises links to a file in this codebase. Each link opens the file inline here, wrapped with a short explainer in plain language for anyone who does not read code and the raw source for anyone who does.
CI script
check-demo-no-persistence.mjs
scripts/check-demo-no-persistence.mjs
Fails CI if the /demo path ever writes to durable storage — guarantees no demo invoice is kept.
check-subprocessor-freshness.mjs
scripts/check-subprocessor-freshness.mjs
Fails CI when the sub-processor list goes stale relative to its last-reviewed date.
no-llm-ci.sh
scripts/no-llm-ci.sh
Scans new dependencies for LLM, transformer, or AI packages on every pull request. Fails the build when one slips in.
privacy-ci.sh
scripts/privacy-ci.sh
The privacy-CI umbrella. Runs every privacy gate (no-LLM, sub-processor, demo-no-persistence, more) on every PR.
Test
c2-encrypt-encoding.test.ts
apps/api/tests/c2-encrypt-encoding.test.ts
Encryption-at-rest encoding tests. Each ciphertext blob must round-trip exactly.
envelope.test.ts
packages/recovery-crypto/tests/envelope.test.ts
Recovery-key envelope encryption tests. Verifies the math we promise is the math we ship.
test_golden.py
services/extract/tests/test_golden.py
The golden tests. Every invoice fixture must extract to its committed expected output; any drift fails CI.
0004_rls_cross_tenant.sql
infra/postgres/tests/0004_rls_cross_tenant.sql
Cross-tenant isolation tests run against a live database. A failure here would block every release.
Migration
0015_rls_data_plane.sql
infra/postgres/migrations/0015_rls_data_plane.sql
The Postgres row-level security migration. Each tenant only sees their own data at the database level.
0003_sessions.sql
apps/api/migrations/0003_sessions.sql
The session-storage migration. How we keep you signed in without keeping anything we shouldn't.
API route
audit.ts
apps/api/src/routes/audit.ts
The audit log route. Every change to your data leaves a record on this path.
auth.ts
apps/api/src/routes/auth.ts
The auth route — magic-link sign-in. No passwords, no SMS, no third-party identity providers.
demo-extract.ts
apps/api/src/routes/demo-extract.ts
The /v1/demo/extract API route, kept for internal tests. No persistence, no telemetry, no model training — read the code to confirm.
onboarding-demo-handoff.ts
apps/api/src/routes/onboarding-demo-handoff.ts
The demo-to-account handoff route. The only path your demo row can move to a real account is this one.
exports.ts
apps/api/src/routes/exports.ts
The data-export route. Pull everything we hold about you in machine-readable form.
identity-key.ts
apps/api/src/routes/identity-key.ts
The identity-key route. How we manage and rotate user identity keys without ever holding the private half.
Scheduled job
Source
demo/page.tsx
apps/web/app/(marketing)/demo/page.tsx
The /demo route. Renders the guided tour over hand-authored fixtures — no upload surface, no dropzone, no way for a cold visitor to send a real invoice.
preprocess.py
services/docling/preprocess.py
The OCR preprocessing step. The exact pipeline that runs on every uploaded image before reading.
Runbook
data-export-art-20.md
runbooks/data-export-art-20.md
The GDPR Article 20 data-export playbook. How a customer pulls every byte we hold on them.
demo-anonymous-retention.md
runbooks/demo-anonymous-retention.md
How long anonymous demo runs are kept and what triggers their deletion.
handoff-anonymous-flow.md
runbooks/handoff-anonymous-flow.md
How the anonymous-to-signed-in handoff flow works end to end.
incident-response.md
runbooks/incident-response.md
Our incident-response playbook. What we do, in what order, when something breaks.
r2-lifecycle.md
runbooks/r2-lifecycle.md
How object storage is configured and the lifecycle rules that delete old uploads automatically.
Document
dpa.md
docs/dpa.md
The Data Processing Addendum — the legal terms we hold ourselves to when we touch customer data.
pii-scrubber
tools/pii-scrubber/README.md
The PII scrubber tool. Strips identifying details from logs before any byte leaves the host.
sub-processors.md
docs/sub-processors.md
The list of every third party we share any data with — what data, why, and where they store it.
threat-model.md
docs/threat-model.md
The full threat model — what data exists, what could go wrong, and how each mitigation is enforced in code.
Frequently asked
What is the verify trail?
A short plain-language explainer plus the underlying source for every promise on /promises. Each page lives at /verify/[slug] and renders the file the claim is made of, with our commentary above and the raw bytes below.
Is this the live code that ships?
Yes. Each page is baked at build time from the file at the path shown near the top of the page. The canonical history lives in git; this surface is the build snapshot. If you need a specific commit, write to hello@muntin.digital.
Why an explainer instead of just the raw code?
So a non-developer can read what each file does and why it matters before deciding to dig into the source. The raw line-numbered code is still one click away on every page.