Security-aware workflow dashboard and API for tracking release readiness, blockers, risk signals and security-sensitive work.
Live app: https://securetaskops-workflow-platform.vercel.app/
Status: deployed product demo. It includes a working dashboard, API routes, task creation, filtering, release-readiness summary, tests, Docker support and CI. Demo data may reset when the serverless runtime refreshes.
Small teams often track tasks, incidents, blockers and release readiness across scattered notes or manual dashboards. That makes it harder to see which work is blocked, which changes are security-sensitive, and whether a release needs attention before shipping.
SecureTaskOps exposes a dashboard and Node.js API that model workflow items, score delivery/security risk, filter tasks, create new items, and summarize release readiness. The goal is to make release risk visible before work ships.
- Node.js native HTTP server
- Vercel serverless API routes
- Static dashboard UI
- JavaScript modules
- Node test runner
- Docker and Docker Compose
- GitHub Actions CI
- Browser dashboard for release signal, task queue, filters and item creation
GET /healthlocal health checkGET /api/healthdeployed health checkGET /api/taskstask list withstatus,owner, andseverityfiltersPOST /api/tasksworkflow item creation with validationGET /api/release-readinessrelease summary and status signal- Risk scoring based on severity, blocked work, due date and security-sensitive changes
- Domain and HTTP tests for validation, date boundaries, filtering, risk scoring, release readiness, response contracts and browser headers
- Dockerfile, Docker Compose,
.env.example, CI workflow, changelog and security notes
flowchart LR
Client["Dashboard / API client"] --> Routes["Node.js HTTP server or Vercel API functions"]
Routes --> Domain["Domain logic: validation, risk scoring, release summary"]
Domain --> Data["Runtime demo store seeded from sample data"]
Domain --> Tests["Node test runner"]
Main modules:
public/index.html,public/app.css, andpublic/app.jsprovide the dashboard.api/*.jsprovides Vercel serverless endpoints.src/server.jshandles local HTTP routing, JSON responses and static dashboard files.src/domain.jscontains validation, risk scoring, filtering and release summary logic.src/sample-data.jsprovides deterministic sample workflow items.test/domain.test.jscovers core logic and edge cases.test/server.test.jsexercises health, filtering, item creation, malformed JSON and static response headers over HTTP.
git clone https://github.com/Assembler-Fourier/securetaskops-workflow-platform.git
cd securetaskops-workflow-platform
npm install
npm test
npm startOpen the dashboard at:
http://localhost:3000Health check:
curl http://localhost:3000/health
curl http://localhost:3000/api/healthList high-severity tasks:
curl "http://localhost:3000/api/tasks?severity=high"Create a workflow item:
curl -X POST http://localhost:3000/api/tasks \
-H "content-type: application/json" \
-d '{"title":"Review auth callback validation","owner":"Uzair","status":"blocked","severity":"high","securitySensitive":true,"dueDate":"2026-07-06"}'Release readiness:
curl http://localhost:3000/api/release-readinessnpm run check
npm testCovered:
- Required-field validation
- Strict date-only validation and reference-clock behavior
- Risk scoring boundaries
- Blocked and security-sensitive risk reasons
- Query-style filtering
- Release-readiness summary logic
- HTTP response contracts and error handling
- Restrictive static browser headers
Not covered yet:
- Browser interaction tests in this repository; cross-project browser/API checks live in QA Automation Lab
- Persistent database integration
- Authentication and role-based authorization
docker compose up --buildThen open http://localhost:3000.
The repository includes GitHub Actions for syntax checks and tests on pushes and pull requests to main.
- Request JSON is validated before workflow items are created.
.env.exampledocuments configuration without committing secrets.- The deployed demo does not yet include authentication, authorization, rate limiting, persistent storage, or audit logging.
- Request bodies are capped at 64 KB and malformed JSON returns a bounded validation error without stack details.
- Static responses use a restrictive Content Security Policy; API responses are non-cacheable and use
nosniffand no-referrer headers. - Future production hardening should add auth, RBAC, database migrations, structured logs, rate limiting and deployment secrets management.
- Uses runtime demo data to keep setup fast and public.
- Uses Node's native HTTP server to keep domain logic visible.
- Keeps the scoring model explainable instead of pretending it is a complete compliance engine.
- Demo data may reset when the serverless instance refreshes.
- No database persistence yet.
- No user authentication yet.
- Risk scoring is a simple transparent heuristic, not a compliance model.
- Add PostgreSQL persistence and migrations.
- Add Fastify or Express route layer with schema validation.
- Add authentication and role-based access control.
- Add HTTP route tests and coverage reporting.
- Add browser smoke tests for the dashboard.
- Add audit log export and role-specific views.
This project demonstrates backend API design, a deployed dashboard, modular domain logic, validation, testable risk scoring, release-readiness modeling, Docker setup, CI workflow, security-aware thinking, and honest technical documentation.