Login — Access Control

Sign in with your account

Internal controlled validation environment. Diagnostic analysis only — not official compliance certification. Access is restricted to invited audience members; sign in with the email address and password associated with your invitation.

No account yet?

Accounts are created by invitation only. If a Rule Approver has sent you an invitation email, follow the activation link in that email to set your initial password and accept the internal-use notice.

Access controls in force

• Account-based authentication — email plus password verified against a salted scrypt hash; sessions are delivered as a signed, HTTP-only, SameSite=Lax cookie.
• Rate limiting on login and password-reset routes to slow brute-force attempts.
• CSRF protection on every state-changing form (HMAC-bound double-submit cookie).
• Defensive HTTP headers (CSP, X-Frame DENY, nosniff, Referrer-Policy, Permissions-Policy, COOP/CORP) plus Cache-Control on sensitive paths.
• Disabled accounts cannot sign in; existing sessions are revoked on the next request.
• Audit trail records every authentication event.

Internal controlled validation environment · Diagnostic verdicts only · No official compliance certification · Confidential — Internal.