AdaptBooks
OTP Compliance Report
Disclosure: Automated source code audit performed by Claude Code against the AdaptBooks production codebase (146 API route files, 85 database tables, 4 packages). This is a first-party audit — AdaptBooks is built by Adaptensor Inc., the creator of the OTP standard.
1. Architecture Summary
AdaptBooks is a multi-tenant POS and accounting SaaS platform. The frontend is a Next.js 15 application deployed on Vercel. The API is an Express 5 server deployed on Railway. The database is Neon PostgreSQL with 85 tables managed by Prisma ORM. Authentication is delegated to Clerk (SOC 2 Type II). Payment processing is delegated to Stripe (PCI DSS Level 1). Email delivery is delegated to SendGrid. The codebase is a pnpm monorepo with 4 packages: web, api, db, and shared.
2. Score Overview
Domain Scores at a Glance
3. Domain-by-Domain Scoring
Every control in every domain is scored with evidence. Each domain's detail lists its individual control scores, the evidence relied on, delegation status, and any gap disclosures.
4. Gap Disclosures
Per OTP requirements, every control scoring below 100% must disclose the specific gap, remediation plan, and target completion date. Transparency over perfection.
No automated offboarding workflow. Deprovisioning requires manual action by tenant admin.
Plan: Implement automated access revocation triggers when user role is changed to inactive or user is removed from Clerk organization.
Target: Q3 2026
Tenant isolation relies entirely on application-layer enforcement via Prisma queries. No PostgreSQL Row Level Security (RLS) policies provide defense-in-depth at the database layer.
Plan: Implement PostgreSQL RLS policies on all tenant-scoped tables as defense-in-depth. Application-layer isolation remains primary — RLS acts as a safety net.
Target: Q3 2026
Gift card PINs stored in plaintext in the GiftCard table. No formal data classification policy document.
Plan: Hash gift card PINs with bcrypt. Create formal data classification matrix documenting all PII fields and their protection levels.
Target: Q2 2026
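An added example of the hash-on-store, verify-on-redeem pattern for gift card PINs that the disclosure above calls for; it is not AdaptBooks code. The plan names bcrypt; because bcrypt is an npm package, this example uses Node's built-in scrypt with a per-PIN random salt, which follows the same pattern (salted one-way hash written to the table, constant-time verification at redemption). The stored-string format and the cost parameter are assumptions made for the example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Added example, not AdaptBooks code. The remediation plan names bcrypt; this
// example uses Node's built-in scrypt so it runs without an npm dependency.
// Assumed stored format for the GiftCard PIN column:
//   scrypt$<cost>$<salt hex>$<hash hex>
const COST = 16384; // scrypt N parameter; assumed value

// Called when a gift card is issued: the plaintext PIN is hashed and only the
// hash string is written to the table.
export function hashPin(pin: string): string {
  if (!/^\d{4,8}$/.test(pin)) throw new Error('PIN must be 4-8 digits');
  const salt = randomBytes(16);                      // fresh salt per PIN
  const hash = scryptSync(pin, salt, 32, { N: COST });
  return `scrypt$${COST}$${salt.toString('hex')}$${hash.toString('hex')}`;
}

// Called at redemption: recompute the hash with the stored salt and compare in
// constant time. Any malformed stored value (e.g. a legacy plaintext PIN)
// fails verification rather than being compared directly.
export function verifyPin(pin: string, stored: string): boolean {
  const [alg, nStr, saltHex, hashHex] = stored.split('$');
  if (alg !== 'scrypt' || !nStr || !saltHex || !hashHex) return false;
  const cost = Number(nStr);
  if (!Number.isInteger(cost) || cost < 2) return false;
  const expected = Buffer.from(hashHex, 'hex');
  const actual = scryptSync(pin, Buffer.from(saltHex, 'hex'), expected.length, { N: cost });
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}
```

Because PINs are short, the hash mainly limits the damage of a bulk table disclosure; it does not make guessing at the redemption endpoint expensive, so per-card attempt rate limiting stays part of the control.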
Zod schema validation covers critical routes but not all 146 route files. Some routes rely on manual validation.
Plan: Expand Zod schema coverage to all remaining routes. Priority: any route accepting user input for database mutations.
Target: Q3 2026
Not all URL parameters and query strings are validated via Zod schemas before reaching route handlers.
Plan: Add validateQuery() middleware to all routes that consume req.params or req.query. Prisma type safety provides baseline protection.
Target: Q3 2026
File upload handling present but lacks documented filename sanitization and path traversal prevention verification.
Plan: Add explicit filename sanitization utility and document file upload security controls. Add automated tests for path traversal attempts.
Target: Q3 2026
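An added example (not AdaptBooks code) of the filename sanitization utility and path traversal check that the plan above describes, with the traversal inputs the planned automated tests would cover. UPLOAD_ROOT, sanitizeFilename and resolveUploadPath are names chosen for this example, and the upload root location is assumed.

```typescript
import * as path from 'node:path';

// Added example, not AdaptBooks code. Two layers: normalize the client-supplied
// name to a single safe path segment, then verify the fully resolved path
// still lies inside the upload root before touching the filesystem.

const UPLOAD_ROOT = '/var/app/uploads'; // assumed location

export function sanitizeFilename(name: string): string {
  // Keep only the last path segment, treating both / and \ as separators.
  const base = name.split(/[\\/]/).pop() ?? '';
  const cleaned = base
    .replace(/[\x00-\x1f\x7f]/g, '')      // strip NUL and other control characters
    .replace(/[^A-Za-z0-9._-]/g, '_')     // allow-list: letters, digits, . _ -
    .replace(/^\.+/, '')                  // no leading dots: blocks "..", ".env", hidden files
    .slice(0, 128);                       // bound the length
  if (cleaned === '') throw new Error('empty filename after sanitization');
  return cleaned;
}

export function resolveUploadPath(tenantId: string, clientName: string, root = UPLOAD_ROOT): string {
  // Tenant id forms a directory name, so it gets its own allow-list.
  if (!/^[A-Za-z0-9_-]+$/.test(tenantId)) throw new Error('invalid tenant id');
  const target = path.resolve(root, tenantId, sanitizeFilename(clientName));
  // Defense-in-depth: regardless of sanitization, refuse anything outside root.
  const rootWithSep = path.resolve(root) + path.sep;
  if (!target.startsWith(rootWithSep)) throw new Error('path escapes upload root');
  return target;
}
```

Keying the directory on the tenant id keeps one tenant's uploads from being addressed through another tenant's request, which matches the application-layer isolation the rest of the platform relies on.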
OTP spec requires enforcement "below the application layer." Current isolation is application-only via Prisma queries. No PostgreSQL RLS policies.
Plan: Implement PostgreSQL RLS policies as defense-in-depth. See Domain 2, Control 2.3.
Target: Q3 2026
No re-authentication requirement for destructive operations. Relies on role-based authorization only.
Plan: Implement step-up authentication via Clerk for sensitive actions: role changes, bulk deletes, fiscal period changes, and payment configuration changes.
Target: Q4 2026
Some TypeScript escape hatches (`any` types) are present. No enforced zero-warning CI gate.
Plan: Audit and replace remaining any types with proper types. Add CI check that fails on TypeScript warnings.
Target: Q3 2026
No mandatory code review requirement before production deployment. Direct pushes to main trigger auto-deploy.
Plan: Enable GitHub branch protection rules requiring at least one approving review before merge to main.
Target: Q2 2026
Sentry instrumentation is enabled and deployed, but alerting rules (e.g., error rate thresholds, assignment policies) still need to be configured in the Sentry dashboard after DSN provisioning.
Plan: Create Sentry project, set SENTRY_DSN on Railway and NEXT_PUBLIC_SENTRY_DSN on Vercel. Configure alert rules for error rate > 10/min and new issue assignment.
Target: Q2 2026
No external uptime monitoring service. Health endpoints exist but are not monitored by an independent third-party service.
Plan: Configure UptimeRobot or Better Uptime to monitor books.adaptensor.com and api.adaptbooks.io/health with SMS/email alerting on downtime.
Target: Q2 2026
No offline POS capability. Complete API dependency for all operations.
Plan: Implement service worker-based offline queue for POS transactions. Cache critical data (products, prices, tax rates) locally. Sync queued transactions when connection restores.
Target: Q4 2026
API auto-scaling not configured. Frontend auto-scales via Vercel. Single API instance handles current load but cannot auto-scale under traffic spikes.
Plan: Configure Railway auto-scaling policies based on CPU/memory thresholds. Add load testing to verify scale-out behavior.
Target: Q3 2026
Single-region deployment with no geographic redundancy. Vercel CDN provides global edge for static assets, but API and database are single-region.
Plan: Evaluate multi-region requirements based on customer growth. For current SMB market, single-region with strong backup/recovery is appropriate. Multi-region planned for enterprise tier.
Target: When enterprise customers require it
5. Delegation Declarations
Functions delegated to certified, specialized providers. Per the OTP Delegation Principle, each provider holds a relevant certification, the delegated attack surface is removed from AdaptBooks, and the integration itself is secured.
| Function | Provider | Certification | Data Isolation Proof |
|---|---|---|---|
| Authentication & Identity | Clerk | SOC 2 Type II | Zero passwords, MFA secrets, or OAuth tokens stored in AdaptBooks. All authentication state managed by Clerk. Platform stores only Clerk user ID as foreign key. |
| Payment Processing | Stripe | PCI DSS Level 1 | Zero cardholder data enters AdaptBooks systems. Stripe Terminal for in-person POS, Stripe Checkout for online payments, Stripe Billing for subscriptions. Platform stores only Stripe customer ID and subscription ID as references. |
| Database Hosting | Neon | SOC 2 Type II | Database encryption, backup management, PITR, and physical security managed entirely by Neon. AdaptBooks accesses database via encrypted connection string only. |
| Frontend Hosting | Vercel | SOC 2 Type II | Static assets and serverless functions hosted on Vercel infrastructure. TLS termination, DDoS protection, and CDN managed by Vercel. No sensitive data cached at edge. |
| API Hosting | Railway | SOC 2 Type II | Express.js server runs in Railway container. Secrets stored in Railway environment variables (encrypted at rest). Container isolation between tenants. |
| Email Delivery | SendGrid | SOC 2 Type II | Email content and recipient addresses passed to SendGrid API via HTTPS. No email data stored in AdaptBooks beyond send status. SendGrid manages deliverability, anti-spam, and DKIM. |
6. Version History
Remediation pass: Enabled Sentry error tracking on API and frontend (D7.3 PARTIAL→IMPLEMENTED). Published incident response plan with P0-P3 severity classification, escalation matrix, and rollback procedures (D7.5 PLANNED→IMPLEMENTED). Published disaster recovery plan with RTO/RPO targets, 5 scenario runbooks, and semi-annual DR test schedule (D8.4 PLANNED→IMPLEMENTED). Platform score: 87.26% → 89.26%.
Initial OTP compliance report. First automated source code audit of AdaptBooks production codebase.
The Honesty Clause
This report is published in accordance with the Open Trust Protocol's Honesty Clause. All scores reflect the actual state of the codebase as of the audit date. Gaps are disclosed openly with remediation plans. No controls have been omitted.
> “A low score honestly reported builds more trust than a high score dishonestly reported. That is the entire point.”
This report will be updated quarterly or within 30 days of any material security change.
Next scheduled review: June 23, 2026