richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cleaned up the Variouss folder

Browse source
This commit is contained in:
Richard Kranendonk 2026-05-18 18:41:49 +02:00
parent fe5eda4e05
commit 52406b5edb
47 changed files with 21 additions and 39 deletions
Download patch file Download diff file Expand all files Collapse all files

117
AuditGlue/System alternative/Application architecture.md Normal file
View file

@ -0,0 +1,117 @@
# Application architecture Deciding which functionality goes where
Heres a decision framework to help you choose the right approach for each piece of functionality:
## WeWeb (Frontend Logic)
**Use when:**
- UI/UX logic and interactions
- Client-side data formatting and presentation
- Form validation (basic, user-facing)
- Navigation and routing logic
- Real-time UI updates from Supabase subscriptions
- Simple calculations that dont need to be secured
**Examples:** Date formatting, sorting/filtering displays, form field validation, conditional UI rendering
## SQL Functions + RPC
**Use when:**
- Complex data operations involving multiple tables
- Business logic that must be consistent and secure
- Performance-critical operations (closer to data)
- Data validation that cant be bypassed
- Calculations that need to be atomic
- Logic that might be reused across different clients
**Examples:** User permission checks, complex reporting calculations, multi-step data updates, financial calculations
## Edge Functions
**Use when:**
- External API integrations (payments, email, webhooks)
- Heavy computational tasks
- File processing and transformations
- Custom authentication flows
- Business logic that needs full programming language capabilities
- Third-party service communications
**Examples:** Stripe payment processing, PDF generation, image resizing, sending emails, complex AI/ML operations
## Database Triggers
**Use when:**
- Automatic responses to data changes
- Audit logging and history tracking
- Data consistency enforcement
- Background maintenance tasks
- Cross-table updates that must happen atomically
**Examples:** Updating timestamps, creating audit logs, maintaining calculated fields, sending notifications on data changes
## Decision Matrix
**Performance Priority:**
- SQL Functions > Database Triggers > Edge Functions > WeWeb
**Security Requirements:**
- Database Triggers ≥ SQL Functions > Edge Functions > WeWeb
**External Integration Needs:**
- Edge Functions > WeWeb > SQL Functions > Database Triggers
**Complexity of Logic:**
- Edge Functions > SQL Functions > WeWeb > Database Triggers
**Real-time Requirements:**
- Database Triggers > SQL Functions > WeWeb > Edge Functions
## Practical Examples
**User Registration Flow:**
- WeWeb: Form UI and basic validation
- Edge Function: Email verification, external service calls
- SQL Function: Create user profile with complex business rules
- Database Trigger: Create related records, audit log
**E-commerce Order Processing:**
- WeWeb: Shopping cart UI, order summary
- SQL Function: Inventory checks, price calculations
- Database Trigger: Update inventory, create audit trail
- Edge Function: Payment processing, order confirmation emails
**Reporting Dashboard:**
- WeWeb: Charts, filters, display logic
- SQL Function: Complex data aggregations
- Database Trigger: Update materialized views
- Edge Function: Export to PDF, email reports
## General Guidelines
**Start with the data layer and work outward:**
1. Database Triggers for automatic data consistency
2. SQL Functions for secure business logic
3. Edge Functions for external integrations
4. WeWeb for user interface and experience
**Security rule:** Never trust the client - critical business logic should be in SQL Functions or Edge Functions, not WeWeb.
**Performance rule:** Keep data-heavy operations close to the database (SQL Functions/Triggers).
**Maintainability rule:** Keep similar logic in the same layer when possible.
The key is often using multiple approaches together rather than choosing just one - they complement each other in a well-architected application.

67
AuditGlue/System alternative/Building functionality in Supabase.md Normal file
View file

@ -0,0 +1,67 @@
---
tags:
- iso27DIY
- dev
- SupaBase
---
# Building functionality in Supabase
Supabase offers several ways to build functionality beyond just SQL and Edge Functions. Here are the main approaches:
## Core Functionality Building Methods
**1. SQL Functions (Database Functions)**
- Postgres has built-in support for SQL functions that live inside your database and can be used with the API
- Created directly in the database using SQL
- Accessible via the Dashboards SQL editor
**2. Edge Functions**
- Deno-based serverless functions
- Run on the edge for low latency
- Good for custom business logic and integrations
**3. Database Functions & RPC (Remote Procedure Calls)**
- RPC in Supabase allows developers to invoke custom PostgreSQL functions directly from the client side, particularly useful for encapsulating complex operations
- RPC enables executing database functions directly, allowing batching of multiple operations into a single RPC call
- Called using the `.rpc()` method in client libraries
## Additional Functionality Methods
**4. Database Triggers**
- PostgreSQL triggers that automatically execute functions when certain database events occur
- Can be combined with SQL functions for automated workflows
**5. Row Level Security (RLS) Policies**
- Policy-based access control that acts as business logic
- Enforces rules at the database level
**6. Auto-generated REST APIs**
- Automatic CRUD operations based on your database schema
- No additional code needed for basic operations
**7. Real-time Subscriptions**
- Listen to database changes in real-time
- Automatically generated based on your tables and RLS policies
**8. GraphQL API**
- Auto-generated GraphQL APIs available alongside REST
- Provides flexible querying capabilities
**9. Webhooks**
- Database webhooks that can trigger external services
- Can be set up to respond to database events
**10. PostgREST Extensions**
- Custom PostgreSQL extensions that extend functionality
- Can be installed to add specialized features
The most common approaches for custom business logic are SQL functions (accessed via RPC), Edge Functions, and database triggers, with each serving different use cases depending on where you want the logic to run and how complex your requirements are.

203
AuditGlue/System alternative/Design Document for ISO 27001 Certification Support Online Service.md Normal file
View file

@ -0,0 +1,203 @@
---
tags:
- project/iso27DIY
---
As suggested by Perplexity AI on June 23, 2025 on the following prompt:
```markdown
Below is a list of challenges for a small company to acquire ISO 27001 certification. Write a design document for an online service that will support this company on it's journey towards certification:
**Prioritize and Simplify Documentation**
- Focus on essential documents such as the Information Security Policy, Risk Treatment Plan, and Statement of Applicability. Use templates and streamline processes to reduce the documentation burden.
**Leverage External Expertise**
- Consider hiring an ISO 27001 consultant or using online tools and platforms designed for small businesses to guide you through the process and provide templates and checklists.
**Automate Where Possible**
- Use software solutions that automate risk assessments, documentation management, and compliance tracking. This can save time and reduce errors.
**Conduct Regular Self-Assessments**
- Schedule periodic reviews of your ISMS to ensure it remains effective and up to date. Treat these as mini-audits, checking against the standards requirements.
**Stay Informed and Trained**
- Invest in self-training through online courses, webinars, and resources specific to ISO 27001. This will help you understand the standard and stay current with best practices.
**Collaborate with Peers or Networks**
- Join professional networks or forums where you can share experiences, ask questions, and learn from others facing similar challenges.
**Use Open Source and Cost-Effective Tools**
- Implement open-source or affordable security tools to manage risks and controls within your budget constraints
```
# Design Document: ISO 27001 Certification Support Online Service
## 1. Overview
This design document outlines an online service tailored for small companies aiming to achieve ISO 27001 certification. The service addresses common challenges such as documentation overload, lack of expertise, limited resources, and the need for ongoing compliance, as identified in the provided list. The solution emphasizes simplicity, automation, collaboration, and cost-effectiveness.
---
## 2. Objectives
- **Simplify and prioritize ISO 27001 documentation**
- **Provide expert guidance and resources**
- **Automate compliance and documentation workflows**
- **Enable regular self-assessment and progress tracking**
- **Offer training and knowledge resources**
- **Foster peer collaboration**
- **Integrate open-source and affordable security tools**
---
## 3. Key Features
### 3.1. Documentation Hub
- **Template Library:**
Pre-built, customizable templates for essential documents (e.g., Information Security Policy, Risk Treatment Plan, Statement of Applicability).
- **Guided Documentation Wizard:**
Step-by-step forms that guide users through filling out each document, with tooltips and examples.
- **Version Control:**
Track changes, revisions, and approvals for each document.
### 3.2. Expert Guidance
- **Consultant Marketplace:**
Access to vetted ISO 27001 consultants for one-off advice or ongoing support.
- **Automated Checklists:**
Interactive checklists for each stage of the certification process.
- **Knowledge Base:**
Frequently asked questions, best practices, and troubleshooting guides.
### 3.3. Automation Tools
- **Risk Assessment Engine:**
Automate risk identification, evaluation, and treatment planning, with pre-populated risk scenarios for small businesses.
- **Compliance Tracker:**
Dashboard for tracking progress against ISO 27001 controls and requirements.
- **Automated Reminders:**
Notifications for upcoming reviews, policy renewals, and self-assessments.
### 3.4. Self-Assessment Module
- **Mini-Audit Toolkit:**
Self-assessment forms based on ISO 27001 requirements, with scoring and action item generation.
- **Progress Reports:**
Visual dashboards and downloadable reports to monitor readiness for certification.
### 3.5. Training & Resources
- **E-Learning Platform:**
ISO 27001-specific courses, webinars, and microlearning modules for staff.
- **Resource Library:**
Curated articles, videos, and external links for ongoing learning.
### 3.6. Collaboration & Community
- **Peer Forum:**
Secure discussion boards for sharing experiences, challenges, and solutions.
- **Group Projects:**
Enable teams to collaborate on documentation and risk assessments in real time.
- **Mentorship Matching:**
Pair users with experienced peers or mentors for guidance.
### 3.7. Integration with Open Source and Cost-Effective Tools
- **Tool Directory:**
Curated list of recommended open-source and affordable security tools (e.g., password managers, vulnerability scanners).
- **API Integrations:**
Connect external tools for asset management, incident tracking, and more.
---
## 4. User Roles
- **Admin:**
Full access to all features, user management, and settings.
- **Team Member:**
Access to assigned tasks, documentation, and training.
- **Consultant/Advisor:**
Limited access for reviewing documents and providing feedback.
---
## 5. User Journey Example
1. **Onboarding:**
User answers a few questions about company size, industry, and current security maturity.
2. **Documentation Setup:**
User selects required documents from the template library and customizes them using the wizard.
3. **Risk Assessment:**
User completes an automated risk assessment, generating a risk treatment plan.
4. **Self-Assessment:**
User runs a mini-audit using the self-assessment toolkit and receives a readiness score.
5. **Training:**
Staff complete relevant e-learning modules.
6. **Collaboration:**
User joins the forum to ask questions and shares progress in a group project.
7. **Expert Review:**
User books a session with a consultant to review documentation.
8. **Certification Prep:**
User tracks progress with the compliance dashboard and prepares for the external audit.
---
## 6. Technical Architecture
- **Frontend:**
Responsive web application (React or Angular)
- **Backend:**
RESTful API (Node.js/Python), secure document storage, user management
- **Database:**
PostgreSQL or MongoDB for user data, documents, and audit logs
- **Integrations:**
APIs for external tools and consultant scheduling
- **Security:**
End-to-end encryption, role-based access control, regular penetration testing
---
## 7. Security & Compliance
- **GDPR-compliant data handling**
- **Encrypted storage for sensitive documents**
- **Audit logs for all user actions**
- **Regular vulnerability assessments**
---
## 8. Cost & Licensing
- **Freemium Model:**
Basic features free for small teams; premium features (consultant marketplace, advanced automation) via subscription.
- **Open-Source Integrations:**
No additional cost for integrating community tools.
---
## 9. Success Metrics
- **Time to complete documentation**
- **User satisfaction (NPS)**
- **Number of companies achieving certification**
- **Engagement in training and community features**
---
## 10. Roadmap (First 12 Months)
1. **MVP Launch:**
Documentation hub, risk assessment engine, self-assessment module
2. **Phase 2:**
Training platform, community forum, consultant marketplace
3. **Phase 3:**
Advanced automation, open-source tool integrations, mentorship matching
---
## 11. Conclusion
This online service is designed to make ISO 27001 certification accessible, efficient, and affordable for small companies. By combining expert guidance, automation, collaboration, and cost-effective tools, it empowers organizations to achieve and maintain compliance with confidence.
Sources

237
AuditGlue/System alternative/JSON validation for Postgres.md Normal file
View file

@ -0,0 +1,237 @@
---
tags:
- json
- supabase
---
# JSON Schema validation for Postgres
When using the JSON (or JSONB) datatype, the data needs to be validated to assure database integrity.
pg_jsonschema is a PostgreSQL extension for SupaBase that can validate `json` and `jsonb` data types against a JSON Schema. The extension offers two functions:
```java
-- Validates a json *instance* against a JSON Schema *schema*
json_matches_schema(schema json, instance json) returns bool
-- Validates a jsonb *instance* against a JSON Schema *schema*
jsonb_matches_schema(schema json, instance jsonb) returns bool
```
JSON Schema is a way to define what valid JSON should look like for a particular use case:
- What properties an object should have
- What data types are expected
- Which fields are required vs optional
- Validation constraints (like minimum/maximum values, string patterns, etc.)
- Default values and descriptions
A JSON Schema is itself a JSON document. Here's a simple example of a JSON schema:
```json
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"type": "object",
"properties": {
"name": {
"type": "string",
"description": "Person's full name"
},
"age": {
"type": "integer",
"minimum": 0,
"maximum": 150
},
"email": {
"type": "string",
"format": "email"
}
},
"required": ["name", "email"]
}
```
You can check input against a schema in SQL like this:
```sql
create table some_table(
id serial primary key, -- db-column `id` column is an auto-incrementing primary key
metadata json not null, -- db-column `metadata` must contain a JSON value and cannot be null
check ( -- table-level check constraint to match the JSON in `metadata` to the schema
json_matches_schema(
schema :='{
"type": "object", -- we require an object ...
"properties": {
"foo": { -- with a single string property `"foo"` ...
"type": "string"
}
},
"required": ["foo"], -- property `"foo"` is required ...
"additionalProperties": false -- and no additional properties are allowed
}',
instance := metadata -- the value of the `metadata` column is passed ...
-- as the `instance` argument to the `json_matches_schema` function, for each row
)
)
);
-- Now we can attempt to insert a row into `some_table`,
-- with the `metadata` value provided as `<SQL input>`
insert into some_table(metadata)
values
(<SQL input>);
-- <SQL input> needs to be replaced with an actual JSON value, e.g. '{"foo": "bar"}'.
-- The insert will only succeed if the contents of `metadata` matches the schema in the check constraint.
```
## Validating for a set of allowed values
Use the `enum` keyword to validate that a value must be one of a specific set of allowed values.
**String values:**
```json
{
"type": "string",
"enum": ["red", "green", "blue"]
}
```
**Mixed data types:**
```json
{
"enum": ["active", "inactive", null, 42]
}
```
**In an object property:**
```json
{
"type": "object",
"properties": {
"status": {
"type": "string",
"enum": ["pending", "approved", "rejected"]
},
"priority": {
"type": "integer",
"enum": [1, 2, 3, 4, 5]
}
}
}
```
## Validating for a data range
**Inclusive bounds (default):**
```json
{
"type": "integer",
"minimum": 1,
"maximum": 10
}
```
This allows values from 1 to 10, including 1 and 10.
**Exclusive bounds:**
```json
{
"type": "number",
"exclusiveMinimum": 0,
"exclusiveMaximum": 100
}
```
This allows values greater than 0 and less than 100, but not 0 or 100 themselves.
**Mixed Bounds:**
```json
{
"type": "number",
"minimum": 0,
"exclusiveMaximum": 1
}
```
This allows values from 0 (inclusive) to 1 (exclusive), so 0 ≤ value < 1.
**One-Sided Ranges:**
```json
{
"type": "integer",
"minimum": 18
}
```
```json
{
"type": "number",
"maximum": 3.14159
}
```
**In Object Properties:**
```json
{
"type": "object",
"properties": {
"age": {
"type": "integer",
"minimum": 0,
"maximum": 150
},
"temperature": {
"type": "number",
"minimum": -273.15,
"maximum": 1000.0
}
}
}
```
**Regex Validation:**
```json
{
"type": "string",
"pattern": "^[a-zA-Z0-9]+$"
}
```
**Date Validation:**
JSON Schema supports the ISO 8601 date format:
```json
{
"type": "string",
"format": "date"
}
```
`"date"` validates dates like: `2023-12-25`
`"date-time"` validates like: `2023-12-25T10:30:00Z` or `2023-12-25T10:30:00.123Z`
`"time"` validates like: `10:30:00` or `10:30:00.123`
Using the ISO 8601 date format is recommended for interoperability.
Custom date patterns can be validated with Regex.
Ranges can be validated using the `"minimum"` and `"maximum"` keywords like before.
## Documentation**
- [pg_jsonschema](https://github.com/supabase/pg_jsonschema)
- [JSON Schema](https://json-schema.org/)

2
AuditGlue/System alternative/Using AI to create policies.md
View file

@ -22,7 +22,7 @@ Examples:
4. develop interventions based on these differences
**Threat analysis**
- do a threat analysis, see [Create a threat analysis chatbot](../../Corpus/Various/Create%20a%20threat%20analysis%20chatbot.md)
- do a threat analysis, see [Create a threat analysis chatbot](../../Corpus/Various/LLMs%20and%20Vibe%20Coding/Create%20a%20threat%20analysis%20chatbot.md)
**Policy drafting**

20
AuditGlue/iso27DIY-MoC.md
View file

@ -15,7 +15,7 @@ tags:
## Marketing
[Pricing](../Corpus/Various/The%20Psychology%20Behind%20SaaS%20Pricing.md)
[Pricing](../Marketing/The%20Psychology%20Behind%20SaaS%20Pricing.md)
[[Pricing Tiers for iso27DIY|Tiers]]
[[SEO guide for Carrd|Website SEO]]
[Idea Validation](Idea%20Validation.md)
@ -33,25 +33,25 @@ tags:
[UI ideas](System%20alternative/iso27DIY%20UI%20ideas.md)
### Agents
[Create a proactive conversational agent](../Corpus/Various/Create%20a%20proactive%20conversational%20agent.md)
[Create an interview agent](../Corpus/Various/Create%20an%20interview%20agent.md)
[Create a proactive conversational agent](../Corpus/Various/LLMs%20and%20Vibe%20Coding/Create%20a%20proactive%20conversational%20agent.md)
[Create an interview agent](../Corpus/Various/LLMs%20and%20Vibe%20Coding/Create%20an%20interview%20agent.md)
[Agent Design Intent Card](System%20alternative/Agent%20Design%20Intent%20Card.md)
[Create a threat analysis chatbot](../Corpus/Various/Create%20a%20threat%20analysis%20chatbot.md)
[Instruct an LLM on available tools](../Corpus/Various/Instruct%20an%20LLM%20on%20available%20tools.md)
[LLM Prompt types](../Corpus/Various/LLM%20Prompt%20types.md)
[Create a threat analysis chatbot](../Corpus/Various/LLMs%20and%20Vibe%20Coding/Create%20a%20threat%20analysis%20chatbot.md)
[Instruct an LLM on available tools](../Corpus/Various/LLMs%20and%20Vibe%20Coding/Instruct%20an%20LLM%20on%20available%20tools.md)
[LLM Prompt types](../Corpus/Various/LLMs%20and%20Vibe%20Coding/LLM%20Prompt%20types.md)
## Content
[ISO27DIY Videos list](../🧱%20Projects/iso27DIY%20mk%20I/ISO27DIY%20Videos%20list.md)
## Platform
[Design Document for ISO 27001 Certification Support Online Service](../Corpus/Various/Design%20Document%20for%20ISO%2027001%20Certification%20Support%20Online%20Service.md)
[Design Document for ISO 27001 Certification Support Online Service](System%20alternative/Design%20Document%20for%20ISO%2027001%20Certification%20Support%20Online%20Service.md)
[Personae and Roles](Personae%20and%20Roles.md)
[TypeDB structure for ISO27DIY](System%20alternative/TypeDB%20structure%20for%20ISO27DIY.md)
[Client segregation in SaaS](../Corpus/Information%20Security/Client%20segregation%20in%20SaaS.md)
[Building functionality in Supabase](../Corpus/Various/Building%20functionality%20in%20Supabase.md)
[Building functionality in Supabase](System%20alternative/Building%20functionality%20in%20Supabase.md)
[SupaBase edge functions portability](System%20alternative/SupaBase%20edge%20functions%20portability.md)
[Connect LLM to Supabase to create content](../Corpus/Various/Connect%20LLM%20to%20Supabase%20to%20create%20content.md)
[Application architecture](../Corpus/Various/Application%20architecture.md)
[Connect LLM to Supabase to create content](../Corpus/Various/LLMs%20and%20Vibe%20Coding/Connect%20LLM%20to%20Supabase%20to%20create%20content.md)
[Application architecture](System%20alternative/Application%20architecture.md)
[iso27DYI architecture with LLM](System%20alternative/iso27DYI%20architecture%20with%20LLM.md)
[iso27DIY stack deployment](System%20alternative/iso27DIY%20stack%20deployment.md)
[SurveyJS](../Corpus/Standards/SurveyJS.md)