AI cybersecurity platform for Brazilian technology companies · Spacecworp · CNPJ 62.904.267/0001-60 · Osasco/SP · B2B SaaS · ISO 27001:2022
███████╗██████╗ █████╗ ██████╗███████╗███████╗██╗ ██╗██╗███████╗██╗ ██████╗
██╔════╝██╔══██╗██╔══██╗██╔════╝██╔════╝██╔════╝██║ ██║██║██╔════╝██║ ██╔══██╗
███████╗██████╔╝███████║██║ █████╗ ███████╗███████║██║█████╗ ██║ ██║ ██║
╚════██║██╔═══╝ ██╔══██║██║ ██╔══╝ ╚════██║██╔══██║██║██╔══╝ ██║ ██║ ██║
███████║██║ ██║ ██║╚██████╗███████╗███████║██║ ██║██║███████╗███████╗██████╔╝
╚══════╝╚═╝ ╚═╝ ╚═╝ ╚═════╝╚══════╝╚══════╝╚═╝ ╚═╝╚═╝╚══════╝╚══════╝╚═════╝
AI v5.0 · Cybersecurity Platform
- Overview
- High-Level Architecture
- How It Works — Request Flow
- Core Components
- Security Architecture
- Data Flow — Persistence Layer
- AI Integration (Gemini API)
- Module Reference
- Deployment
- Key Design Decisions
- Compliance & Standards
- Company Info & Products
SpaceShield AI is a 100% frontend Single-Page Application (SPA) that delivers enterprise-grade cybersecurity monitoring, ISO 27001:2022 certification management, AI-powered threat analysis, and LGPD compliance tools — with zero backend dependencies in production.
| Property | Value |
|---|---|
| Architecture | 100% frontend SPA · Zero backend in production |
| Hosting | GitHub Pages (static) |
| Runtime | Vanilla JavaScript (ES2022+) · Web APIs only |
| Storage | localStorage encrypted with AES-256-GCM |
| AI | Google Gemini 2.5 Flash API |
| Security Cert. | ISO/IEC 27001:2022 · Bureau Veritas |
| Compliance | LGPD · SOC 2 · PCI DSS · NIST CSF · CIS Controls |
| SLA Target | 99.7% availability |
| MTTD | 47 ms (simulated real-time detection) |
Brazilian SMB technology companies need enterprise-grade security management — ISO 27001 certification tracking, threat intelligence, LGPD compliance, and AI-powered analysis — but lack the budget for expensive SIEM platforms or security teams. SpaceShield AI solves this with a self-contained, browser-based platform that requires no infrastructure.
┌─────────────────────────────────────────────────────────────────────────┐
│ BROWSER (Client Only) │
│ │
│ ┌──────────────────────────────────────────────────────────────────┐ │
│ │ INDEX.HTML (SPA) │ │
│ │ │ │
│ │ ┌──────────┐ ┌──────────────────────────────┐ ┌───────────┐ │ │
│ │ │ TOPBAR │ │ CENTER PANEL │ │ SIDEBAR-R │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ │ • Clock │ │ ┌────────────────────────┐ │ │ • ISO │ │ │
│ │ │ • ISO │ │ │ TAB BAR │ │ │ Ring │ │ │
│ │ │ Badge │ │ │ LOG │ JSON │ CORP │ │ │ • SSL/TLS │ │ │
│ │ │ • SSL │ │ │ PROD│ SEC· │ IA·CORP │ │ │ • DB │ │ │
│ │ │ Badge │ │ │ │ NEWS │ PEND │ │ │ Tables │ │ │
│ │ └──────────┘ │ └────────────────────────┘ │ │ • Certs │ │ │
│ │ │ │ └───────────┘ │ │
│ │ ┌──────────┐ │ ┌────────────────────────┐ │ │ │
│ │ │ SIDEBAR-L│ │ │ CONTENT AREA │ │ │ │
│ │ │ │ │ │ (active tab renders │ │ │ │
│ │ │ • Attack │ │ │ here on demand) │ │ │ │
│ │ │ Metrics│ │ │ │ │ │ │
│ │ │ • Network│ │ │ SecAgent Chatbot ←──── │ │ │ │
│ │ │ Canvas │ │ │ (chatbot · Gemini AI) │ │ │ │
│ │ │ │ │ │ ISO 27001 Module │ │ │ │
│ │ │ • ISO/SLA│ │ │ Corporate Panel │ │ │ │
│ │ └──────────┘ │ └────────────────────────┘ │ │ │
│ │ └──────────────────────────────┘ │ │
│ │ │ │
│ │ ┌──────────────────────────────────────────────────────────┐ │ │
│ │ │ ADMIN PANEL OVERLAY (auth-gated · minimizable) │ │ │
│ │ │ ISO 27001 │ TRAINING │ CHANGEAUTH │ A.8 TECH │ BACKUP │ │ │
│ │ │ MARKETING │ RISK TREATMENT │ AUDIT MANAGEMENT │ │ │
│ │ └──────────────────────────────────────────────────────────┘ │ │
│ └──────────────────────────────────────────────────────────────────┘ │
│ │
│ ┌─────────────────────────────────────────────────────────────────┐ │
│ │ JAVASCRIPT MODULES (32 classes) │ │
│ │ app.js → events.js → [15 feature modules] → ui.js │ │
│ └────────────────────────────┬────────────────────────────────────┘ │
│ │ │
│ ┌────────────────────────────▼────────────────────────────────────┐ │
│ │ PERSISTENCE LAYER │ │
│ │ CryptoStore (crypto.js) ──► AES-256-GCM ──► localStorage │ │
│ └─────────────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────┘
│
┌──────────▼──────────┐
│ EXTERNAL APIs │
│ │
│ Gemini 2.5 Flash │
│ Google Analytics │
│ Google Fonts/CDN │
└─────────────────────┘
Browser loads index.html
│
▼
Load CSS (head.css → body.css → modules.css → responsive.css)
│
▼
Load JS modules (32 files, sequential)
│
▼
app.js: App IIFE executes
├── 1. CryptoStore.init() ← generate/load AES-256-GCM key via PBKDF2
├── 2. db.migrate() ← localStorage schema migration
├── 3. Instantiate 15 modules ← SecurityAgent, ISOModule, CorporatePanel...
├── 4. TabManager setup ← bind tab buttons to lazy-render callbacks
├── 5. NetworkCanvas.start() ← TCP/IP visualization canvas
├── 6. SecurityEngine.init() ← boot 7 mitigation subsystems
└── 7. FeedLogger startup msgs ← system-ready log entries
User clicks tab button
│
▼
events.js: click listener on [data-tab]
│
▼
TabManager.show(tabName)
├── Hide all .tab-content panels
├── Show matching panel
└── Fire onShow(tabName) callback ← lazy-render: module.render() called once
│
▼
Module renders HTML into DOM container
│
▼
Module fetches/displays data (localStorage → decrypt → render)
User types message → presses Enter / clicks ENVIAR
│
▼
SecurityAgent.sendMessage(text)
├── Append user bubble to chat DOM
├── Push to #chatHistory[]
├── Show typing indicator (animated dots)
└── UIUtils.geminiAPI(systemPrompt, userText)
│
▼
Precedence waterfall:
1. window.__AI_PROXY → custom remote proxy
2. localhost /api/ai → Express proxy (dev)
3. window.__GEMINI_KEY → direct Gemini API call
4. fallback → static demo response
│
▼
Gemini returns response text
│
▼
├── Hide typing indicator
├── Append agent bubble (formatted with UIUtils.formatAIText)
└── Push assistant reply to #chatHistory[]
Feature module saves data
│
▼
db.save(key, value)
│
▼
CryptoStore.encrypt(JSON.stringify(value))
├── Generate random IV (12 bytes)
├── AES-256-GCM encrypt with derived key
└── Return { iv: base64, ct: base64 }
│
▼
localStorage.setItem(key, JSON.stringify(encrypted))
Feature module loads data
│
▼
db.get(key)
│
▼
localStorage.getItem(key) → parse JSON
│
▼
CryptoStore.decrypt({ iv, ct })
├── AES-256-GCM decrypt
└── Return original value
│
▼
JSON.parse(plaintext) → module uses data
The SecurityMitigationEngine (security_engine.js) runs 7 independent mitigation subsystems that boot in sequence on app start:
SecurityMitigationEngine.init()
│
├── [1] Zero-Day Shield ← behavioral analysis · heuristic detection
├── [2] Adversarial Guard ← ML model ensemble (LSTM + GradBoost + RF)
├── [3] TLS Inspector ← certificate validation · cipher downgrade detection
├── [4] UEBA Engine ← User and Entity Behavior Analytics
├── [5] Honeypot Network ← 3 honeypot sensors (canary traps)
├── [6] Threat Correlation ← IoC cross-referencing · kill chain mapping
└── [7] Adaptive Threshold ← 85% (business hours) / 92% (off-peak) block rate
Real-time metrics rendered in the left sidebar:
| Metric | Implementation |
|---|---|
| Attacks Blocked | AttackManager counter · animated canvas events |
| Packets/sec | Simulated via NetworkCanvas |
| Attack Types | DDoS, SQLi, XSS, Brute-force, Ransomware, APT |
| Block Rate | Adaptive threshold with SLA target 99.7% |
| MTTD | 47 ms (Mean Time To Detect) |
The SEC·NEWS tab is a dedicated security chatbot powered by Gemini AI — single-column, full-width interface.
┌──────────────────────────────────────────────────────────────┐
│ 🛡 SPACESHIELD · CHATBOT DE SEGURANÇA 🔒 TLS 1.3 │
├──────────────────────────────────────────────────────────────┤
│ │
│ 🛡 Olá! Sou o SpaceShield Chatbot da Spacecworp. │
│ ✓ Analiso CVEs críticas e impacto nos seus sistemas │
│ ✓ Oriento sobre conformidade LGPD · ISO 27001:2022 │
│ ✓ Explico ataques: ransomware, APT, phishing │
│ │
│ [mensagem do usuário] │
│ │
│ 🛡 [Resposta formatada] │
│ ▶ Formatted with icons │
│ ✓ Supports multi-line │
│ ⚠ Color-coded symbols │
│ │
│ ○ ○ ○ (typing indicator) │
│ │
├──────────────────────────────────────────────────────────────┤
│ [⚠ CVEs 2025] [🔥 Ransomware] [📋 LGPD] [🔓 regreSSHion] │
│ [🏆 ISO 27001] [🌩 Threat Intel] [☸ K8s] [⚙ Hardening] │
├──────────────────────────────────────────────────────────────┤
│ Pergunte sobre CVEs, LGPD, ISO 27001, ransomware... [ENVIAR]│
└──────────────────────────────────────────────────────────────┘
Threat Intelligence Knowledge Base (system prompt context):
| Domain | Coverage |
|---|---|
| CVEs / NVD | CVE-2025-0282 · CVE-2024-6387 · CVE-2024-3400 · CVE-2025-1974 and others |
| LGPD / ANPD | Resolução CD/ANPD nº 18/2025 · 72-hour notification · sanctions |
| ISO 27001:2022 | Clauses 4-10 · Annex A · 93 controls · Gap Analysis |
| Threat Intel | Ransomware · APT · phishing · supply chain · IoCs · MITRE ATT&CK |
| Hardening | Linux · Windows Server · cloud (AWS/GCP/Azure) · GitHub Pages SaaS |
| Pentest | OWASP Top 10 · CVSS 3.1 · EPSS · vulnerability management |
The ISOModule (iso.js) manages the full ISO 27001:2022 certification lifecycle:
ISO 27001:2022 Certification Pipeline
─────────────────────────────────────
Stage 1: Organizational Context [Clause 4]
Stage 2: Leadership and Commitment [Clause 5]
Stage 3: Planning [Clause 6]
Stage 4: Support and Resources [Clause 7]
Stage 5: Operation and Controls [Clause 8 + Annex A]
Stage 6: Performance Evaluation [Clause 9]
Stage 7: Continual Improvement [Clause 10]
Stage 8: Audit & Certification [Bureau Veritas]
│
▼
93 Annex A Controls tracked per stage
│
▼
AI Audit (Gemini): General · Gap Analysis · Action Plan
│
▼
Digital Certificate: ECDSA P-256 signature → PNG export
ISO Progress States:
0%──────25%──────75%──────100%
EM PROCESSO ATIVO APROVADO CONCLUIDO
A.8 Technological Controls (34 controls) tracked in tech_controls.js:
| Status | Description |
|---|---|
| IMPLEMENTED | Control fully active with evidence |
| PARTIAL | Control in progress |
| PLANNED | Scheduled for implementation |
| N/A | Not applicable to current context |
All client-side persistence is encrypted. The CryptoStore class (crypto.js) uses Web Crypto API exclusively — no third-party crypto libraries.
Key Derivation (one-time, at startup):
─────────────────────────────────────
Random salt (16 bytes)
│
▼
PBKDF2 / SHA-256
iterations: 100,000
│
▼
AES-256-GCM CryptoKey
(stored in memory only)
Encrypt(plaintext):
───────────────────
Random IV (12 bytes)
│
AES-256-GCM.encrypt(key, IV, plaintext)
│
{ iv: base64, ct: base64 } → localStorage
Decrypt({ iv, ct }):
────────────────────
AES-256-GCM.decrypt(key, IV, ciphertext)
│
plaintext string
Certificate Signing (ISO certificates):
ECDSA P-256 keypair generation
│
▼
Sign(certificateData) → DER-encoded signature
│
▼
Export certificate as PNG (canvas + signature overlay)
The TabManager (ui.js) implements lazy rendering — modules render their HTML only on first activation:
```javascript
// Pattern used by every feature module:
tabs.onShow('secagent', () => secAgent.render());  // fires once on first show
tabs.onShow('iso', () => iso.render());
tabs.onShow('corporate', () => corporate.render());
// ... 12 more modules
```

Tab hierarchy:

Main Tabs (center panel):
- LOG SEGURANÇA
- ENVIO JSON
- EMPRESARIAL
- PRODUTOS
- SEC·NEWS (chatbot)
- IA CORPORATIVA (6 roles)
- PENDÊNCIAS

Admin Tabs (overlay panel):
- ⬡ ISO 27001 (8 stages)
- 📚 TREINAMENTO (10 courses)
- 🔐 AUTORIZAÇÃO (RFC system)
- ⚙ A.8 TECNOLÓGICOS
- 📣 MARKETING (Google Ads AI)
- 💾 BACKUP (5 policies)
- ⚠ TRATAMENTO DE RISCOS
- 📋 AUDITORIA
┌───────────────────────────────────────────────────────┐
│ SECURITY LAYERS │
│ │
│ Layer 7 · Application │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Content Security Policy (CSP) │ │
│ │ default-src 'self' · script-src with allowlist │ │
│ │ connect-src: generativelanguage.googleapis.com │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ Layer 6 · Authentication │
│ ┌─────────────────────────────────────────────────┐ │
│ │ SHA-256 password hash (client-side) │ │
│ │ sessionStorage TTL: 60 minutes │ │
│ │ TOTP MFA support (admin panel) │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ Layer 5 · Data Encryption │
│ ┌─────────────────────────────────────────────────┐ │
│ │ AES-256-GCM · all localStorage data │ │
│ │ PBKDF2/SHA-256 key derivation (100k iter.) │ │
│ │ Random IV per encryption operation │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ Layer 4 · Transport │
│ ┌─────────────────────────────────────────────────┐ │
│ │ TLS 1.3 · ECDHE x25519 · RSA-4096 │ │
│ │ HSTS: max-age=31536000 │ │
│ │ OCSP Stapling · CAA Record (Let's Encrypt) │ │
│ │ SSL Labs Score: A+ │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ Layer 3 · Input Validation │
│ ┌─────────────────────────────────────────────────┐ │
│ │ HTML entity escaping on all user inputs │ │
│ │ maxlength constraints on all fields │ │
│ │ No eval() · No innerHTML from external data │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ Layer 2 · Digital Signatures │
│ ┌─────────────────────────────────────────────────┐ │
│ │ ECDSA P-256 for ISO certificate signing │ │
│ │ Signature verification on certificate load │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ Layer 1 · LGPD / Privacy │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Cookie Consent Mode v2 (Google) │ │
│ │ Analytics denied by default │ │
│ │ No PII transmitted to external APIs │ │
│ └─────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────┐
│ DATA FLOW DIAGRAM │
│ │
│ User Action │
│ │ │
│ ▼ │
│ Module Method (e.g. iso.completeStage(n)) │
│ │ │
│ ├──► Update in-memory state │
│ │ │
│ ├──► db.save('iso_stages', stageData) │
│ │ │ │
│ │ ▼ │
│ │ CryptoStore.encrypt(JSON.stringify(data)) │
│ │ │ │
│ │ ▼ │
│ │ localStorage.setItem(key, encryptedJSON) │
│ │ │
│ └──► DOM update (re-render affected components) │
│ │
│ Page Reload │
│ │ │
│ ▼ │
│ CryptoStore.init() ← re-derive key from stored salt │
│ │ │
│ ▼ │
│ db.get(key) → CryptoStore.decrypt() → JSON.parse() │
│ │ │
│ ▼ │
│ Module restores state → renders with persisted data │
└──────────────────────────────────────────────────────────────┘
Data stored per module (encrypted):
| Key (localStorage) | Module | Content |
|---|---|---|
| iso_stages | ISOModule | 8 stage completion states |
| iso_controls | ISOModule | 93 control statuses |
| training_progress | TrainingModule | Course completion + certificates |
| tech_controls | TechControlsModule | 34 control statuses |
| risk_register | RiskTreatmentModule | Risk entries + treatment plans |
| audit_records | AuditModule | Audit logs + findings |
| changeauth_rfcs | ChangeAuthModule | RFC requests + approvals |
| backup_policies | BackupModule | 5 policies + recovery records |
| admin_credentials | AdminAuth | SHA-256 hash (email + password) |
| investor_profile | InvestorModule | Name, CPF/CNPJ, type |
| investments | InvestorModule | Investment contribution records + PIX status |
All AI features use Google Gemini 2.5 Flash via UIUtils.geminiAPI().
UIUtils.geminiAPI(systemPrompt, userPrompt)
│
▼
┌──── Precedence Waterfall ────────────────────────────────┐
│ │
│ 1. window.__AI_PROXY defined? │
│ YES → POST to custom proxy URL (remote) │
│ │
│ 2. hostname === 'localhost' || '127.0.0.1'? │
│ YES → POST /api/ai (Express proxy, dev mode) │
│ │
│ 3. window.__GEMINI_KEY defined (length > 10)? │
│ YES → POST directly to Gemini API endpoint │
│ Authorization: Bearer <key> │
│ │
│ 4. Fallback → return static demo response │
│ (educational · no API required) │
└──────────────────────────────────────────────────────────┘
| Module | AI Capability | System Prompt Focus |
|---|---|---|
| SecAgent | Threat intelligence chatbot | CVEs, LGPD, ISO 27001, ransomware, hardening |
| ISOModule | Audit reports (3 types) | ISO 27001:2022 · Gap Analysis · Action Plan |
| CorporatePanel | Company security report | Business KPIs · risk posture · LGPD status |
| RoleAIModule | 6 departmental assistants | Diretoria · Marketing · Jurídico · Compliance · MKT Digital · CTO |
| MarketingModule | Google Ads strategy | Keyword targeting · campaign builder · ROI |
The system prompt for all AI features enforces:
- Language: Brazilian Portuguese
- Format: ▶ for lists · ✓ done · ⚠ warning · ✗ error
- Length: max 200 words per response
- Style: technical, precise, objective
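The chatbot flow earlier on the page appends each agent bubble "formatted with UIUtils.formatAIText", the input-validation layer requires entity escaping and no innerHTML from external data, and the system prompt fixes the ▶ ✓ ⚠ ✗ markers. The following added example, which is not the project's UIUtils, shows how those three fit together: a model reply is untrusted text, so every character from it is entity-escaped before the marker markup (built only from constants) is wrapped around it. The class names, the `wordCount` helper and the sample reply are constructed for the example.

```javascript
// Added example (not the project's UIUtils.formatAIText): render a model reply that uses the
// ▶ ✓ ⚠ ✗ markers above into markup without ever trusting the reply's characters. Every character
// from the reply goes through entity escaping first; the only tags emitted come from constants, so
// the result is safe to place in the chat bubble. Class names are assumptions.
const MARKERS = { '▶': 'ai-item', '✓': 'ai-done', '⚠': 'ai-warn', '✗': 'ai-error' };
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// One <div> per non-empty line; a leading marker becomes an icon span plus a class, the rest is text.
function formatAIText(reply) {
  return String(reply)
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const marker = line[0];
      const cls = MARKERS[marker];
      if (!cls) return `<div>${escapeHtml(line)}</div>`;
      return `<div class="${cls}"><span class="ai-icon">${marker}</span>${escapeHtml(line.slice(1).trim())}</div>`;
    })
    .join('');
}

// Guard for the "max 200 words" rule: count words before rendering so an over-long reply can be
// flagged or truncated instead of flooding the chat DOM.
function wordCount(reply) {
  return String(reply).trim().split(/\s+/).filter(Boolean).length;
}

// Constructed sample reply, including a line that carries markup the renderer must neutralise.
const SAMPLE_REPLY = [
  '▶ CVE triage',
  '✓ Patch applied',
  '⚠ <script>alert(1)</script> in the vendor note',
  '✗ Backup "daily" failed',
].join('\n');

console.log(formatAIText(SAMPLE_REPLY));
```

The string form is shown because it can be checked outside a browser; in the page itself the same function can build the bubble with `document.createElement` and `textContent`, which keeps to the "no innerHTML from external data" rule literally rather than relying on escaping before assignment. Either way the rule is the same: the reply's text reaches the DOM only as text, never as markup.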
| File | Class | Role |
|---|---|---|
| app.js | App (IIFE) | Bootstrap · instantiates all 15 modules |
| events.js | — | Centralized DOM event listeners (NC-CRIT-03) |
| ui.js | UIUtils · TabManager · FeedLogger | UI utilities · tab switching · log feed |
| data.js | AppData | Static company data · products · compliance docs |
| init.js | — | HTTPS redirect · startup checks |
| File | Class | Role |
|---|---|---|
| crypto.js | CryptoStore | AES-256-GCM · PBKDF2 · ECDSA P-256 |
| database.js | db | Encrypted localStorage persistence |
| adminauth.js | AdminAuth | SHA-256 auth · MFA TOTP · session TTL |
| attacks.js | AttackManager | Attack simulation · metrics · threat levels |
| network.js | NetworkCanvas | Real-time TCP/IP canvas visualization |
| security_engine.js | SecurityMitigationEngine | 7-subsystem mitigation engine |
| File | Class | Role |
|---|---|---|
| secagent.js | SecurityAgent | SEC·NEWS chatbot · single interface · Gemini AI |
| roleai.js | RoleAIModule | 6 departmental AI assistants |
| corporate.js | CorporatePanel | Corporate dashboard + AI report |
| iso.js | ISOModule | ISO 27001 certification + AI audit |
| File | Class | Role |
|---|---|---|
| iso.js | ISOModule | 8 stages · 93 controls · Bureau Veritas |
| training.js | TrainingModule | 10 ISO courses · certificate generation |
| tech_controls.js | TechControlsModule | 34 A.8 controls · evidence tracking |
| changeauth.js | ChangeAuthModule | RFC system · 4-eyes approval principle |
| backup.js | BackupModule | 5 policies · RTO/RPO · recovery procedures |
| risktreatment.js | RiskTreatmentModule | 5×5 risk matrix · treatment register |
| audit.js | AuditModule | Internal/external audits · SoA · pentest |
| File | Class | Role |
|---|---|---|
| products.js | ProductsModule | Product catalog · PIX QR Code (EMV) |
| sender.js | JSONSender | Structured event JSON export |
| pendencias.js | PendenciasModule | Pending tasks · priority management |
| marketing.js | MarketingModule | Google Ads AI · campaign builder |
| cookies.js | CookieConsent | LGPD cookie consent · Consent Mode v2 |
| signature_pad.js | SignaturePad | Canvas digital signature for certificates |
| tutorial.js | TutorialModule | Interactive onboarding walkthrough |
git push origin main
│
▼
GitHub Actions: .github/workflows/deploy.yml
│
▼
Build: static files only (no build step needed)
│
▼
Deploy to GitHub Pages branch
│
▼
CDN: https://spacesecurity.github.io
TLS 1.3 · HSTS · A+ SSL Labs
spacesecurity.github.io/
├── index.html ← SPA entry point (829 lines)
├── style/
│ ├── head.css ← CSS vars · reset · topbar
│ ├── body.css ← Layout · sidebar · tabs · feed
│ ├── modules.css ← Admin modules · badges · ISO styles
│ └── responsive.css ← Media queries (≤1200px, ≤768px)
├── javascript/ ← 32 JS modules (~500 KB)
│ ├── app.js ← Bootstrap IIFE
│ ├── events.js ← Event listeners
│ ├── ui.js ← UIUtils · TabManager · FeedLogger
│ ├── data.js ← Static company data
│ ├── database.js ← Encrypted localStorage
│ ├── crypto.js ← CryptoStore (Web Crypto API)
│ ├── secagent.js ← SEC·NEWS Chatbot ← this file
│ ├── iso.js ← ISO 27001 module
│ ├── [+ 24 more modules]
│ ├── local.config.example.js ← Config template
│ └── local.config.js ← Local dev config (gitignored)
├── .github/
│ └── workflows/
│ ├── deploy.yml ← GitHub Pages deployment
│ └── delete-runs.yml ← CI cleanup
└── README.md ← This document
```bash
# No build tools required; serve with any static file server
npx serve .
# OR
python -m http.server 8080

# Configure Gemini API (optional, for AI features):
# Copy local.config.example.js → local.config.js
# Set window.__GEMINI_KEY = 'your-key-here'
```

Choice: 100% static frontend, no server.
Why: GitHub Pages hosting is free, scales infinitely via CDN, and eliminates backend attack surface. The entire platform ships as static files.
Trade-off: No server-side session management. Mitigated with client-side AES-256-GCM encryption and sessionStorage TTL.
Choice: Encrypt every piece of data before persisting to localStorage.
Why: Browsers expose localStorage to any JavaScript running on the page. If a third-party script (Google Analytics, CDN library) is compromised via supply-chain attack, it could exfiltrate raw data. Encryption limits the blast radius.
Trade-off: Key derivation adds ~200ms on first load. Acceptable for security posture.
Choice: 4-level precedence (proxy → localhost → direct key → demo).
Why: The same codebase runs in production (no key), dev environment (localhost proxy), and staging (direct key). Demo fallback ensures the UI is always functional for demonstrations without an API key.
Trade-off: unsafe-inline in CSP needed for inline onclick handlers (tracked as NC-CRIT-03, partial mitigation).
Choice: Each module renders its HTML only on the first tab activation.
Why: 32 modules × full DOM construction at startup would cause a noticeable ~2s delay. Lazy rendering spreads the cost across user interactions, making the initial load fast.
Trade-off: First activation of each tab has a brief (imperceptible) render delay.
Choice: Each feature is a self-contained ES2022 class with private fields (#).
Why: Prevents accidental state leakage between modules. Each module owns its DOM container, its state, and its event handlers. Private fields (#chatHistory, #rendered) enforce encapsulation.
Trade-off: No tree-shaking (all modules load regardless of which tabs the user visits). Acceptable given the ~500 KB total JS size.
| Control | Description | Status |
|---|---|---|
| A.5.23 | Security in cloud services | Implemented |
| A.5.30 | ICT readiness for business continuity | Implemented |
| A.6.3 | Information security awareness & training | Implemented |
| A.7.1 | Physical security perimeters | Documented |
| A.8.3 | Information access restriction | Implemented |
| A.8.5 | Secure authentication | Implemented |
| A.8.6 | Capacity management | Monitored |
| A.8.15 | Logging | Implemented (FeedLogger) |
| A.8.16 | Monitoring activities | Implemented (SecurityEngine) |
| A.8.24 | Use of cryptography | Implemented (AES-256-GCM) |
| Requirement | Implementation |
|---|---|
| Cookie Consent | Consent Mode v2 · deny by default |
| Data Minimization | No PII sent to external APIs |
| Right to Erasure | localStorage.clear() removes all user data |
| Incident Notification | ANPD-RES-18: 72h procedure documented |
| DPO Designation | Felipe Rodrigues dos Santos (CEO/DPO) |
| Data Classification | PUBLIC · INTERNAL · CONFIDENTIAL · RESTRICTED |
ISO/IEC 27001:2022 ──► Primary certification target
LGPD (13.709/2018) ──► Brazilian data protection law
SOC 2 Type II ──► Trust service criteria (reference)
PCI DSS ──► Payment card security (PIX context)
NIST CSF 2.0 ──► Cybersecurity framework reference
CIS Controls v8 ──► Technical controls baseline
OWASP Top 10 2021 ──► Web application security
MITRE ATT&CK ──► Threat intelligence framework
Legal name : Felipe Rodrigues dos Santos Desenvolvimento de Software Ltda
Trade name : SPACECWORP
CNPJ : 62.904.267/0001-60
Founded : 25/09/2025
Address : Osasco · SP · Brasil
PIX key : 62.904.267/0001-60 (CNPJ)
Tax regime : Simples Nacional · MEI
Certification : ISO/IEC 27001:2022 · Bureau Veritas (in progress)
Active CNAEs:
| CNAE | Atividade |
|---|---|
| 6201-5/01 | Custom software development |
| 6201-5/02 | Web design |
| 6202-3/00 | Software development and licensing (SaaS) |
| 6204-0/00 | Information technology consulting |
| 6209-1/00 | IT technical support |
| 6311-9/00 | Data processing · hosting · cloud |
| 6319-4/00 | Portals and content providers |
| Product | Price | Target |
|---|---|---|
| SpaceShield AI · ESSENCIAL | R$ 890/month | SMBs with 1-10 employees |
| SpaceShield AI · PRO | R$ 1.890/month | Mid-market with 10-50 employees |
| SpaceShield AI · ENTERPRISE | On request | Enterprise with 50+ employees |
| Consultoria ISO 27001 | R$ 3.500 (one-time) | Certification guidance |
| Pentest & Vulnerability | R$ 2.800/quarter | Security assessment |
Payment: All plans accept PIX (key: 62.904.267/0001-60) with EMV QR Code generation.
| Layer | Technology | Notes |
|---|---|---|
| Runtime | Vanilla JS ES2022+ | No frameworks · no bundler |
| Crypto | Web Crypto API | AES-256-GCM · PBKDF2 · ECDSA |
| AI | Google Gemini 2.5 Flash | Via proxy or direct API |
| Storage | localStorage (encrypted) | AES-256-GCM per-entry |
| Canvas | HTML5 Canvas 2D | Network map · signatures |
| Fonts | Share Tech Mono · Exo 2 | Google Fonts CDN |
| QR Code | qrcodejs 1.0.0 | cdnjs · PIX QR generation |
| Hosting | GitHub Pages | CDN · TLS · zero cost |
| CI/CD | GitHub Actions | Auto-deploy on push to main |
| Analytics | Google Analytics 4 | Consent Mode v2 · LGPD |
SpaceShield AI v5.0 · Spacecworp · CNPJ 62.904.267/0001-60 · Osasco/SP · Brasil System Design documentation — ByteByteGo pattern · May 2026