Thanks for the M3 wrap-up, @mrmtech, and for the answers on hardening, alerts, and bilingual docs.
On the “production-grade infrastructure” framing, there is one piece that does not yet match what’s deployed. The production identity backend is reachable on the public internet at http://32.193.15.27:3000 over plain HTTP, with any origin allowed to call it and a static API key as the only authentication. The same-origin proxy in the issuer protects the legitimate user flow, but the backend itself stays directly callable from anywhere, and credential-issuance bodies traverse cleartext. Your repo already includes a TLS deployment path, and a TLS-fronted endpoint at https://api-ssi.iovf.org is already reachable in front of the same service. Could the backend exposure be addressed before the M4 proposal goes on-chain?
Two smaller items on the report:
- You list validator apps as working “on open source repo,” but we can’t find
IDA-Verificador-ApporIDA-Ciudadano-AppunderIkabott-MRMorIOV-Foundation. Could you share the public repo URLs? - The IPFS alternatives report is cited as
docs/IPFS-Pinata-Replacement-Options-Report.md“in repo,” but we don’t see it on either branch ofIkabott-MRM/identityor underIDA-Emisor-Web/docs/. Pending push, or a different path?
Happy to be corrected if we’ve misread the deployment.