Public audit checklist
Live snapshot of the QSDM internal audit checklist. Every row points at runnable in-tree evidence (a test file, a live deployment, or a verifiable source-tree artefact). The score and items below are fetched directly from the public API — the same JSON the SDK and the operator dashboard tile consume.
pkg/audit/checklist.go; it is not a substitute for the
external security audit tracked by row mining-01 (RFP
drafted, see QSDM/docs/docs/audit/MINING_AUDITOR_RFP.md). The
internal checklist surfaces what we have done; the external
audit will surface what we missed. Treat the internal
score as a necessary, not sufficient, signal of readiness.
Audit score
audit.Checklist.Score().
Bucket counts
Evidence provenance
How the passed rows became passed. A row marked
evidence:live-deploy has been verified against the
production validator at api.qsdm.tech; in-tree-tests
means a Go test pins the behaviour in CI; in-tree means
the evidence is a source-tree artefact (a config, a runbook, a build flag).
Category breakdown
Where the work concentrates and where the gaps are. Click any
category to drill into the items table below — same rows as
?category=<name> on /api/v1/audit/items. Bars use the same palette as the
bucket counts: passed / pending / failed / waived.
All audit rows
| ID | Category | Severity | Status | Title |
|---|---|---|---|---|

Click any row to expand its description, notes, and review provenance.
Embed
Hot-link the badge below from any README, exchange listing,
validator dashboard, blog post, or status page. The SVG is
server-rendered on every request, so the score is always
live (60 s edge cache). Drop-in <img>
works across GitHub, GitLab, Notion, Bear, and every
mainstream Markdown renderer — no CORS, no JS, no iframe.
[![QSDM audit score](https://qsdm.tech/api/v1/audit/badge.svg)](https://qsdm.tech/audit.html)
<a href="https://qsdm.tech/audit.html">
<img src="https://qsdm.tech/api/v1/audit/badge.svg" alt="QSDM audit score" />
</a>
GET https://qsdm.tech/api/v1/audit/badge.svg
GET https://api.qsdm.tech/api/v1/audit/badge.svg # equivalent
Colour ladder: ≥95% brightgreen · ≥85% yellowgreen · ≥70% yellow · ≥50% orange · <50% red.
Pinned by scoreColour in
pkg/api/handlers_audit_badge.go; threshold drift
fails CI via TestAuditBadge_ColourThresholds.