This references .github/codeql/dismissals.md, but the .github/codeql/ directory (and this file) doesn’t exist in the repo. Either add the referenced file/directory (if it’s intended to be the process) or remove/adjust the reference so readers aren’t sent to a dead path.

The SLSA provenance snippet here doesn’t match the actual release workflow: the repo pins actions/attest-build-provenance by SHA and only sets subject-path (no subject-digest/push-to-registry in .github/workflows/release.yml). Please align this example with the real workflow so the documentation is accurate and copy-pastable.

Repository workflows pin actions to immutable SHAs (e.g., step-security/harden-runner@<sha>), but this example uses the mutable @v2 tag. Update the snippet to use the pinned-SHA pattern to match repo conventions and reduce supply-chain risk.

Several Table of Contents links include the Unicode variation selector character ("️") in the fragment (e.g., #1-️-system-overview, #4-️-security-controls-summary, #️-defense-in-depth-strategy). GitHub’s generated heading IDs are ASCII-only, so these fragments won’t match and the TOC links will be broken. Update the TOC fragments to the actual GitHub-generated slugs (or add explicit HTML anchors and link to those) to ensure the TOC works.

In the defense-in-depth Mermaid diagram, Route 53 WAF planned is technically incorrect—AWS WAF is associated with CloudFront/ALB/API Gateway, not Route 53. Rename this node to reflect the actual integration point (e.g., WAF on CloudFront) to avoid misleading architecture documentation.

The doc claims Subresource Integrity is implemented via “SHA-384 hashes for local libraries”, but the site’s locally hosted scripts (e.g., index.html loads js/lib/*.js without integrity=) don’t use SRI. Either adjust this row to describe where SRI is actually used (typically for third-party/CDN assets) or remove/mark it as planned to keep the control inventory accurate.

The embedded .github/dependabot.yml example doesn’t match the repository’s actual config (current file has no reviewers, uses different labels, and schedules GitHub Actions updates daily, not weekly). Please update the snippet to mirror .github/dependabot.yml (or replace it with a short description + link) so the documentation stays authoritative.

The CodeQL section documents a security-extended query suite and a Monday 06:00 UTC schedule, but .github/workflows/codeql.yml doesn’t specify security-extended and the cron is 0 0 * * 1 (00:00 UTC). Update this section to reflect the actual workflow configuration to avoid operational drift between docs and enforcement.

The section heading should be "Related Architecture Documentation" not "Architecture Documentation Map" to maintain consistency with other architecture documents in the repository. All conforming architecture documents (FLOWCHART.md, STATEDIAGRAM.md, MINDMAP.md, SWOT.md, and their FUTURE_ variants) use "Related Architecture Documentation" as the heading for this cross-reference table.

According to repository conventions, only the document link in the first column should be bolded in Related Architecture Documentation tables, not text in the Focus or Description columns. The phrase "Current document" in the Description column should not be bolded. This pattern is consistently followed in FLOWCHART.md, MINDMAP.md, FUTURE_MINDMAP.md, and FUTURE_STATEDIAGRAM.md.

The document references updating "CHANGELOG.md" in vulnerability remediation procedures, but this file does not exist in the repository.

Either:

1. Remove references to CHANGELOG.md (lines 1220, 1376), or
2. Create CHANGELOG.md as part of repository documentation standards, or
3. Update the text to reference a different file that tracks security fixes (e.g., the GitHub release notes or commit messages)