ShieldCV is a local-first, mobile-first resume security platform designed to protect sensitive resume data without sending content off-device. The app is built as a SvelteKit PWA for Cloudflare Pages and uses workspace packages for crypto, storage, audit, AI, and compliance concerns.
- Use Node.js 20 LTS.
- Enable Corepack if needed with
corepack enable. - Install dependencies with
pnpm install. - Start the web app with
pnpm --filter web dev. - Run checks with
pnpm lint,pnpm typecheck, andpnpm test. - Create a production build with
pnpm --filter web build.
- Zero data retention. Resume content, PII, and derived data stay on the user's device.
- Local-first AI. All model execution runs in-browser or through the user's own local Ollama instance.
- Encrypted at rest. IndexedDB content is encrypted with AES-GCM using PBKDF2-derived keys.
- Defense in depth. The web app ships with strict browser security headers and an offline-first PWA posture.
- Auditability. Security-relevant events are tracked in an append-only encrypted audit log.
ShieldCV deploys to Cloudflare Pages with a thin Functions-style worker handler that sets per-request CSP nonces and security headers. The handler never processes user data. All resume data remains in encrypted IndexedDB in the browser.
apps/web: SvelteKit PWA for Cloudflare Pages with per-request CSP headers.packages/crypto: WebCrypto helpers.packages/storage: Encrypted IndexedDB abstractions.packages/ai: Local inference integration points.packages/compliance: Compliance scan utilities.packages/audit: Hash-chain audit log helpers.compliance: DPIA, threat model, data flow, and SBOM artifacts.