Proactive Technology Lifecycle Management for a Static Corporate Website
Web-Standards Stack • Node.js Build Tooling Lifecycle • AWS Service Continuity
Document Owner: CEO | Version: 1.0 | Last Updated: 2026-04-21 (UTC)
Review Cycle: Annual | Next Review: 2027-04-21
Classification:
ISMS Alignment: This document fulfils the Business Continuity & Lifecycle documentation requirements set out in the Hack23 Secure Development Policy.
| Document | Focus | Description |
|---|---|---|
| Architecture | C4 Model | System structure |
| Security Architecture | Security | Defense-in-depth controls |
| Threat Model | Threats | STRIDE / MITRE ATT&CK analysis |
| Workflows | CI/CD | GitHub Actions pipeline |
| BCP Plan | Resilience | Business continuity & recovery |
| Financial & Security Plan | Cost | TCO and security investment |
| CRA Assessment | Compliance | EU Cyber Resilience Act conformity |
The Hack23 Homepage (hack23.com) is a static HTML5/CSS3 corporate website with no server-side runtime, no database, no user data processing, and only build-time tooling. As such it is intentionally one of the most lifecycle-resilient assets in the Hack23 portfolio: there is no application runtime to deprecate.
The site will continue to operate against current web standards indefinitely. EOL planning therefore focuses on three layered concerns:
- Web platform standards: HTML5, CSS3, ECMAScript baseline, Schema.org, OpenGraph (effectively perpetual)
- Build & validation tooling: Node.js, npm, GitHub Actions, OWASP ZAP, Lighthouse CI, HTMLHint, html5validator
- Hosting & delivery infrastructure: AWS S3, CloudFront, Route53, ACM, GitHub Pages (DR)
This strategy aligns with the "Living on the Edge" philosophy of the Hack23 Vulnerability Management Policy: keep tooling on the latest stable line, with comprehensive automated testing and SLSA Level 3 attestation gating each release.
Per Hack23 Classification Framework:
RTO / RPO Alignment: RTO Standard (>72 h), RPO Extended (>24 h); daily Git commits and S3 versioning are sufficient.
```mermaid
%%{init: {"theme": "base", "themeVariables": {"primaryColor": "#e8f5e9", "primaryTextColor": "#2e7d32", "lineColor": "#4caf50", "secondaryColor": "#fff3e0", "tertiaryColor": "#e3f2fd"}}}%%
mindmap
  root)Hack23 Homepage Stack(
    (Web Platform)
      HTML5
        EOL: None (W3C living standard)
      CSS3
        EOL: None (W3C living standard)
      Schema.org JSON-LD
        EOL: None (community standard)
      Google Fonts
        EOL: External CDN; SRI planned
    (Hosting & Delivery)
      AWS S3
        EOL: AWS GA service; no announced EOL
      AWS CloudFront
        EOL: AWS GA service; no announced EOL
      AWS Route53
        EOL: AWS GA service; no announced EOL
      AWS ACM (TLS 1.3)
        EOL: Tied to TLS protocol lifecycle
      GitHub Pages (DR)
        EOL: GitHub-managed
    (Build & Validation Tooling)
      Node.js (LTS baseline + current-version compatibility testing)
        Lifecycle: Node release schedule
        LTS rotation tracked annually; selected workflows may also use newer major releases (e.g., v24/v25) for forward-compatibility validation
      npm + npx
        Bundled with Node.js
      GitHub Actions
        EOL: GitHub-managed; SHA-pinned actions
      StepSecurity Harden Runner
        EOL: Active OSS, monthly releases
      OWASP ZAP
        EOL: Active OSS, semi-annual major releases
      Lighthouse CI
        EOL: Google-maintained
      HTMLHint, html5validator, Linkinator
        EOL: Active OSS
      dra1ex/minify-action
        EOL: SHA-pinned action
      Anchore Syft (SBOM)
        EOL: Anchore-maintained OSS
    (AI & DevSecOps Tooling)
      GitHub Copilot
        EOL: GitHub-managed product
      58 Copilot Skills
        EOL: Repo-managed
      8 Custom Agents
        EOL: Repo-managed
      MCP Servers (github, filesystem, git, memory, sequential-thinking, playwright, brave-search, aws-knowledge)
        EOL: Per-server upstream lifecycle
```
| Component | Current | EOL Risk | Mitigation |
|---|---|---|---|
| HTML5 | Living standard | None | W3C HTML Living Standard is perpetually maintained |
| CSS3 / CSS Modules | Living standard | None | W3C CSS WG; we use widely-supported, baseline features |
| ECMAScript (used in inline scripts) | Baseline (ES2015+) | None | Minimal JS; conservative feature set |
| Schema.org JSON-LD | Living vocabulary | None | Community-maintained; backward-compatible |
| OpenGraph / Twitter Cards | De facto standard | None | Stable for >10 years |
| RTL CSS for _ar, _he | Baseline support | None | All evergreen browsers support dir="rtl" |
| Component | Current Version Source | LTS Strategy | EOL Trigger | Action Plan |
|---|---|---|---|---|
| Node.js | .github/workflows/copilot-setup-steps.yml + actions/setup-node@v6.4.0 | Active LTS | Active LTS goes EOL per nodejs.org/en/about/previous-releases | Bump to next LTS within 60 days of new LTS GA; test all workflows on PR |
| GitHub Actions runners | ubuntu-latest | GitHub-managed | GitHub deprecation notice | Track GitHub Actions changelog; pin to specific Ubuntu LTS if instability detected |
| StepSecurity Harden Runner | SHA-pinned (v2.19.0 as of 2026-04) | Latest stable | Project EOL | Dependabot tracks; review monthly |
| OWASP ZAP (ghcr.io/zaproxy/zaproxy:stable) | :stable tag | Stable channel | OWASP ZAP project EOL | Migrate to successor scanner if announced |
| Lighthouse CI | treosh/lighthouse-ci-action | Latest stable | Action archived | Pin to last working SHA; evaluate alternatives (e.g., chrome-launcher direct) |
| HTMLHint | npm latest | Latest stable | Project archived | Replace with htmlvalidate or custom validator |
| html5validator | PyPI | Latest stable | Project archived | Switch to W3C Validator API directly |
| Linkinator | npm latest | Latest stable | Project archived | Replace with lychee or markdown-link-check |
| Minify Action (dra1ex/minify-action) | SHA-pinned | Latest stable | Action archived | Pin to last good SHA; replace with htmlnano + cssnano script |
| anchore/sbom-action (Syft) | SHA-pinned | Latest stable | Project EOL | Anchore Syft is actively maintained; track Anchore announcements |
| actions/attest-build-provenance, attest-sbom | SHA-pinned | GitHub-maintained | GitHub deprecation | Track GitHub Actions security blog |
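Several rows above rely on actions being SHA-pinned rather than tag-pinned. The following script is an added example (not part of the Hack23 repository or its workflows) that lists every `uses:` reference in a workflow file whose ref is not a full 40-hex commit SHA, so a tag-pinned or branch-pinned action can be caught before Dependabot or a deprecation notice does. The sample workflow it scans is constructed inline, and the checkout SHA in it is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not Hack23 tooling: detect GitHub Actions references that are
# not pinned to a 40-character commit SHA (tags and branches are mutable).

# unpinned_uses FILE -> prints each "owner/repo@ref" in FILE whose ref is not a
# 40-hex SHA. Local actions (./...) and docker:// images are skipped.
unpinned_uses() {
  sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" \
    | grep -v -e '^\./' -e '^docker://' \
    | grep -v -E '@[0-9a-f]{40}$' || true
}

# unpinned_count FILE -> number of unpinned references (0 means fully pinned)
unpinned_count() {
  unpinned_uses "$1" | grep -c . || true
}

# Constructed sample workflow (the checkout SHA is a placeholder value).
sample="$(mktemp)"
cat > "$sample" <<'EOF'
name: constructed-sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: actions/setup-node@v6.4.0
      - uses: ./.github/actions/local-step
      - uses: anchore/sbom-action@main
EOF

echo "Unpinned action references:"
unpinned_uses "$sample"
echo "Count: $(unpinned_count "$sample")"
rm -f "$sample"
```

Run it against `.github/workflows/*.yml` in CI and fail the job when the count is non-zero; the trailing `# vX.Y.Z` comment Dependabot keeps after a SHA is ignored by the `sed` pattern, so pinned-with-comment lines pass.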
| Component | Current | EOL Risk | Action Plan |
|---|---|---|---|
| AWS S3 (private bucket, versioning, OAC) | GA service | Very Low | AWS GA services have no published EOL; monitor AWS What's New |
| AWS CloudFront (TLS 1.3, security-headers policy, AWS Shield Standard) | GA service | Very Low | Migrate cache policy if AWS deprecates legacy config formats |
| AWS Route53 (hosted zone, health-checks, DR failover) | GA service | Very Low | None required |
| AWS Certificate Manager (TLS certs auto-renewed) | GA service | Tied to TLS | Move to TLS 1.3-only when CloudFront drops TLS 1.2 baseline |
| GitHub Pages (DR origin) | GA product | Low | Keep gh-pages branch in sync via release.yml |
| Google Fonts CDN | External CDN | Medium | Plan B: self-host fonts under /fonts/ with SRI hashes |
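The Google Fonts row is the only Medium-risk item in the hosting table, and its Plan B is self-hosting with SRI hashes. The script below is an added example (not Hack23's build tooling) of generating and verifying those hashes with OpenSSL. The `/fonts/fonts.css` path and the sample stylesheet are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Hack23 tooling: Subresource Integrity helpers for
# self-hosted assets. SRI `integrity` applies to <link>/<script> elements, so
# the hash pins the local font stylesheet; self-hosting the .woff2 files is
# what removes the third-party CDN dependency.

# sri_hash FILE -> prints "sha384-<base64 digest>" for FILE
sri_hash() {
  printf 'sha384-%s\n' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# sri_link_tag HREF FILE -> prints a <link> element carrying the integrity value
sri_link_tag() {
  printf '<link rel="stylesheet" href="%s" integrity="%s" crossorigin="anonymous">\n' \
    "$1" "$(sri_hash "$2")"
}

# sri_verify FILE EXPECTED -> succeeds only if FILE still hashes to EXPECTED,
# e.g. a CI step that checks the committed integrity value against the asset
sri_verify() {
  [ "$(sri_hash "$1")" = "$2" ]
}

# Constructed sample stylesheet so the script runs offline.
work="$(mktemp -d)"
printf '@font-face{font-family:"Demo";src:url("/fonts/demo.woff2") format("woff2");}\n' \
  > "$work/fonts.css"
sri_link_tag "/fonts/fonts.css" "$work/fonts.css"
rm -rf "$work"
```

Regenerate the hash whenever the stylesheet changes; a stale integrity value makes the browser refuse the file, which is the intended failure mode but also a self-inflicted outage if the deploy step forgets it.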
| Component | EOL Risk | Action Plan |
|---|---|---|
| GitHub Copilot + Coding Agent | Product change | Track GitHub Copilot changelog; documentation in repo decoupled from product |
| 58 Skills in .github/skills/ | None (repo-owned) | Skill index reviewed quarterly |
| 8 Custom Agents in .github/agents/ | None (repo-owned) | Agent definitions reviewed quarterly |
| MCP servers | Per-server upstream | .github/copilot-mcp.json SHA-pin where supported; replace if upstream goes silent |
A formal EOL review is triggered by any of the following:
| Trigger | Detected By | Response Time | Action |
|---|---|---|---|
| Node.js LTS reaches end of "Active LTS" phase | Dependabot / CI failure | Within 60 days | Bump to next LTS in setup-node@vX action node-version input |
| GitHub Action archived/deprecated | Dependabot alert | Within 30 days | Replace with maintained equivalent; SHA-pin |
| AWS service deprecation notice | AWS Health Dashboard | Per AWS deadline | Migrate per AWS guidance; rehearse in staging |
| Critical CVE (CVSS ≥ 9.0) in build tooling | OpenSSF Scorecard / Dependabot | Within 7 days (per Vulnerability Management SLA) | Patch, regenerate SLSA attestation, redeploy |
| Browser baseline drops critical CSS feature | Lighthouse / manual audit | Within 90 days | Refactor styles.css; bump version |
| Web standard officially deprecated (e.g., OpenGraph successor) | W3C / industry signal | Per spec timeline | Add successor metadata alongside legacy |
| GitHub Pages discontinued (DR origin) | GitHub announcement | Within 30 days | Switch DR to AWS S3 second region (e.g., eu-west-1) |
| Hack23 brand or product strategy change | Internal decision | Per change-management process | Re-architect or sunset; see Sunset Procedure below |
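The first trigger (Node.js leaving Active LTS, 60-day response) is the one most likely to fire silently, since CI stays green on a line that has merely entered maintenance. The script below is an added example (not Hack23's tooling) that classifies the pinned Node major line against an Active-LTS end date with a 60-day horizon. The schedule rows are constructed for the example; the authoritative dates are on nodejs.org/en/about/previous-releases. Dates are compared as YYYYMMDD integers so no GNU `date` arithmetic is required.

```shell
#!/bin/sh
# Added example, not Hack23 tooling: flag a pinned Node.js line whose Active
# LTS phase ends within the 60-day response window from the trigger table.

# date_num YYYY-MM-DD -> YYYYMMDD, comparable with -lt/-le
date_num() { printf '%s' "$1" | tr -d '-'; }

# active_lts_status END TODAY HORIZON -> "expired" | "due" | "ok"
#   expired: Active LTS already ended before TODAY
#   due:     ends on or before HORIZON (TODAY + 60 days)
#   ok:      ends after HORIZON
active_lts_status() {
  end=$(date_num "$1"); today=$(date_num "$2"); horizon=$(date_num "$3")
  if [ "$end" -lt "$today" ]; then echo expired
  elif [ "$end" -le "$horizon" ]; then echo due
  else echo ok; fi
}

# check_pinned_line LINE TODAY HORIZON < schedule
#   schedule rows: "<line> <active-lts-end YYYY-MM-DD>", one per line
#   prints "<line> <status> <end>", or "<line> unknown -" if not in schedule
check_pinned_line() {
  while read -r line end; do
    [ "$line" = "$1" ] || continue
    printf '%s %s %s\n' "$line" "$(active_lts_status "$end" "$2" "$3")" "$end"
    return 0
  done
  printf '%s unknown -\n' "$1"
}

# Constructed schedule (illustrative dates, not authoritative).
SCHEDULE='v20 2024-10-22
v22 2025-10-21
v24 2026-10-20'

# Usage: pinned line v24, checked on 2026-04-21 with a horizon of 2026-06-20.
printf '%s\n' "$SCHEDULE" | check_pinned_line v24 2026-04-21 2026-06-20
```

On a GNU system the horizon can be produced with `date -u -d '+60 days' +%F`; a `due` or `expired` result is what should open the LTS-bump ticket referenced in the table.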
In the unlikely event the corporate website is retired (e.g., company dissolution or full migration to a new platform), the following steps are executed:
- Pre-announcement (90 days): Update homepage banner; notify partners and clients via info@hack23.com
- Archive (60 days): Snapshot of repository tagged `archive/final`; release `vN.0.0-final` with full SLSA Level 3 attestation; publish final SBOM
- DNS migration (30 days): Either redirect hack23.com to successor URL or set Route53 to a static "Retired" page
- Infrastructure decommission (Day 0): Disable CloudFront distribution (keep config exportable); empty and version-lock S3 bucket; archive CloudTrail logs to Glacier per Backup & Recovery Policy
- GitHub repo archival: Mark repository read-only / archived on GitHub; preserve issues, PRs, and release artefacts indefinitely (public good)
- Compliance closure: Update Risk Register, Compliance Checklist; file final CRA conformity statement
If the website outgrows the static-only model (e.g., interactive client area, dynamic dashboards), evolution paths and EOL implications are pre-planned:
| Evolution Scenario | New Components | EOL Implications | Migration Window |
|---|---|---|---|
| + Contact form (server-less) | API Gateway + Lambda + SES | Lambda runtime (Node.js) lifecycle now in scope | Plan in line with Node LTS schedule |
| + Newsletter / CMS | DynamoDB / S3 + Lambda | Add data classification & retention | Update DATA_MODEL.md, BCPPlan.md |
| + Search | OpenSearch Serverless or Algolia | Vendor lock-in risk | Document exit plan |
| + Authentication (client area) | AWS Cognito or Auth0 | Federation lifecycle | Add to Access Control Policy review |
| + Internationalisation framework | Static-site generator (Astro / Eleventy / Hugo) | Adds toolchain EOL surface | Pilot in branch; budget refactor |
Each evolution requires updates to: ARCHITECTURE.md, SECURITY_ARCHITECTURE.md, THREAT_MODEL.md, BCPPlan.md, FinancialSecurityPlan.md, and this document.
| Activity | Cadence | Owner | Evidence |
|---|---|---|---|
| Dependency / Action review | Weekly (Dependabot) | CEO | Dependabot PRs |
| Stack EOL review | Quarterly | CEO | Updated tables in this document |
| Node LTS bump | At each new LTS | CEO | setup-node action input bumped, CI green |
| AWS deprecation watch | Continuous (AWS Health) | CEO | AWS Health Dashboard subscription |
| Browser baseline review | Annual | CEO | Lighthouse + caniuse audit |
| Sunset rehearsal | Documented; not rehearsed (low value) | CEO | This document |
| ISMS Policy | Relevance |
|---|---|
| Secure Development Policy | Lifecycle documentation requirement |
| Vulnerability Management | "Living on the Edge" patch strategy; CVSS-driven SLAs |
| Open Source Policy | Action and dependency licensing & maintenance |
| Change Management | Tooling upgrade and migration procedure |
| Backup & Recovery Policy | Sunset archival and Git-based perpetual backup |
| Business Continuity Plan | DR fallback during migration / sunset |