Introduction

progress.report

A progress tracking platform for developers, agencies, and consultants. Publish project updates and give your clients a live progress page — no logins, no dashboards, no email threads.

You maintain a simple progress.jsonc checklist alongside your code. Run npx progress-report publish whenever something changes. Your client visits a URL and sees exactly where things stand.

The page is branded with your client's colors, shows completion percentages per phase, and highlights anything that needs their attention — automatically.

How it works

You create an account and receive an API key
Each client gets a unique 20-character ID and a shareable URL
You keep a checklist file (.jsonc) in your project
npx progress-report publish pushes the latest state to our API
Your client visits view.progress.report/{developer}/{project}/{view} — always up to date

The viewer applies your custom theme colors and shows your client's branding — phases, tasks, subtasks, completion bars, and any items that need their action.

Why progress.report

Built for teams that ship

Client communication is broken. Status emails go unanswered. Slack threads lose context. Spreadsheets go stale. progress.report replaces all of it with a single live URL your client can bookmark.

⚡

Zero-friction publishing

One command from your terminal. No dashboard to open, no form to fill. Your checklist file is the source of truth — everything else is automatic.

🎨

Fully white-labeled

Each progress page carries your client's brand colors, project name, and tagline. Clients see their project — not your tooling.

📊

Three dimensions of progress

Build milestones, unit test coverage, and compliance certifications — all on one page, in separate tabs. No other tool shows all three.

🔔

Client action surfacing

Mark any task you and it surfaces at the top of the page with an orange badge. Clients can't miss what they need to do — and you stop chasing them.

📋

Compliance built in

SOC 2, HIPAA, PCI-DSS, ISO 27001, and GDPR templates are ready to use. Publish your certification progress alongside your build — auditors and clients see the same live data.

🔌

Automation-first API

Every operation is available via REST. Publish from GitHub Actions on every merge. Integrate test results directly into the viewer. Build your own tooling on top.

How it compares

Feature	progress.report	Notion / Confluence	Jira / Linear
Client-facing progress URL	✓ Built-in	Manual export	—
Publish from CLI / CI	✓ One command	—	—
Custom branding per client	✓ Per project	Manual	—
Unit test tab	✓ Native	—	—
Compliance tracking tab	✓ 5 frameworks	Manual docs	—
Client action badges	✓ Automatic	—	Assignee only
No client login required	✓ Public URL	Requires invite	Requires account
Developer workflow	✓ Git-native	Browser only	✓

Use Cases

Who uses progress.report

Any team that builds software for clients — or that needs to show progress to stakeholders — can use progress.report out of the box.

Web & Digital Agencies

Replace status meetings

Publish after every sprint. Your client always knows where their project stands without a single email or meeting. Use custom themes to match each client's brand.

Freelancers & Contractors

Look like a bigger operation

A polished live progress URL sets you apart. Clients see professional milestone tracking instead of ad-hoc text updates. The free tier handles up to 3 active projects.

DevOps & Platform Teams

Show engineering impact

Publish build and test results from CI on every merge. Stakeholders see real-time test coverage and release readiness — not a spreadsheet that's two weeks out of date.

Compliance-Driven Engineering

Audit-ready from day one

Track SOC 2, HIPAA, ISO 27001, or PCI-DSS certifications alongside your build. Share a single URL with your auditor. No separate spreadsheet, no copy-paste.

Product & Consulting Firms

Multi-client portfolio management

Manage dozens of clients from one developer account. Each gets a unique branded URL. Publish updates to multiple projects with separate config files in a single monorepo.

Internal Platform Teams

Internal stakeholder transparency

Give executives and product managers a live view of infra migrations, platform upgrades, and internal tooling projects — without adding them to Jira.

Ecosystem

Integrations & Ecosystem Vision

progress.report is not a compliance tool. It is not a test runner. It is not a CI platform. It is the unified progress layer — the glass panel that reads from the best specialized tools in each domain and surfaces the combined output as a single live page for clients, stakeholders, and auditors.

The philosophy: aggregate, don't replace

Tools like Vanta automate evidence collection and continuously monitor your security posture. Jest verifies your code does what it claims. GitHub Actions proves your builds pass. SonarQube measures technical debt. Each is best-in-class at one thing.

progress.report doesn't try to do any of those things better — it reads their output and answers the question your client actually asks: "Is the project on track? What needs my attention? When will we be done?" One URL. Always current. No login.

The long-term goal is for every progression type — build milestones, test coverage, compliance certification, code quality scores, security posture, accessibility audits — to feed automatically into the viewer from the tools that measure them best.

Compliance & Security Posture

Vanta Planned

Read compliance test results and evidence collection status via Vanta API. Map passing/failing controls directly to compliance tab phases.

Drata Planned

Sync automated control tests from Drata's continuous monitoring into the compliance progression tab.

Secureframe Planned

Pull remediation checklists and audit readiness scores from Secureframe into the compliance tab.

AWS Security Hub Planned

Ingest Security Hub findings and compliance standards scores (CIS, PCI-DSS, FSBP) as compliance phase tasks.

Manual JSONC Live now

Author your compliance checklist directly as a .jsonc file. Use the built-in SOC 2, HIPAA, ISO 27001, PCI-DSS, and GDPR templates.

How Vanta integration will work: Vanta exposes a read-only REST API that returns the status of every automated test for each control. A progress.report connector will poll this API (or accept a webhook), map each control to a phase task, and publish the result automatically — turning Vanta's internal dashboard into a client-facing progress URL with no manual effort.

Unit & Integration Testing

Jest Partial

Pass --json --outputFile=results.json output to the CLI via --results flag. Full native overlay planned.

Vitest Planned

Vitest JSON reporter output mapped directly to test phase tasks. Native adapter in development.

Pytest Planned

Read pytest --json-report output and map test modules to phases, individual tests to tasks.

Playwright / Cypress Planned

E2E test suites mapped as a separate category tab — show clients that user flows are verified end-to-end.

Go test Planned

Parse go test -json output. Package-level grouping becomes phases; individual tests become tasks.

JUnit XML Planned

Universal JUnit XML format — works with Java, Kotlin, Ruby, .NET, and any CI system that emits standard XML test reports.

Manual JSONC spec Live now

Define your test spec as a .jsonc file. Set testSpec in config and every publish includes the Unit Tests tab automatically.

CI/CD & Build Pipelines

GitHub Actions Live now

Run npx progress-report publish as a step. Full workflow example in the CI/CD section below.

GitLab CI Live now

Works today via the CLI. Add a deploy stage that publishes on merge to main.

GitHub App Planned

Install once — no workflow YAML. The app publishes automatically on every push, reads Actions run results, and maps them to your progress page.

CircleCI Live now

Use the CLI in any run: step. CircleCI orb planned for one-line integration.

Vercel / Netlify Planned

Deploy hooks that publish a "Deployed" milestone on successful production deployments — automated release tracking.

Jenkins Live now

Call the REST API directly from a pipeline step or shell script. No Node.js required — plain curl works.

Code Quality & Security Scanning

SonarQube / SonarCloud Planned

Pull quality gate status, coverage %, code smells, and security hotspots as a dedicated Code Quality tab.

Snyk Planned

Map open vulnerabilities by severity as phase tasks. Show clients your dependency security posture with zero manual effort.

Dependabot / Renovate Planned

Surface open dependency PRs as actionable tasks. Count of outstanding upgrades visible in the Build tab.

Lighthouse / axe Planned

Web performance and accessibility audit scores mapped to a dedicated Accessibility & Performance tab.

OWASP ZAP Planned

Dynamic application security test (DAST) results as security phase tasks — alerts, warnings, and informational findings.

What works today

You don't need to wait for native integrations. Every tool above produces structured output — JSON, XML, or text — that you can map to a progress.report payload today using a small script. The architecture is already designed for it.

The pattern is always the same:

Run your tool and capture its structured output
Write a script that maps tool output → { phases: [...], categories: {...} }
POST to https://api.progress.report/api/publish with your API key

bash — example: Jest results → progress.report

# Run Jest, output JSON
npx jest --json --outputFile=jest-results.json

# Publish checklist + test results together
npx progress-report publish

bash — example: Vanta API → progress.report (concept)

# Pull Vanta control statuses (read-only API key)
curl https://api.vanta.com/v1/controls?framework=soc2 \
  -H "Authorization: Bearer $VANTA_API_KEY" \
  > vanta-controls.json

# Map Vanta output → compliance phases and POST to progress.report
# (progress.report Vanta adapter — coming soon)
node scripts/vanta-to-progress.mjs --input vanta-controls.json

Build your own adapter today. The publish API accepts any valid phases/categories payload. If you build an adapter for a popular tool and want to share it, send it to hello@progress.report — we'll publish it as an official integration.

Progression types on the roadmap

Beyond what exists today, these are the distinct types of progress we plan to support as first-class tabs in the viewer:

Tab / Category	Source tools	Status
Build — project milestones	Manual JSONC, Jira, Linear, GitHub Issues	Live
Unit Tests — test suite results	Manual JSONC, Jest (partial), Vitest, Pytest, JUnit XML	Live / Planned
Compliance — certification progress	Manual JSONC, Vanta, Drata, Secureframe, AWS Security Hub	Live / Planned
E2E Tests — user flow verification	Playwright, Cypress, Selenium	Planned
Code Quality — maintainability & coverage	SonarQube, SonarCloud, Codecov	Planned
Security — vulnerability posture	Snyk, OWASP ZAP, Dependabot, GitHub Advanced Security	Planned
Performance — speed & accessibility	Lighthouse, axe-core, WebPageTest	Planned
Deployments — release history	Vercel, Netlify, Heroku, AWS CodeDeploy	Planned
Custom — any domain-specific metric	Any tool via the publish API	Live

Pricing

Simple, transparent pricing

Start free. Upgrade when you grow. No per-seat fees, no surprise overages.

Free

$0 / month

Everything you need to get started. No credit card required.

Up to 3 active clients
All viewer tabs (Build, Tests, Compliance)
Custom branding & themes per client
Full CLI access
REST API access
Community support

Get started free →

Quickstart

From zero to a live client progress page in under five minutes.

Step 1 — Create your developer account

Send one request. Your API key is returned immediately and shown only once — save it.

bash

curl -X POST https://api.progress.report/api/accounts \
  -H "Content-Type: application/json" \
  -d '{"email": "you@yourcompany.com"}'

json — response

{
  "accountId": "Kx9mPqR2nYvBt7cWdLa3",
  "email":     "you@yourcompany.com",
  "apiKey":    "pr_live_a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
  "plan":      "free",
  "note":      "Save your API key — it will not be shown again."
}

Store your API key in a password manager or secrets vault. It cannot be recovered — only rotated.

Step 2 — Set up your project

In your project directory, run the interactive setup wizard:

bash

npx progress-report init

The wizard prompts for your API key, developer slug, project name, view name, brand colors, and checklist filename. It creates:

progress.config.json — your config (contains API key — add to .gitignore)
progress.jsonc — a starter checklist template

Your client's progress page URL is determined by the slugs you choose:

url

https://view.progress.report/{developer}/{project}/{view}

Share that URL with your client right away. It shows a placeholder until you publish.

Step 3 — Edit your checklist and publish

Open progress.jsonc and define your phases. Then:

bash

npx progress-report publish

output

── progress.report ────────────────────────
  View     : acme/website-redesign/build
  Artifact : checklist (progression)
  Name     : Acme Corp Website Redesign
  Version  : 0.1.0
  Phases   : 3
  Progress : 2/8 done (1 in-progress, 1 need-you, 0 blocked)
  Publishing checklist… ✓

  Live at: https://view.progress.report/acme/website-redesign/build
  v0.1.0 · 2026-04-08

Publish again any time something changes. Your client's URL always reflects the latest state.

CLI

CLI Guide

The progress-report CLI is the primary way to publish updates. No global install required — use npx.

init

Set up a new project. Run once per project directory.

bash

npx progress-report init

Creates progress.config.json and a starter progress.jsonc template.

publish

Read your checklist and push it to the API.

bash

# Basic publish
npx progress-report publish

# Auto-increment patch version (1.0.0 → 1.0.1)
npx progress-report publish --bump

# Set an explicit version
npx progress-report publish --version 2.0

# Preview payload without making the API call
npx progress-report publish --dry-run

# Use a specific config file (multiple clients per repo)
npx progress-report publish --config ./client-acme/progress.config.json

Flag	Description
`--bump`	Increment patch version before publishing (1.0.0 → 1.0.1)
`--version <v>`	Set an explicit version string
`--dry-run`	Show what would be published without calling the API
`--config <path>`	Path to a specific `progress.config.json`

status

Fetch and display the currently published progress in your terminal.

bash

npx progress-report status

output

── progress.report · acme/website-redesign/build ──────────
  Name     : Acme Corp Website Redesign
  Version  : 0.3.0
  Updated  : 2026-04-08

  checklist (progression) — 4/9 items done
  ● Discovery  [Complete]
      ●  Requirements workshop
      ●  Content audit
  ◑ Design  [In Progress]
      ●  Wireframes
      ◑  Visual design
      ▲  Client approval
  ○ Development  [Pending]
      ○  Frontend build
      ○  Go live

  View: https://view.progress.report/acme/website-redesign/build

progress.config.json

Created by init. Lives in your project root. Add to .gitignore — it contains your API key.

json

{
  "developer":  "acme",
  "project":    "website-redesign",
  "view":       "build",
  "artifact":   "checklist",
  "apiKey":     "pr_live_...",
  "checklist":  "./progress.jsonc",
  "client": {
    "name":    "Acme Corp Website Redesign",
    "company": "Acme Corp",
    "tagline": "Website Redesign — Build Progress",
    "footer":  "Acme Corp · progress.report"
  },
  "theme": {
    "primary":      "#1D4ED8",
    "primaryLight": "#3B82F6",
    "accent":       "#10B981"
  }
}

Field	Required	Description
`developer`	Yes	Your account / org slug (e.g. `"acme"`)
`project`	Yes	Project slug (e.g. `"website-redesign"`)
`view`	Yes	View slug — what gets shared with the client (e.g. `"build"`, `"compliance"`)
`artifact`	Yes	Artifact slug — this progression's role within the view (e.g. `"checklist"`)
`type`	No	Artifact type: `progression` (default), `testspec`, `compliance`, `custom`
`apiKey`	Yes	Your developer API key (`pr_live_...`)
`endpoint`	No	API base URL — defaults to `https://api.progress.report`
`checklist`	Yes	Path to your `.jsonc` progression checklist file
`testSpec`	No	Path to a `.jsonc` test spec — auto-published as a separate `tests` artifact in the same view
`client`	No	Branding shown on the progress page
`theme`	No	Hex color overrides for the progress page

Multiple clients in one repo

Keep separate config files per client and use --config:

bash

npx progress-report publish --config ./clients/acme/progress.config.json
npx progress-report publish --config ./clients/bravo/progress.config.json

Checklist Format

Checklist Schema

The progress.jsonc file is the only thing you edit regularly. JSONC (JSON with Comments) is fully supported.

progress.jsonc

{
  // Status values: done | in_progress | you | pending | blocked

  "project":   "Acme Corp Website Redesign",
  "version":   "0.3.0",
  "updatedAt": "2026-04-04",  // auto-stamped on every publish

  "phases": [
    {
      "id":     "1",
      "name":   "Discovery",
      "status": "done",
      "tasks": [
        {
          "id":       "1.1",
          "name":     "Requirements workshop",
          "status":   "done",
          "subtasks": [
            { "id": "1.1.1", "name": "Stakeholder interviews", "status": "done" },
            { "id": "1.1.2", "name": "Technical requirements doc", "status": "done" }
          ]
        }
      ]
    },
    {
      "id":     "2",
      "name":   "Design",
      "status": "in_progress",
      "tasks": [
        { "id": "2.1", "name": "Wireframes",      "status": "done",        "subtasks": [] },
        { "id": "2.2", "name": "Visual design",  "status": "in_progress", "subtasks": [] },
        { "id": "2.3", "name": "Client approval", "status": "you",         "subtasks": [] }
      ]
    }
  ]
}

Status values

doneComplete ✓

in_progressCurrently active

youClient action needed

pendingNot started

blockedWaiting on dep.

you is the most powerful status — it shows the client exactly what they need to do. Items marked you get a prominent orange badge and appear in the action-needed count at the top of the page.

Theming

Set colors in progress.config.json under the theme key. All values are CSS hex colors. The most impactful fields:

Key	Default	Controls
`primary`	`#1D4ED8`	Header background, in-progress bars, active phase badge
`primaryLight`	`#3B82F6`	Stats bar below header
`accent`	`#10B981`	Done status, overall progress bar fill
`bg`	`#F1F5F9`	Page background
`card`	`#FFFFFF`	Phase card background

All theme keys map directly to CSS custom properties. Adding a new key automatically wires it up — no viewer changes required.

Developer Portal

dev.progress.report is your dashboard for managing clients, editing themes, and accessing your API key — no CLI required.

Signing in

Enter your API key (pr_live_...) on the Sign In tab. Your key is stored in localStorage and never sent anywhere except the API.

Dashboard

The dashboard shows all your client projects as tiles. Each tile displays:

Project name and client ID
Overall progress percentage
Color swatches from the active theme
Direct link to the live viewer page

Color palette editor

Click any tile to open the client detail view. The palette editor lets you set 11 CSS custom properties — primary, accent, background, card, text, and more — with a live mini-preview that updates as you type. Saving applies the theme to the live viewer immediately without republishing your checklist.

Creating an account without the CLI

Use the Create Account tab on the portal sign-in screen. Enter your email and your API key is returned once — copy it immediately.

Progression Framework

Views & Artifacts

Every progress page is a view — a stable URL you share with a client. A view contains one or more artifacts, each an independently publishable progression. The viewer renders artifacts as tabs; the framework doesn't know or care about "tabs."

URL structure

https://view.progress.report/developer/project/view/artifact

  developer  — your account or org slug
  project    — the project or engagement slug
  view       — the shareable client-facing context (e.g. "build", "compliance")
  artifact   — deep-link to a specific artifact tab (optional)

Navigating to the 3-segment URL loads the full view with all artifact tabs visible. The 4-segment URL deep-links directly to a specific artifact.

// Share with client — shows all tabs
https://view.progress.report/acme/website-redesign/build

// Deep-link to a specific artifact
https://view.progress.report/acme/website-redesign/build/checklist
https://view.progress.report/acme/website-redesign/build/tests
https://view.progress.report/acme/website-redesign/compliance/soc2

Artifact types

Every artifact has a type that controls how the viewer labels statuses. All types use the same underlying phases → tasks → subtasks data structure.

Type	Done label	Blocked label	Pending label	Use for
`progression`	Done	Blocked	Pending	Build milestones, general checklists
`testspec`	Pass	Fail	Not Run	Unit tests, integration tests, E2E
`compliance`	Compliant	Non-Compliant	Not Assessed	SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR
`custom`	Done	Blocked	Pending	Any custom process or workflow

Independent publishing

Each artifact is published separately. Different tools, pipelines, or team members can own different artifacts within the same view — they never overwrite each other.

json — progress.config.json (checklist artifact)

{
  "developer": "acme",
  "project":   "website-redesign",
  "view":       "build",
  "artifact":   "checklist",
  "type":       "progression",
  "checklist":  "./progress.jsonc",
  // testSpec publishes automatically as the "tests" artifact in the same view
  "testSpec":   "./testspec.jsonc"
}

When you run npx progress-report publish with a config that has both checklist and testSpec, two artifacts are published to the same view:

  Publishing checklist… ✓
  Publishing tests…     ✓

  Live at: https://view.progress.report/acme/website-redesign/build

Each artifact can also be published from a completely separate config — for example, a CI pipeline that only updates the tests artifact without touching the checklist.

Ownership is per view. The first account to publish to acme/website-redesign/build claims that view. All artifacts within it must come from the same account. Future releases will support guest contributors.

API Reference

Base URL: https://api.progress.report

Authenticated endpoints require one of:

Authorization: Bearer pr_live_... header
X-Api-Key: pr_live_... header

The GET /api/r/:developer/:project/:view endpoint is public — no auth required. Everything else requires your API key.

POST /api/accounts PUBLIC

Create a developer account. Returns your API key — shown once.

Request body

json

{ "email": "you@example.com" }

Response 201

json

{
  "accountId": "Kx9mPqR2nYvBt7cWdLa3",
  "email":     "you@example.com",
  "apiKey":    "pr_live_a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
  "plan":      "free",
  "note":      "Save your API key — it will not be shown again."
}

GET /api/accounts/me AUTH REQUIRED

Return the authenticated account's details. Useful for verifying an API key.

Response 200

json

{
  "accountId":    "Kx9mPqR2nYvBt7cWdLa3",
  "email":        "you@example.com",
  "plan":         "free",
  "apiKeyPrefix": "pr_live_a3b4"
}

GET /api/clients AUTH REQUIRED

List all views belonging to your account.

Response 200

json

{
  "views": [
    {
      "developer": "acme",
      "project":   "website-redesign",
      "view":      "build",
      "name":      "Acme Corp Website Redesign",
      "url":       "https://view.progress.report/acme/website-redesign/build"
    }
  ]
}

PATCH /api/clients/:developer/:project/:view AUTH REQUIRED

Update a view's display name, branding, and/or theme. Theme changes are applied to the live viewer immediately — no republish required.

Request body

json

{
  "name":   "Acme Corp Website Redesign v2",  // optional
  "client": { "company": "Acme Corp" },           // optional
  "theme":  { "primary": "#005691" }              // optional
}

Response 200

json

{
  "ok":        true,
  "developer": "acme",
  "project":   "website-redesign",
  "view":      "build",
  "url":       "https://view.progress.report/acme/website-redesign/build"
}

GET /api/r/:developer/:project/:view PUBLIC

Load a complete view — returns metadata and all published artifacts. This is the primary endpoint used by the viewer.

Response 200

{
  "developer":  "acme",
  "project":    "website-redesign",
  "view":        "build",
  "name":        "Acme Corp Website Redesign",
  "client":      { /* branding */ },
  "theme":       { /* colors */ },
  "artifacts": [
    {
      "artifact":   "checklist",
      "type":       "progression",
      "name":       "Build Progress",
      "version":    "0.3.0",
      "updatedAt":  "2026-04-07",
      "phases":     [ /* phases → tasks → subtasks */ ]
    },
    {
      "artifact":   "tests",
      "type":       "testspec",
      "name":       "Unit Tests",
      "phases":     [ /* suites → test cases */ ]
    }
  ]
}

GET /api/r/:developer/:project/:view/:artifact PUBLIC

Load a single artifact record directly.

POST /api/publish AUTH REQUIRED

Publish an artifact to a view. Creates the view on first publish; overwrites the artifact on subsequent publishes. Each artifact within a view appears as a tab in the viewer.

Request body

json

{
  "developer":  "acme",                            // required
  "project":    "website-redesign",               // required
  "view":        "build",                          // required
  "artifact":    "checklist",                      // required
  "type":        "progression",                    // optional — defaults to "progression"
  "name":        "Acme Corp Website Redesign",    // optional — tab display label
  "version":     "0.3.0",                          // optional
  "updatedAt":   "2026-04-07",                     // optional — defaults to today
  "phases": [                                            // required
    {
      "id": "1", "name": "Discovery", "status": "done",
      "tasks": [
        { "id": "1.1", "name": "Requirements", "status": "done", "subtasks": [] }
      ]
    }
  ],
  "client": { "name": "...", "company": "...", "tagline": "..." },  // optional
  "theme":  { "primary": "#1D4ED8", "accent": "#10B981" }           // optional
}

Response 200

json

{
  "ok":          true,
  "developer":   "acme",
  "project":     "website-redesign",
  "view":         "build",
  "artifact":     "checklist",
  "type":         "progression",
  "version":      "0.3.0",
  "url":          "https://view.progress.report/acme/website-redesign/build",
  "updatedAt":    "2026-04-07"
}

Error responses

All errors return {"error": "description"} with an appropriate HTTP status.

Status	Meaning
`400`	Bad request — missing required field or invalid format
`401`	Missing or invalid API key
`403`	View belongs to a different account
`404`	View or artifact not found
`409`	Conflict — email already taken
`500`	Server error

Compliance Models

Compliance Progressions

Track certification work — SOC 2, HIPAA, PCI-DSS, ISO 27001, GDPR — the same way you track a build: phases, tasks, and live status for clients and auditors.

Each compliance model below is a pre-built progression template. Every phase maps to a real control family in the framework, and every task maps to a specific requirement. Publish as the Compliance tab alongside your build and unit test tabs.

All items start as pending. Mark tasks in_progress as you implement them and done once evidence is collected. Use you for items that require a client or auditor action. The viewer shows this live — no separate audit spreadsheet needed.

CLI (planned)

bash

# Initialize a project with a compliance template pre-loaded
npx progress-report init --template soc2
npx progress-report init --template hipaa
npx progress-report init --template pci-dss
npx progress-report init --template iso27001
npx progress-report init --template gdpr

# Stack multiple frameworks
npx progress-report init --template hipaa --template soc2

SOC 2 Type II

Framework: AICPA Trust Services Criteria (TSC)
Template ID: soc2-type2
Who needs it: SaaS companies, cloud services, any org storing or processing customer data. Required by enterprise procurement in most B2B sales cycles.

SOC 2 Type II covers a 12-month observation window — controls must be operating continuously, not just implemented. Start the clock as early as possible. Type I (point-in-time) can be issued first while Type II evidence accumulates.

Phase	Control Family	What it proves
`CC1`	Control Environment	Your org has governance, ethics policy, and accountability structures that support security
`CC2`	Communication & Information	Policies are documented, published, and communicated — staff and customers know what the rules are
`CC6`	Logical & Physical Access	Only the right people access systems, via MFA, least-privilege, and encryption (AES-256 / TLS 1.2+)
`CC7`	System Operations	You detect, respond to, and recover from incidents — scanning, alerting, and runbooks are tested
`CC8`	Change Management	Every production change is reviewed, linked, and reversible — no cowboy deploys
`CC9`	Risk Mitigation	You've formally assessed risk, evaluated vendors, and have a BCP if things go wrong
`A1`	Availability	SLA is defined, DR is tested — customers can rely on your uptime commitments
`AUDIT`	Audit Readiness	Evidence is organized, auditor is engaged, and the Type II report is issued at the end

Key requirements to know

CC6.1 — MFA on all production system access. No exceptions for admins.
CC6.7 — Encryption at rest (AES-256) and in transit (TLS 1.2+) is non-negotiable.
CC7.4 — Tabletop exercise: you must actually run the incident response playbook, not just write it.
CC8.1 — Code review before every production deploy. PR approval history is the evidence.
AUDIT.2 — The 12-month window starts here. Don't wait until you're "ready" — start collecting evidence now.

HIPAA

Framework: U.S. Health Insurance Portability and Accountability Act (2026 modernized rules)
Template ID: hipaa-2026
Who needs it: Healthcare SaaS, apps handling PHI or ePHI, business associates of covered entities (hospitals, clinics, insurers). Required before any healthcare client can share patient data with you.

Under the 2026 HIPAA modernization, encryption at rest is now Required (not Addressable). AES-256 is mandatory — not a recommendation. Breach notification to covered entities is reduced to 24 hours (down from 60 days for initial notice).

Phase	Safeguard	What it covers
`H1`	Administrative	Security officer, workforce training, BAAs with every vendor, annual risk assessment
`H2`	Physical	Facility access, workstation controls, NIST SP 800-88 compliant device disposal
`H3`	Technical	Unique user IDs, MFA (mandatory for admin), session timeout, AES-256 at rest, TLS in transit, immutable audit logs with actor/action/rationale, SHA-256 integrity hashing
`H4`	Breach Notification	Anomaly detection active; 24-hour notice to covered entity; HHS report within 60 days
`H5`	Patient Rights (DSAR)	Access, deletion, and portability workflows; Privacy Practices notice published

Key requirements to know

H1.4 — Business Associate Agreement required with every vendor touching PHI — cloud providers, analytics tools, email services.
H3.4 — AES-256 at rest is now Required, not Addressable under 2026 rules. "We assessed it as unnecessary" is no longer a valid response.
H3.6 — Audit logs must be immutable and include actor, action, resource, timestamp, and rationale. Append-only storage (e.g. Cloud Logging, Firestore with no delete) satisfies this.
H4.2 — 24-hour breach notification to the covered entity (hospital/clinic). Automate the alert; don't rely on a human noticing.
H5.1 — DSAR workflow must be functional before go-live, not a backlog item.

PCI-DSS v4

Framework: Payment Card Industry Data Security Standard v4.0
Template ID: pci-dss-v4
Who needs it: Any service that stores, processes, or transmits cardholder data (CHD). Required by Visa, Mastercard, and all major card brands. Non-compliance results in fines and loss of card processing ability.

The safest PCI-DSS strategy is scope reduction — if you never touch raw card numbers (use Stripe, Braintree, or another PCI-compliant processor), your compliance surface shrinks dramatically. Only the integration points with the processor remain in scope.

Phase	Requirement area	What it covers
`PCI1`	Network Security	CDE isolation, firewall rules documented and reviewed quarterly, no direct internet path to card data
`PCI2`	Data Protection	PANs masked in logs/UIs (last 4 only), AES-256 at rest, TLS in transit, no CVV2/PIN/full stripe storage
`PCI3`	Vulnerability Management	Anti-malware in CDE, critical patches within 1 month, quarterly internal scans, annual pentest
`PCI4`	Access Control	Unique IDs only (no shared accounts), MFA on all admin access, least-privilege, access revoked within 24h of role change
`PCI5`	Monitoring & Testing	All CDE access logged, logs protected and retained 12 months, daily log review, file integrity monitoring
`PCI6`	Security Policies	Annual policy review, annual security training, QSA engagement for Level 1 merchants

Key requirements to know

PCI2.1 — PANs (card numbers) must be masked everywhere — logs, support tools, admin UIs. Showing more than the last 4 digits is a violation.
PCI2.4 — You may never store CVV2, PIN, or full magnetic stripe data after authorization, even encrypted.
PCI4.1 — Shared accounts in the CDE are a direct violation. Every user must have a unique ID with individual accountability.
PCI5.3 — Daily log review is required. Automate with SIEM alerting; manual review doesn't scale.
PCI3.4 — Annual external penetration test must be conducted by a qualified internal resource or approved third party.

ISO 27001:2022

Framework: Information Security Management System (ISMS) — ISO/IEC 27001:2022
Template ID: iso27001-2022
Who needs it: Enterprise SaaS targeting international customers, organizations in regulated industries, and any company where prospects request a formal ISMS certificate rather than a self-attestation questionnaire.

ISO 27001 is a management system standard, not a checklist. It requires you to establish, operate, monitor, review, maintain, and continually improve an ISMS. The 2022 revision reorganized Annex A from 114 to 93 controls across 4 themes (Organizational, People, Physical, Technological).

Phase	ISMS component	What it covers
`ISO1`	Scope & Context	Organizational context documented, ISMS scope approved, interested parties identified — establishes what's in and out of scope
`ISO2`	Risk Assessment	Asset register, threat/vulnerability assessment, risk register with ratings, risk treatment plan approved by management
`ISO3`	Controls (Annex A)	Access control (A.5.15), cryptography policy (A.8.24), secure dev lifecycle (A.8.25), supplier security (A.5.19–5.22), incident management (A.5.24–5.28), BCP (A.5.29–5.30), Statement of Applicability
`ISO4`	Internal Audit	Audit programme established, first audit conducted, non-conformities documented with corrective action plans
`ISO5`	Certification Audit	UKAS-accredited body selected, Stage 1 (docs) passed, Stage 2 (implementation) passed, certificate issued

Key requirements to know

ISO2.4 + ISO3.7 — The Statement of Applicability (SoA) is the single most important document for the audit. It lists every Annex A control, whether you've applied it, and why (or why not). Start it early.
ISO3.1 (A.5.15) — Access control policy must be implemented and reviewed. Having the policy isn't enough — the auditor will check that it's being followed.
ISO4.2 — You must conduct at least one internal audit before the certification audit. It cannot be done by the same person responsible for the area being audited.
ISO5.1 — Choose a UKAS-accredited (or equivalent national accreditation body) certification body. Non-accredited certificates are not recognized in most enterprise procurement contexts.
ISO5.2 — Stage 1 is a documentation review. Have your ISMS policy, risk register, SoA, and internal audit report complete before scheduling it.

Framework: EU General Data Protection Regulation (Regulation 2016/679)
Template ID: gdpr
Who needs it: Any service with EU users or that processes EU personal data — regardless of where the company is based. Fines up to €20M or 4% of global annual turnover, whichever is higher.

GDPR applies even if your company is not in the EU. If a person in Germany signs up for your app, GDPR applies to that data. The "we're a US company" defense does not work — regulators in Ireland, Germany, and France have issued fines against US companies.

Phase	Area	What it covers
`G1`	Data Mapping	ROPA (Records of Processing Activities, Art. 30), data flows mapped end-to-end, legal basis documented per activity (consent, legitimate interest, contract, legal obligation)
`G2`	Data Subject Rights	Right of access (30-day export), right to erasure (deletion workflow), right to portability (JSON/CSV), consent management with granular opt-in and easy withdrawal
`G3`	Privacy by Design	Data minimization enforced, Art. 13/14 privacy notice published in plain language, cookie consent banner compliant (no pre-ticked boxes), DPIA for high-risk processing (Art. 35)
`G4`	Breach & DPA	Breach detection active, 72-hour supervisory authority notification, Data Processing Agreements with all processors, transfer mechanisms for non-EU data flows (SCCs or adequacy decision)

Key requirements to know

G1.1 (Art. 30) — The ROPA must list every processing activity: what data, why, who has access, how long it's kept, where it's stored. Controllers with <250 employees may be exempt from some ROPA requirements, but documenting it is best practice regardless.
G1.3 — Every processing activity needs a documented legal basis. "We thought it was fine" is not a legal basis. Common bases: consent, performance of a contract, legal obligation, legitimate interests (requires balancing test).
G2.1 — Subject Access Requests must be fulfilled within 30 days. Build the export workflow before you have users, not after you receive your first SAR.
G3.3 — Cookie consent banners must have no pre-ticked boxes and must make declining as easy as accepting. "Reject all" must be one click.
G4.2 — Breach notification to the supervisory authority (e.g. ICO in the UK, CNIL in France) within 72 hours of becoming aware. You don't need to know the full scope — report what you know and update later.
G4.4 — Data leaving the EU to a non-adequate country (e.g. the US) requires a transfer mechanism. Standard Contractual Clauses (SCCs) are the most common; check the EU Commission's adequacy list for your destination country.

Interaction with other frameworks

GDPR overlaps with HIPAA (both cover breach notification and data subject rights), ISO 27001 (both require a DPIA-equivalent for high-risk processing), and PCI-DSS (both require data minimization and documented retention policies). If you're pursuing multiple certifications, map the overlapping controls first — work done for one often satisfies another.

Automation

CI/CD Integration

Publish progress automatically on every merge, deploy, or test run. The CLI works anywhere Node.js 18+ runs — GitHub Actions, GitLab CI, CircleCI, Jenkins, or any shell script.

GitHub Actions

Add a step at the end of your workflow to publish after every successful build or test run.

.github/workflows/publish-progress.yml

name: Publish progress

on:
  push:
    branches: [main]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"

      # Run your tests and capture output
      - name: Run tests
        run: npm test -- --json --outputFile=test-results.json

      # Publish checklist + test results to progress.report
      - name: Publish progress
        run: npx progress-report publish --bump
        env:
          # Store your API key in GitHub → Settings → Secrets
          PR_API_KEY: ${{ secrets.PROGRESS_REPORT_API_KEY }}

Store your API key as a GitHub Actions secret named PROGRESS_REPORT_API_KEY. The CLI reads it from the progress.config.json file — make sure that file is committed without the apiKey field, and inject the key via environment variable or a secrets manager at runtime.

GitLab CI

.gitlab-ci.yml

publish-progress:
  stage: deploy
  image: node:20-alpine
  script:
    - npx progress-report publish --bump
  only:
    - main

Direct API call (any environment)

If you can't install Node.js, publish directly with curl:

bash

curl -X POST https://api.progress.report/api/publish \
  -H "Authorization: Bearer $PR_API_KEY" \
  -H "Content-Type: application/json" \
  -d @publish-payload.json

Planned: Native GitHub App integration — no workflow file needed. Install the app, connect your repo, and progress publishes automatically on every push. See roadmap →

Concepts

URL Structure

Every progress page follows the same four-segment pattern, making URLs human-readable, brandable, and QR-code friendly.

https://view.progress.report/developer/project/view

https://view.progress.report/developer/project/view/artifact

Segment	Description	Example
`developer`	Your account or org slug	`acme`
`project`	Project or client engagement slug	`website-redesign`
`view`	The shareable client-facing context	`build`, `compliance`
`artifact`	Deep-link to a specific tab (optional)	`checklist`, `tests`, `soc2`

Slug rules

Each segment must be 1–64 characters: alphanumeric, hyphens, and underscores. Must start with a letter or digit. Slugs are case-sensitive.

✓ Valid slugs
acme  |  my-project  |  website_v2  |  QT-CRCF  |  build

✗ Invalid
-starts-with-dash  |  has spaces  |  has/slash

QR codes

A typical progress URL is 50–70 characters — well within the reliable range for printed QR codes. Use the 3-segment view URL for client-facing materials so the artifact tab structure can evolve without breaking existing codes.

Security

API keys

Format: pr_live_ prefix + 48 hex characters
Stored as SHA-256 hashes server-side — cannot be recovered, only rotated
Shown once at account creation — store in a password manager or secrets vault
Pass via Authorization: Bearer header or X-Api-Key header

What to keep out of version control

Add this to your project's .gitignore:

.gitignore

progress.config.json

Pass your test runner's JSON output directly to the CLI — npx progress-report publish --results=jest-results.json — and statuses update automatically without editing the spec file.

FAQ

Frequently asked questions

No. Clients receive a URL and visit it — no login, no invite, no app to install. The progress page is public and accessible to anyone with the link.

Not yet — custom domains are on the roadmap for Pro and Enterprise plans. Today all viewer pages are served from view.progress.report/{developer}/{project}/{view}. You can share the URL directly or embed the page in an iframe on your own site.

No publish rate limit on any plan. Each publish fully replaces the previous snapshot — it's not billed per operation. Publish after every commit if you like.

Keep a separate progress.config.json per client directory, then use --config to point at each one: npx progress-report publish --config ./clients/acme/progress.config.json. You can script multiple publishes in one CI step.

API keys are stored as SHA-256 hashes — we cannot recover them. You'll need to contact hello@progress.report to rotate your key. Store new keys in a password manager or secrets vault immediately.

The free plan supports up to 3 active clients. Upgrading to Pro ($29/month) gives you unlimited clients. If you're an agency and want to discuss volume pricing, contact us.

Yes. The compliance tab was built specifically for this. Track HIPAA, SOC 2, ISO 27001, PCI-DSS, and GDPR certifications alongside your build. Don't include PHI or PII in task names — progress pages are public URLs. For private compliance tracking, Enterprise plans with access controls are on the roadmap.

Marking a task "status": "you" means the client needs to take an action before work can continue. These items appear with an orange badge at the top of the viewer page — prominently, so clients can't miss them. Use it for approvals, access grants, content delivery, or payment milestones.

Not currently. The CLI is MIT-licensed and open-source on npm. The API and viewer are proprietary. We may open-source more components as the product matures. Self-hosted enterprise deployments are available on the Enterprise plan.

Support

Get help

We're a small team and we respond personally. If something is broken or unclear, reach out — we take it seriously.

Email support

Email hello@progress.report for any question: billing, API behavior, feature requests, or bugs. We aim to respond within one business day.

Bug reports

Found a reproducible bug? Include:

The exact command you ran (redact your API key)
The full error output or unexpected response
Your progress.config.json (redact apiKey)
Node.js version (node --version)
CLI version (npx progress-report --version)

Enterprise SLA

Enterprise customers receive a dedicated Slack channel and a 99.9% uptime SLA with 4-hour response time for P1 incidents. Contact us to discuss.

API status

Verify the API is reachable at any time:

bash

curl https://api.progress.report/api/health

json — response

{ "ok": true, "service": "progress.report", "version": "1.0.0" }