Transparent. Technical. Verifiable.

MCSA takes FtaDSL text files (up to 10 MB) and computes fault trees and minimal cut-sets from them. The entire processing path runs in the server's RAM — at no point is your input persisted to disk.

1. 1. Your browser posts the upload over HTTPS to `mcsa.appliedfusa.de`.
2. 2. Nginx buffers the request in RAM (12 MB buffer, no disk spill).
3. 3. FastAPI writes the file into a temporary directory — which lives in a container tmpfs (RAM disk, 512 MB).
4. 4. The native C++17 binary `mcsa` parses and analyses the architecture.
5. 5. The result ZIP is built in-memory and streamed directly to your browser.
6. 6. The temp directory lives on tmpfs (RAM). After response completion, a `finally` block actively cleans it up in the regular case; on a hard container abort (e.g. OOM kill) the kernel discards the tmpfs contents at container end anyway — no disk spill possible.

Persistence

None. The audit database stores only metadata: your login email, the client IP, and a timestamp. Neither filenames nor contents nor analysis results ever leave RAM for disk.

Retention

IP + timestamp are automatically deleted from the database after at most 7 days (hourly cleanup job). The same window applies to expired magic-link tokens.

AI use

None. All computations run in the native C++ binary on our server. No external models, no LLM APIs, no third-party analysis.

A structured interview walks you through the core ISO 26262 requirements. The current Beta runs entirely in your browser — your input never leaves your device. The Markdown export is delivered directly as a file download. Interview is currently in German.

Today (Beta)

Vanilla HTML/CSS/JS wizard in the browser. No server requests, no storage, no cookies, no analytics. Closing the tab discards all state.

Data flow today

Your input stays in browser memory (RAM). The Markdown report is assembled client-side and downloaded as a Blob — it never reaches us.

AI use today

None. The Markdown structure is assembled deterministically from your input.

Planned (full version)

Native binary on our VPS, architecturally on the same pattern as MCSA. Persistable projects, multilingual exports, integration of MCSA analysis outputs (cut-sets, KPIs) as evidence references.

Structure (full version)

Follows Goal Structuring Notation (GSN). Template library per standard (ISO 26262, IEC 61508, IEC 62304).

Optional later

An optional text-polishing feature (e.g. style smoothing) could, in a later version, use an LLM service. If so, strictly opt-in per request — and never for safety-relevant argumentation.

csa26 is distributed as a GitHub Action and runs on your repository's own CI runner. Your source code never leaves your repository — the analysis happens in a container that GitHub launches in your account on every push. Applied FuSa has no access to your code, no telemetry on your findings, no logs of your builds.

Stack self-contained

Fully self-contained. csa26 wraps no third-party static analyser. The lexer, preprocessor, parser, symbol/type system and rule engine are Apache-2.0 IP of Applied FuSa and fully traceable in the public repository.

Sub-processors

GitHub (Microsoft) — provides the CI runner and container registry hosting for the csa26 action image. Data processing under the terms of your GitHub contract. No further sub-processors.

Data storage

Applied FuSa stores no data about csa26 runs. All data generated (findings, SARIF reports, annotations) stays entirely in your GitHub repository under your control.

Pre-audit notice

csa26 is a pre-audit tool and does not replace formal compliance assessment against MISRA-C:2012. It points out possible rule violations; formal compliance certification remains the responsibility of your safety manager.

Rule subset

csa26 v1 covers a deliberately curated subset of 20 FuSa-prioritised MISRA-C:2012 rules (see README in the repository). Full MISRA-compliance verification was never claimed and is out of reach for any tool of this class.

AI use

None. Lexer, parser and rule engine work deterministically.

The riskforge chatbot is the first platform pillar that uses an LLM. A Claude Sonnet 4.6 model runs a structured interview that builds up an FtaDSL file step by step (raw architecture → +OIM/TLE → +IOM/S/O/D). Important separation: the LLM is the interview leader and notation translator — the actual FTA/FMEA analysis substance is then computed by the deterministic engines mcsa and fmea. This separation is an architecture decision for audit-fitness.

Sent to Anthropic

Full system prompt (~1500 tokens of methodology context, FtaDSL syntax reference, phase workflow); the complete running conversation history (all user and bot messages); the current DSL state as a code block in bot answers; validator output from mcsa --dump-arch as a tag ([VALIDATOR-OK] or [VALIDATOR-ERROR: …]) in the following user turn.

Not sent to Anthropic

User email address, IP address, cookie values, quota counters, logout events. Anthropic only sees the anonymous conversation stream.

Sub-processors (Art. 28 GDPR)

Anthropic PBC (USA) — LLM provider, processing under DPA · Hetzner Online GmbH (Falkenstein, Germany) — VPS hosting for the chatbot stack · Resend (USA) — magic-link mail delivery, DPA · Let's Encrypt / ISRG — TLS certificates. DPAs are countersigned before beta opening; for existing sub-processors (Hetzner), DPAs are already in place.

Third-country transfer (Chapter V GDPR)

Anthropic (USA) and Resend (USA) process data outside the EU. Legal basis: EU Standard Contractual Clauses under Art. 46(2)(c) GDPR (2021/914). We conduct a Transfer Impact Assessment (TIA) per EDPB Recommendation 01/2020 and add safeguards: TLS encryption in transit, no persistence of architecture data at Anthropic beyond the abuse-log window, Anthropic training opt-out by default.

Inference region (beta)

API routing uses inference_geo: "global". Anthropic typically routes to us-east-1, us-west-2, or eu-west (Ireland). No guaranteed EU region during beta. Migration to AWS Bedrock eu-central-1 (Frankfurt) is planned for the commercial launch (phase 3); the chatbot backend's provider abstraction is prepared for it.

Data retention at Anthropic

Anthropic stores API inputs/outputs for up to 30 days for abuse monitoring by default (see Anthropic retention policy). Model training on user data is disabled on our Anthropic account (opt-out by default).

Data retention at Applied FuSa

Email addresses are persisted with date, login history and an optional use-case note in a SQLite database (beta marketing list, deletion on request). The conversation history stays in browser state; the chatbot server is stateless. Magic-link tokens expire after 15 minutes. The generated DSL can be downloaded by the user as .txt — the server does not store it.

Model and caching

Default model is Claude Sonnet 4.6, switchable via configuration. Prompt caching is enabled for the system prompt and methodology context — reduces API cost and latency from the second turn of every conversation.

AI use and audit separation

The LLM only produces the DSL file (notation translation). The FTA computation (mcsa) and the FMEA derivation (fmea) are deterministic, audit-fit engines without LLM. Whoever wants to verify the methodology verifies the engines, not the model.

Status

Live since May 2026 (Phase-2 beta). Quota limits active, full-access allowlist for listed email addresses. Observation phase running.