Standards

We hold this site to the standard we hold yours to. The build fails if it slips.

Every promise on this page is a gate in our pipeline, not a sticker. We won't ship a regression — and we won't show you a score we haven't earned.

The bar

Targets, enforced — not trophies on a shelf.

These are the thresholds every build clears before it ships, this site included. We deliberately don't paint them green: a number only counts when it's measured live, on the real domain.

No fake green.
We render these as targets, not achievements. When CI is wired to the live domain (Phase 6), each links to its third-party report — and only then does it earn a checkmark. Honesty is the point.

  • Performance (Lighthouse): target 100
  • Accessibility (Lighthouse): target 100
  • Best Practices (Lighthouse): target 100
  • SEO (Lighthouse): target 100
  • TLS (SSL Labs): target A+
  • Headers (securityheaders.com): target A+
  • WCAG 2.2 (accessibility): target AA
  • Core Web Vitals (field & lab): target Good

The same bar applies to your work. Every project we ship inherits this pipeline — your build fails on the same gates ours does.

Posture

Privacy and security by construction.

Not a setting you switch on — the absence of the machinery that would compromise it.

Privacy & data

  • Self-host everything — fonts, icons, assets, scripts. Visitors never talk to a third party.
  • No cookies, no tracking — nothing to consent to, so no banner.
  • EU infrastructure, data minimised, logs anonymised and short-lived.
  • Privacy-first stats only — cookieless, no personal data — and only if asked.

Security

  • HTTPS-only, HSTS, strict CSP (default-src 'self'), modern headers.
  • Least-privilege access; dependencies audited and kept current.
  • Backups with tested restores — a backup we've never restored isn't a backup.
  • Coordinated disclosure via a published security.txt (upcoming) — found something? Email us.

Accessibility statement

We aim for WCAG 2.2 AA.

We want everyone to be able to use what we build. Accessibility here is a voluntary aim we hold ourselves to: this site targets WCAG 2.2 Level AA conformance, treated as a build requirement — not a finishing pass. The same standard applies to the software we deliver for clients. It's an aim, not a certification — we don't claim to have cleared every check on every page.

What we test

  • Colour contrast — text and UI meet AA ratios in both light and dark themes (see the design system's contrast work).
  • Full keyboard operability, visible focus states, and logical focus order.
  • Semantic HTML and ARIA where needed; screen-reader passes on primary flows.
  • Respect for prefers-reduced-motion and prefers-color-scheme.
  • Target sizes and spacing that meet AA pointer guidance.

Known limits & feedback

No site is ever perfectly done. If you hit a barrier — anything that's hard to read, navigate or operate — tell us and we'll fix it. Email disko@binary-punks.com with the page and what got in your way; we aim to respond within a few working days.

The details

The files most sites never bother with.

Standards live in the corners. Here's the plumbing we're shipping with the production build — the kind of thing only people who care set up.

>_ curl binary-punks.com/.well-known/
  • /security.txt: how to report a vulnerability — contact, policy, key
  • /llms.txt: what AI agents may read & how to cite us
  • /humans.txt: the people behind it — no robots-only here
  • /sitemap.xml: complete, current, auto-generated
  • /robots.txt: honest crawl rules, no dark corners
  • /.well-known/dnt-policy: Do-Not-Track honoured, stated plainly
  • DNSSEC + CAA: signed DNS; who may issue our certs, pinned
  • MTA-STS + TLS-RPT: enforced, reported transport security for mail

Upcoming. These ship with the production build (Phase 6) — they're not live yet. We list them here so you can hold us to shipping them; the details are where "attention to detail" stops being a slogan.

Scope honesty

What we don't do.

Knowing the edges of the workshop is part of trusting it. We'd rather say so than oversell.

We don't self-host AI models

Our AI is privacy-first by selection and deployment — chosen so your data isn't trained on or sold. We don't run our own models, and don't pretend to.

We don't add tracking

Not even the "friendly" kind — unless you explicitly ask for cookieless, privacy-first stats. The default is none.

We don't do dark patterns

No nag walls, no fake urgency, no roach-motel cancellations. If a tactic relies on tricking the user, it's out.

We don't ship black boxes

You get the source, the infra-as-code and the runbook. Nothing about your system is hostage to us.

Open commitments

What we're still improving.

A standard you can't see us working on is just marketing. Here's the live list.

Done
Self-host the brand fonts

The production build serves JetBrains Mono & Hanken Grotesk first-party via @nuxt/fonts — no font CDN — and the CI origin gate fails the build if any external origin slips in.

Planned
Wire the targets to live CI

Lighthouse, SSL Labs and header checks run on every commit against the live domain — turning the targets above from honest placeholders into linked, earned results.

Planned
Publish security.txt & llms.txt

Ship the well-known files listed above, with a real disclosure contact and signing key.

Done
AA contrast across light & dark

The token system is calibrated so primary text and UI meet AA in both themes — tested in the design system.
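
A sketch of the kind of CI origin gate described under "Self-host the brand fonts", given here as an added example and not the site's own pipeline code. The function names, the https scheme for the origin, and the sample build files are assumptions; it takes build output as in-memory text and reports every subresource reference that leaves the first-party origin, including protocol-relative URLs and srcset candidates.

```javascript
// Added example. SITE_ORIGIN uses the page's domain; names and sample data are assumptions.
const SITE_ORIGIN = "https://binary-punks.com";

// Tag/attribute pairs that make a browser fetch or connect without a click.
// <a href> is deliberately absent: an outbound link is navigation, not a subresource.
const FETCHING_ATTRS = {
  script: ["src"], link: ["href"], iframe: ["src"], img: ["src", "srcset"],
  source: ["src", "srcset"], video: ["src", "poster"], audio: ["src"],
};

function urlsInHtml(html) {
  const found = [];
  for (const [, tag, attrs] of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const wanted = FETCHING_ATTRS[tag.toLowerCase()] || [];
    for (const [, name, , value] of attrs.matchAll(/([a-z-]+)\s*=\s*(["'])(.*?)\2/gi)) {
      const attr = name.toLowerCase();
      if (!wanted.includes(attr)) continue;
      // srcset is "url descriptor, url descriptor"; the other attributes hold one URL.
      const parts = attr === "srcset" ? value.split(",") : [value];
      found.push(...parts.map((c) => c.trim().split(/\s+/)[0]));
    }
  }
  return found;
}

// Matches url(...) and @import "..." references in stylesheets and inline styles.
function urlsInCss(css) {
  return [...css.matchAll(/(?:url\(\s*["']?|@import\s+["'])([^"')\s]+)/gi)].map((m) => m[1]);
}

// files: { relativePath: fileText }. Returns every reference that leaves siteOrigin.
function findExternalOrigins(files, siteOrigin = SITE_ORIGIN) {
  const violations = [];
  for (const [path, text] of Object.entries(files)) {
    const urls = path.endsWith(".css") ? urlsInCss(text) : urlsInHtml(text).concat(urlsInCss(text));
    for (const url of urls) {
      let origin;
      try { origin = new URL(url, siteOrigin + "/").origin; } catch { continue; }
      // data: URLs report the opaque origin "null" and load nothing remote.
      if (origin !== "null" && origin !== siteOrigin) violations.push({ path, url, origin });
    }
  }
  return violations;
}

// Constructed sample build output (not the site's real files).
const SAMPLE_BUILD = {
  "index.html": `<link rel="stylesheet" href="/_nuxt/app.css">
<link rel="preconnect" href="//fonts.example.net">
<img src="/img/logo.svg" srcset="/img/a.png 1x, https://cdn.example.org/a@2x.png 2x">
<a href="https://example.com/elsewhere">outbound link</a>`,
  "_nuxt/app.css": `@font-face { font-family: "JetBrains Mono"; src: url(/fonts/jbm.woff2); }
body { background: url("data:image/png;base64,AAAA"); }`,
};
console.log(findExternalOrigins(SAMPLE_BUILD)); // a CI wrapper exits non-zero if non-empty
```

Because the comparison is on the full origin, a same-host `http://` reference is flagged as well, which also catches mixed content before the CSP has to.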

Hold us to it.

Want your project built to this bar — gates and all? That's the only way we know how.

disko@binary-punks.com