Features

Everything you need. Nothing you don't.

A focused toolkit for small teams that need dependable timekeeping without the bloat of enterprise software.

Independent timekeeping

Server-authoritative timers, breaks, revisions, and approvals continue working through every PA outage. Your time data never stops being captured.

Reliable synchronization

Durable queues, idempotency keys, signed webhooks, reconciliation, and visible conflicts protect every integration event when you connect Project Alpha.

Financially controlled

Administrator approval freezes duration, rate, amount, currency, and revision before records leave AlphaLedger. No silent changes to financial data.

Layered security

TOTP for admins, AES-256-GCM for credentials, CSRF on every mutation, rate-limited login, session rotation, and HMAC-SHA256 webhooks.

$

Employee pay

Pay rate hierarchy, billable and non-billable tracking, and is_payable decoupled from billable so non-billable time can still be employee pay.

Reports and exports

PDF and CSV exports, dashboard charts rendered from your own data. No third-party analytics or charting service. Your data stays yours.

Security

Layered controls by default

A PA outage, duplicate event, employee account, or database-only disclosure cannot silently alter financial records.

Session security

SHA-256 hashed session tokens in MySQL. Rotation at login and TOTP enrollment. 15-minute idle timeout, 8-hour absolute (7-day remember-me). HttpOnly, SameSite=Strict, Secure cookies.

Admin TOTP required

Administrators must enroll TOTP. Integration enablement requires password plus TOTP reauthentication. Recovery key shown once, stored outside the host.

AES-256-GCM encryption

PA credentials encrypted with a 256-bit key generated atomically in the data volume. Key never stored in MySQL or committed. Recovery key for volume loss.

HMAC-SHA256 webhooks

Signed webhooks with 5-minute replay window. Durable storage and event-ID deduplication. Incoming events stored before processing.

CSRF and rate limiting

Symfony CSRF tokens on every browser mutation. Login attempts rate-limited by hashed IP and email bucket. Role and ownership checks on every operation.

$

Hardened deployment

Security headers deny framing, MIME sniffing, unneeded capabilities. HSTS with subdomains. Containers run as unprivileged www-data user.

Project Alpha integration

Standalone now. Connected later.

AlphaLedger works perfectly on its own. When you're ready, connect Project Alpha for billing, invoicing, and client management.

Phase 1: Standalone

Run AlphaLedger independently for time tracking, approvals, and employee pay. No PA required.

  • Clock in / out / breaks
  • Admin review and approval
  • Pay calculation and freezing
  • PDF and CSV reports
  • Employee and project management

Phase 2: Connect PA

When ready, supply PA URL and token, reauthenticate with TOTP, and map projects and employees. AL backfills history and syncs going forward.

  • Durable transactional outbox
  • Project and employee mapping
  • Idempotent event delivery
  • Reconciliation every 6 hours
  • Operational ledger mirroring

Ownership boundaries

AL owns time, breaks, pay rates, approvals. PA owns clients, billing, invoices, payment status. Neither silently overwrites the other.

Visible conflicts

Foreign-owned conflicts are recorded with timestamps. No silent winner selection. Admin resolves explicitly.

Graceful degradation

When PA is unreachable, AL queues pushes, uses cached data, and never blocks clock in / out. Timekeeping always works.

Next steps

See how to deploy AlphaLedger

Self-hosted, source-available, and ready for your infrastructure.

Availability → Read the docs