docs consolidation

StellaOps Bot
2025-12-24 21:45:46 +02:00
parent 4231305fec
commit 43e2af88f6
76 changed files with 2887 additions and 796 deletions


@@ -9,7 +9,7 @@ Last updated: 2025-11-25 (Docs Tasks Md.V · DOCS-NOTIFY-40-001)
- Flooding / notification storms.
## Controls
- **Tenant isolation**: every rule/channel/template includes `tenant`; APIs enforce `X-Stella-Tenant`. Mongo collections are filtered by tenant with indexes on `(tenant, id)`.
- **Tenant isolation**: every rule/channel/template includes `tenant`; APIs enforce `X-Stella-Tenant`. PostgreSQL tables are filtered by tenant with indexes on `(tenant_id, id)` and row-level security.
- **Secrets**: channels reference Authority `secretRef`; secrets never stored in Notify DB. Rotate via Authority and `:refresh-secret`.
- **Outbound allowlist**: restrict hosts/ports per tenant; defaults block public internet in air-gapped kits.
- **Signing**: webhook deliveries include `X-Stella-Signature` HMAC-SHA256 over body+nonce; receivers must reject stale timestamps (>5m) and verify signature.
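Review bot: the rewritten Tenant isolation bullet states that PostgreSQL tables are protected by row-level security, but it does not say how the tenant is established for the policy (for example, which session setting the service sets from `X-Stella-Tenant`) or that the Notify service role is itself subject to the policies rather than exempt from them. Suggest extending the bullet along the lines of "row-level security keyed on `tenant_id`, with the tenant taken from the request's `X-Stella-Tenant` and the Notify database role subject to RLS (no bypass)", so that a reader can verify the control instead of assuming it.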
@@ -22,7 +22,7 @@ Last updated: 2025-11-25 (Docs Tasks Md.V · DOCS-NOTIFY-40-001)
## Deployment checklist
- [ ] Authority scopes `notify.viewer|operator|admin` configured; service accounts least-privilege.
- [ ] HTTPS everywhere; TLS 1.2+; HSTS on WebService front-door.
- [ ] Redis protected by auth and network policy; Mongo TLS + auth enabled.
- [ ] Valkey protected by auth and network policy; PostgreSQL TLS + auth enabled.
- [ ] Outbound allowlists defined per environment; no wildcard `*`.
- [ ] Webhook receivers validate signatures and enforce host/IP allowlists.
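Review bot: the checklist is updated for Valkey and PostgreSQL but gains no item for the row-level security that the Controls section now relies on for tenant isolation, so an operator could pass the checklist with RLS policies absent. Suggest adding a line next to the PostgreSQL item, e.g. `- [ ] PostgreSQL row-level security policies present on all tenant-scoped tables; service role does not bypass RLS.`, and spelling out what "TLS + auth enabled" means for PostgreSQL (server-side enforcement of TLS connections and a password-hashing auth method) so the item is checkable.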