Restructure solution layout by module
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
		| @@ -1,48 +1,48 @@ | ||||
| # Console Security Checklist Sign-off — 2025-10-27 | ||||
|  | ||||
| ## Summary | ||||
|  | ||||
| - Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build. | ||||
| - No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required. | ||||
| - Result: **PASS** – console may progress with Sprint 23 release gating. | ||||
|  | ||||
| ## Authority client validation | ||||
|  | ||||
| - Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`. | ||||
| - Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`. | ||||
|  | ||||
| ## CSP enforcement | ||||
|  | ||||
| - Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present. | ||||
| - Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared. | ||||
|  | ||||
| ## Fresh-auth timer | ||||
|  | ||||
| - Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle. | ||||
| - Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs. | ||||
|  | ||||
| ## DPoP binding test | ||||
|  | ||||
| - Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`. | ||||
| - Confirmed logs contain `ui.security.anomaly` event with matching `traceId`. | ||||
|  | ||||
| ## Offline mode exercise | ||||
|  | ||||
| - Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages. | ||||
| - Imported Offline Kit manifest; parity checks report `OK` status. | ||||
|  | ||||
| ## Evidence parity | ||||
|  | ||||
| - Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match. | ||||
| - Verified Downloads workspace never caches bundle contents (only manifest metadata stored). | ||||
|  | ||||
| ## Monitoring & alerts | ||||
|  | ||||
| - Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures. | ||||
| - PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps. | ||||
|  | ||||
| ## Sign-off | ||||
|  | ||||
| - Reviewed by **Security Guild** (lead: `@sec-lfox`).   | ||||
| - Sign-off recorded in Sprint 23 tracker (`SPRINTS.md`, `DOCS-CONSOLE-23-018`). | ||||
|  | ||||
| # Console Security Checklist Sign-off — 2025-10-27 | ||||
|  | ||||
| ## Summary | ||||
|  | ||||
| - Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build. | ||||
| - No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required. | ||||
| - Result: **PASS** – console may progress with Sprint 23 release gating. | ||||
|  | ||||
| ## Authority client validation | ||||
|  | ||||
| - Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`. | ||||
| - Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`. | ||||
|  | ||||
| ## CSP enforcement | ||||
|  | ||||
| - Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present. | ||||
| - Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared. | ||||
|  | ||||
| ## Fresh-auth timer | ||||
|  | ||||
| - Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle. | ||||
| - Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs. | ||||
|  | ||||
| ## DPoP binding test | ||||
|  | ||||
| - Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`. | ||||
| - Confirmed logs contain `ui.security.anomaly` event with matching `traceId`. | ||||
|  | ||||
| ## Offline mode exercise | ||||
|  | ||||
| - Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages. | ||||
| - Imported Offline Kit manifest; parity checks report `OK` status. | ||||
|  | ||||
| ## Evidence parity | ||||
|  | ||||
| - Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match. | ||||
| - Verified Downloads workspace never caches bundle contents (only manifest metadata stored). | ||||
|  | ||||
| ## Monitoring & alerts | ||||
|  | ||||
| - Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures. | ||||
| - PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps. | ||||
|  | ||||
| ## Sign-off | ||||
|  | ||||
| - Reviewed by **Security Guild** (lead: `@sec-lfox`).   | ||||
| - Sign-off recorded in Sprint 23 tracker (`../implplan/SPRINTS.md`, `DOCS-CONSOLE-23-018`). | ||||
|  | ||||
|   | ||||
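Review bot: the only content change in this hunk is the tracker path in the Sign-off section (`SPRINTS.md` becomes `../implplan/SPRINTS.md`), and it is written as inline code rather than as a markdown link, so the docs link checker will not validate that the new relative path resolves; consider making it a link in the same style as the `[`docs/security/console-security.md`](../security/console-security.md)` reference in the Summary, e.g. `` [`SPRINTS.md`](../implplan/SPRINTS.md) ``. Since the commit is titled "Restructure solution layout by module" but the Summary's `../security/console-security.md` link and the §6 reference in Monitoring & alerts are left untouched, confirm those still resolve from the file's location after the restructure. The Docs CI / lint-and-preview run for this push was cancelled, so the lint pass that would catch a broken relative path did not complete; re-run it before merging.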