up

docs/17_SECURITY_HARDENING_GUIDE.md

@@ -159,6 +159,7 @@ cosign verify ghcr.io/stellaops/backend@sha256:<DIGEST> \
   showing whether a network bypass CIDR allowed the request. Configure your SIEM
   to alert when unauthenticated requests (`status=401`) appear with
   `bypass=true`, or when unexpected scopes invoke job triggers.
+  Detailed monitoring and response guidance lives in `docs/ops/feedser-authority-audit-runbook.md`.
 
 ##  8 Update & patch strategy