# Console Security Checklist Sign-off — 2025-10-27 ## Summary - Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build. - No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required. - Result: **PASS** – console may progress with Sprint 23 release gating. ## Authority client validation - Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`. - Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`. ## CSP enforcement - Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present. - Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared. ## Fresh-auth timer - Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle. - Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs. ## DPoP binding test - Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`. - Confirmed logs contain `ui.security.anomaly` event with matching `traceId`. ## Offline mode exercise - Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages. - Imported Offline Kit manifest; parity checks report `OK` status. ## Evidence parity - Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run `; SHA-256 digests match. - Verified Downloads workspace never caches bundle contents (only manifest metadata stored). ## Monitoring & alerts - Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures. - PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps. ## Sign-off - Reviewed by **Security Guild** (lead: `@sec-lfox`). - Sign-off recorded in Sprint 23 tracker (`../implplan/SPRINTS.md`, `DOCS-CONSOLE-23-018`).