# Security, Risk & Governance

Authoritative sources for threat models, governance, compliance, and security operations.

## Policies & Governance

- [SECURITY_POLICY.md](../SECURITY_POLICY.md) - responsible disclosure, support windows.
- [GOVERNANCE.md](../GOVERNANCE.md) - project governance charter.
- [CODE_OF_CONDUCT.md](../CODE_OF_CONDUCT.md) - community expectations.
- [SECURITY_HARDENING_GUIDE.md](../SECURITY_HARDENING_GUIDE.md) - deployment hardening steps.
- [policy-governance.md](./policy-governance.md) - policy governance specifics.
- [LEGAL_FAQ_QUOTA.md](../LEGAL_FAQ_QUOTA.md) - legal interpretation of quota.
- [QUOTA_OVERVIEW.md](../QUOTA_OVERVIEW.md) - quota policy reference.
- [risk-profiles.md](../risk/risk-profiles.md) - organisational risk personas.

## Threat Models & Security Architecture

- [authority-threat-model.md](./authority-threat-model.md) - Authority service threat analysis.
- [authority-scopes.md](./authority-scopes.md) - scope model.
- [console-security.md](./console-security.md) - Console posture guidance.
- [pack-signing-and-rbac.md](./pack-signing-and-rbac.md) - pack signing, RBAC guardrails.
- [policy-governance.md](./policy-governance.md) - policy governance controls.
- [rate-limits.md](./rate-limits.md) - rate limiting behaviour.
- [password-hashing.md](./password-hashing.md) - credential storage.

## Audit, Revocation & Compliance

- [audit-events.md](./audit-events.md) - audit event taxonomy.
- [revocation-bundle.md](./revocation-bundle.md) & [revocation-bundle-example.json](./revocation-bundle-example.json) - revocation process.
- [license-jwt-quota.md](../license-jwt-quota.md) - licence/quota enforcement controls.
- [QUOTA_ENFORCEMENT_FLOW.md](../QUOTA_ENFORCEMENT_FLOW.md) - quota enforcement sequence.
- [OFFLINE_KIT.md](../OFFLINE_KIT.md) - tamper-evident offline artefacts.

## Supporting Material

- Module operations security notes: [authority/operations/key-rotation.md](../modules/authority/operations/key-rotation.md), [concelier/operations/authority-audit-runbook.md](../modules/concelier/operations/authority-audit-runbook.md), [zastava/README.md](../modules/zastava/README.md) (runtime enforcement).
- [observability/policy.md](../observability/policy.md) - security-relevant telemetry for policy.