# Security, Risk & Governance

Authoritative sources for threat models, governance, compliance, and security operations.

## Policies & Governance

- [../SECURITY_POLICY.md](../../SECURITY_POLICY.md) – responsible disclosure, support windows.
- [../GOVERNANCE.md](../../GOVERNANCE.md) – project governance charter.
- [../CODE_OF_CONDUCT.md](../../CODE_OF_CONDUCT.md) – community expectations.
- [../SECURITY_HARDENING_GUIDE.md](../../SECURITY_HARDENING_GUIDE.md) – deployment hardening steps.
- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance specifics.
- [../LEGAL_FAQ_QUOTA.md](../../LEGAL_FAQ_QUOTA.md) – legal interpretation of quota.
- [../QUOTA_OVERVIEW.md](../../QUOTA_OVERVIEW.md) – quota policy reference.
- [../risk/risk-profiles.md](../../risk/risk-profiles.md) – organisational risk personas.

## Threat Models & Security Architecture

- [../security/authority-threat-model.md](../../security/authority-threat-model.md) – Authority service threat analysis.
- [../security/authority-scopes.md](../../security/authority-scopes.md) – scope model.
- [../security/console-security.md](../../security/console-security.md) – Console posture guidance.
- [../security/pack-signing-and-rbac.md](../../security/pack-signing-and-rbac.md) – pack signing, RBAC guardrails.
- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance controls.
- [../security/rate-limits.md](../../security/rate-limits.md) – rate limiting behaviour.
- [../security/password-hashing.md](../../security/password-hashing.md) – credential storage.

## Audit, Revocation & Compliance

- [../security/audit-events.md](../../security/audit-events.md) – audit event taxonomy.
- [../security/revocation-bundle.md](../../security/revocation-bundle.md) & [../security/revocation-bundle-example.json](../../security/revocation-bundle-example.json) – revocation process.
- [../license-jwt-quota.md](../../license-jwt-quota.md) – licence/quota enforcement controls.
- [../QUOTA_ENFORCEMENT_FLOW.md](../../QUOTA_ENFORCEMENT_FLOW.md) – quota enforcement sequence.
- [../OFFLINE_KIT.md](../../OFFLINE_KIT.md) – tamper-evident offline artefacts.
- [../security/](../../security/) – browse for additional deep dives (audit, scopes, rate limits).

## Supporting Material

- Module operations security notes: [../../modules/authority/operations/key-rotation.md](../../modules/authority/operations/key-rotation.md), [../../modules/concelier/operations/authority-audit-runbook.md](../../modules/concelier/operations/authority-audit-runbook.md), [../../modules/zastava/README.md](../../modules/zastava/README.md) (runtime enforcement).
- [../observability/policy.md](../../observability/policy.md) – security-relevant telemetry for policy.
- [../implplan/archived/updates/2025-10-27-console-security-signoff.md](../../implplan/archived/updates/2025-10-27-console-security-signoff.md) & [../implplan/archived/updates/2025-10-31-console-security-refresh.md](../../implplan/archived/updates/2025-10-31-console-security-refresh.md) – recent security sign-offs.