# Console security posture

## Identity and token flow

- OAuth 2.1 authorization code with PKCE.
- DPoP-bound access tokens with short TTL; refresh tokens rotate when enabled.
- DPoP keypair stored as a non-exportable WebCrypto key (IndexedDB) and never in localStorage.
- All API calls include Authorization and DPoP proof headers; the gateway enforces the tenant header.

## Fresh-auth gating

- Sensitive operations require a fresh-auth window (default five minutes).
- UI disables guarded actions when the window expires.
- Authority emits audit events for fresh-auth start, success, and expiry.

## Session handling

- Tokens remain in memory; metadata is stored in sessionStorage only.
- Idle timeout defaults to 15 minutes; a failed refresh requires re-auth.
- Device binding through DPoP prevents token replay across devices.

## Scopes and separation of duties

- ui.admin is required for admin workspace access.
- Policy approvals and promotions require policy:approve or policy:operate plus fresh-auth.
- Do not combine ui.admin and policy:approve for the same human role without SOC review.

## Transport and browser hardening

- TLS 1.2+ with HSTS and strict forward headers.
- CSP defaults to self-only with explicit connect-src allowlists.
- Enable COOP and COEP when WASM-based previews are required.
- Deny framing and disable caching for JSON API responses.

## Evidence and data handling

- Console surfaces digests and signatures but does not cache evidence bundles.
- Downloads require CLI parity; the UI only brokers metadata.
- Logs redact tokens, emails, and attachment paths.

## Offline posture

- Offline mode uses pre-issued tokens and shows staleness banners.
- Fresh-auth prompts are replaced with CLI guidance in sealed mode.
- Unsigned offline assets block startup until verified.

## Monitoring expectations

- Track DPoP failures, tenant mismatches, and fresh-auth prompts.
- Correlate UI logs with Authority audit events using shared correlation IDs.
## Related references

- docs/security/console-security.md
- docs/architecture/console-admin-rbac.md