# Security, Risk & Governance

Authoritative sources for threat models, governance, compliance, and security operations.

## Policies & Governance
- [../13_SECURITY_POLICY.md](../../13_SECURITY_POLICY.md) – responsible disclosure, support windows.
- [../11_GOVERNANCE.md](../../11_GOVERNANCE.md) – project governance charter.
- [../12_CODE_OF_CONDUCT.md](../../12_CODE_OF_CONDUCT.md) – community expectations.
- [../17_SECURITY_HARDENING_GUIDE.md](../../17_SECURITY_HARDENING_GUIDE.md) – deployment hardening steps.
- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance specifics.
- [../29_LEGAL_FAQ_QUOTA.md](../../29_LEGAL_FAQ_QUOTA.md) – legal interpretation of quota.
- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – quota policy reference.
- [../risk/risk-profiles.md](../../risk/risk-profiles.md) – organisational risk personas.

## Threat Models & Security Architecture
- [../security/authority-threat-model.md](../../security/authority-threat-model.md) – Authority service threat analysis.
- [../security/authority-scopes.md](../../security/authority-scopes.md) – scope model.
- [../security/console-security.md](../../security/console-security.md) – Console posture guidance.
- [../security/pack-signing-and-rbac.md](../../security/pack-signing-and-rbac.md) – pack signing, RBAC guardrails.
- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance controls.
- [../security/rate-limits.md](../../security/rate-limits.md) – rate limiting behaviour.
- [../security/password-hashing.md](../../security/password-hashing.md) – credential storage.

## Audit, Revocation & Compliance
- [../security/audit-events.md](../../security/audit-events.md) – audit event taxonomy.
- [../security/revocation-bundle.md](../../security/revocation-bundle.md) & [../security/revocation-bundle-example.json](../../security/revocation-bundle-example.json) – revocation process.
- [../license-jwt-quota.md](../../license-jwt-quota.md) – licence/quota enforcement controls.
- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) – quota enforcement sequence.
- [../10_OFFLINE_KIT.md](../../10_OFFLINE_KIT.md) & [../24_OFFLINE_KIT.md](../../24_OFFLINE_KIT.md) – tamper-evident offline artefacts.
- [../security/](../../security/) – browse for additional deep dives (audit, scopes, rate limits).

## Supporting Material
- Module operations security notes: [../../modules/authority/operations/key-rotation.md](../../modules/authority/operations/key-rotation.md), [../../modules/concelier/operations/authority-audit-runbook.md](../../modules/concelier/operations/authority-audit-runbook.md), [../../modules/zastava/README.md](../../modules/zastava/README.md) (runtime enforcement).
- [../observability/policy.md](../../observability/policy.md) – security-relevant telemetry for policy.
- [../updates/2025-10-27-console-security-signoff.md](../../updates/2025-10-27-console-security-signoff.md) & [../updates/2025-10-31-console-security-refresh.md](../../updates/2025-10-31-console-security-refresh.md) – recent security sign-offs.