7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations. - Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency. - Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results. - Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages. - Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange. - Established a validation plan for quiet scans, focusing on provenance and CI integration. - Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
49 lines
2.5 KiB
Markdown
49 lines
2.5 KiB
Markdown
# Console Security Checklist Sign-off — 2025-10-27
|
||
|
||
## Summary
|
||
|
||
- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint 23 build.
|
||
- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
|
||
- Result: **PASS** – console may progress with Sprint 23 release gating.
|
||
|
||
## Authority client validation
|
||
|
||
- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
|
||
- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
|
||
|
||
## CSP enforcement
|
||
|
||
- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` – CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
|
||
- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
|
||
|
||
## Fresh-auth timer
|
||
|
||
- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
|
||
- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
|
||
|
||
## DPoP binding test
|
||
|
||
- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
|
||
- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
|
||
|
||
## Offline mode exercise
|
||
|
||
- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
|
||
- Imported Offline Kit manifest; parity checks report `OK` status.
|
||
|
||
## Evidence parity
|
||
|
||
- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
|
||
- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
|
||
|
||
## Monitoring & alerts
|
||
|
||
- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
|
||
- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
|
||
|
||
## Sign-off
|
||
|
||
- Reviewed by **Security Guild** (lead: `@sec-lfox`).
|
||
- Sign-off recorded in Sprint 23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`).
|
||
|