5590a99a1a
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism. - Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions. - Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests. - Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
36 lines
3.0 KiB
Markdown
36 lines
3.0 KiB
Markdown
# Security, Risk & Governance
|
||
|
||
Authoritative sources for threat models, governance, compliance, and security operations.
|
||
|
||
## Policies & Governance
|
||
- [../13_SECURITY_POLICY.md](../../13_SECURITY_POLICY.md) – responsible disclosure, support windows.
|
||
- [../11_GOVERNANCE.md](../../11_GOVERNANCE.md) – project governance charter.
|
||
- [../12_CODE_OF_CONDUCT.md](../../12_CODE_OF_CONDUCT.md) – community expectations.
|
||
- [../17_SECURITY_HARDENING_GUIDE.md](../../17_SECURITY_HARDENING_GUIDE.md) – deployment hardening steps.
|
||
- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance specifics.
|
||
- [../29_LEGAL_FAQ_QUOTA.md](../../29_LEGAL_FAQ_QUOTA.md) – legal interpretation of quota.
|
||
- [../33_333_QUOTA_OVERVIEW.md](../../33_333_QUOTA_OVERVIEW.md) – quota policy reference.
|
||
- [../risk/risk-profiles.md](../../risk/risk-profiles.md) – organisational risk personas.
|
||
|
||
## Threat Models & Security Architecture
|
||
- [../security/authority-threat-model.md](../../security/authority-threat-model.md) – Authority service threat analysis.
|
||
- [../security/authority-scopes.md](../../security/authority-scopes.md) – scope model.
|
||
- [../security/console-security.md](../../security/console-security.md) – Console posture guidance.
|
||
- [../security/pack-signing-and-rbac.md](../../security/pack-signing-and-rbac.md) – pack signing, RBAC guardrails.
|
||
- [../security/policy-governance.md](../../security/policy-governance.md) – policy governance controls.
|
||
- [../security/rate-limits.md](../../security/rate-limits.md) – rate limiting behaviour.
|
||
- [../security/password-hashing.md](../../security/password-hashing.md) – credential storage.
|
||
|
||
## Audit, Revocation & Compliance
|
||
- [../security/audit-events.md](../../security/audit-events.md) – audit event taxonomy.
|
||
- [../security/revocation-bundle.md](../../security/revocation-bundle.md) & [../security/revocation-bundle-example.json](../../security/revocation-bundle-example.json) – revocation process.
|
||
- [../license-jwt-quota.md](../../license-jwt-quota.md) – licence/quota enforcement controls.
|
||
- [../30_QUOTA_ENFORCEMENT_FLOW1.md](../../30_QUOTA_ENFORCEMENT_FLOW1.md) – quota enforcement sequence.
|
||
- [../24_OFFLINE_KIT.md](../../24_OFFLINE_KIT.md) – tamper-evident offline artefacts.
|
||
- [../security/](../../security/) – browse for additional deep dives (audit, scopes, rate limits).
|
||
|
||
## Supporting Material
|
||
- Module operations security notes: [../../modules/authority/operations/key-rotation.md](../../modules/authority/operations/key-rotation.md), [../../modules/concelier/operations/authority-audit-runbook.md](../../modules/concelier/operations/authority-audit-runbook.md), [../../modules/zastava/README.md](../../modules/zastava/README.md) (runtime enforcement).
|
||
- [../observability/policy.md](../../observability/policy.md) – security-relevant telemetry for policy.
|
||
- [../updates/2025-10-27-console-security-signoff.md](../../updates/2025-10-27-console-security-signoff.md) & [../updates/2025-10-31-console-security-refresh.md](../../updates/2025-10-31-console-security-refresh.md) – recent security sign-offs.
|