stella-ops.org/git.stella-ops.org

Files

root 68da90a11a

Docs CI / lint-and-preview (push) Has been cancelled

Details

Restructure solution layout by module

2025-10-28 15:10:40 +02:00

2.5 KiB

Raw Blame History

Console Security Checklist Sign-off — 2025-10-27

Summary

Security Guild completed the console security compliance checklist from docs/security/console-security.md against the Sprint 23 build.
No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
Result: PASS – console may progress with Sprint 23 release gating.

Authority client validation

Ran stella authority clients show console-ui in staging; confirmed pkce.enforced=true, dpop.required=true, and claim.requireTenant=true.
Verified scope bundle matches §3 (baseline ui.read, admin set, and per-feature scopes). Results archived under ops/evidence/console-ui-client-2025-10-27.json.

CSP enforcement

Inspected rendered response headers via curl -I https://console.stg.stellaops.local/ – CSP matches §4 defaults (default-src 'self', connect-src 'self' https://*.internal), HSTS + Referrer-Policy present.
Helm overrides reviewed (deploy/helm/stellaops/values-prod.yaml); no extra origins declared.

Fresh-auth timer

Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
Authority audit feed shows authority.fresh_auth.success and authority.policy.promote entries sharing correlation IDs.

DPoP binding test

Replayed captured bearer token without DPoP proof; Gateway returned 401 and incremented ui_dpop_failure_total.
Confirmed logs contain ui.security.anomaly event with matching traceId.

Offline mode exercise

Deployed console with console.offlineMode=true; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
Imported Offline Kit manifest; parity checks report OK status.

Evidence parity

Downloaded run evidence bundle via UI, re-exported via CLI stella runs export --run <id>; SHA-256 digests match.
Verified Downloads workspace never caches bundle contents (only manifest metadata stored).

Monitoring & alerts

Grafana board console-security.json linked to alerts: ui_request_duration_seconds burn-rate, DPoP failure count, downloads manifest verification failures.
PagerDuty playbook references docs/security/console-security.md §6 for incident steps.

Sign-off

Reviewed by Security Guild (lead: @sec-lfox).
Sign-off recorded in Sprint 23 tracker (../implplan/SPRINTS.md, DOCS-CONSOLE-23-018).