7b01c7d6ac
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
- Introduced a blueprint for explainable quiet alerts, detailing phases for SBOM, VEX readiness, and attestations. - Developed a roadmap for deterministic diff-aware rescans, enhancing scanner speed and efficiency. - Implemented a hash-based SBOM layer cache to optimize container scans by reusing previous results. - Created a multi-runtime reachability corpus to validate function-level reachability across various programming languages. - Proposed a stable SBOM model using SPDX 3.0.1 for persistence and CycloneDX 1.6 for interchange. - Established a validation plan for quiet scans, focusing on provenance and CI integration. - Documented guidelines for the Findings Ledger module, outlining roles, execution rules, and testing protocols.
957 B
957 B
2025-10-31 — Console Security Docs Refresh
Summary
- Documented the new Authority
/consoleendpoints (/tenants,/profile,/token/introspect) including tenant header enforcement, DPoP requirements, and five-minute fresh-auth behaviour. - Reduced the default Authority access-token lifetime to 120 seconds to match OpTok guidance and updated tests accordingly.
- Updated Console security guidance to cover the newly issued
orch:readscope and clarified session inactivity expectations. - Annotated
authority.yaml.sampleand the Authority ops runbook so operators forwardX-Stella-Tenantand understand fresh-auth prompts.
Impact
- Console release notes now reference the dedicated
/consoleendpoints and their audit identifiers. - Security Guild can rely on the updated compliance checklist when executing Sprint 23 sign-off.
- Deployment teams have explicit configuration reminders for tenants and orchestrator dashboard access.