stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
8da4e12a90fd82f6b2ec870bb73e0499b4ff6343
git.stella-ops.org/docs/updates/2025-10-27-console-security-signoff.md
master d870da18ce Restructure solution layout by module
2025-10-28 15:10:40 +02:00

2.5 KiB
Raw Blame History

Console Security Checklist Sign-off — 2025-10-27

Summary

  • Security Guild completed the console security compliance checklist from docs/security/console-security.md against the Sprint23 build.
  • No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
  • Result: PASS console may progress with Sprint23 release gating.

Authority client validation

  • Ran stella authority clients show console-ui in staging; confirmed pkce.enforced=true, dpop.required=true, and claim.requireTenant=true.
  • Verified scope bundle matches §3 (baseline ui.read, admin set, and per-feature scopes). Results archived under ops/evidence/console-ui-client-2025-10-27.json.

CSP enforcement

  • Inspected rendered response headers via curl -I https://console.stg.stellaops.local/ CSP matches §4 defaults (default-src 'self', connect-src 'self' https://*.internal), HSTS + Referrer-Policy present.
  • Helm overrides reviewed (deploy/helm/stellaops/values-prod.yaml); no extra origins declared.

Fresh-auth timer

  • Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5minutes idle.
  • Authority audit feed shows authority.fresh_auth.success and authority.policy.promote entries sharing correlation IDs.

DPoP binding test

  • Replayed captured bearer token without DPoP proof; Gateway returned 401 and incremented ui_dpop_failure_total.
  • Confirmed logs contain ui.security.anomaly event with matching traceId.

Offline mode exercise

  • Deployed console with console.offlineMode=true; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
  • Imported Offline Kit manifest; parity checks report OK status.

Evidence parity

  • Downloaded run evidence bundle via UI, re-exported via CLI stella runs export --run <id>; SHA-256 digests match.
  • Verified Downloads workspace never caches bundle contents (only manifest metadata stored).

Monitoring & alerts

  • Grafana board console-security.json linked to alerts: ui_request_duration_seconds burn-rate, DPoP failure count, downloads manifest verification failures.
  • PagerDuty playbook references docs/security/console-security.md §6 for incident steps.

Sign-off

  • Reviewed by Security Guild (lead: @sec-lfox).
  • Sign-off recorded in Sprint23 tracker (../implplan/SPRINTS.md, DOCS-CONSOLE-23-018).