git.stella-ops.org/docs/updates/2025-10-27-console-security-signoff.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations.
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00


Console Security Checklist Sign-off — 2025-10-27

Summary

  • Security Guild completed the console security compliance checklist from docs/security/console-security.md against the Sprint23 build.
  • No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
  • Result: PASS; the console may progress through Sprint23 release gating.

Authority client validation

  • Ran stella authority clients show console-ui in staging; confirmed pkce.enforced=true, dpop.required=true, and claim.requireTenant=true.
  • Verified scope bundle matches §3 (baseline ui.read, admin set, and per-feature scopes). Results archived under ops/evidence/console-ui-client-2025-10-27.json.

CSP enforcement

  • Inspected rendered response headers via curl -I https://console.stg.stellaops.local/; CSP matches §4 defaults (default-src 'self', connect-src 'self' https://*.internal), HSTS + Referrer-Policy present.
  • Helm overrides reviewed (deploy/helm/stellaops/values-prod.yaml); no extra origins declared.
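The header inspection above was done by eye against a curl capture; the following is an added helper (not part of the Stella Ops code base or this sign-off) that parses a `curl -I` capture and reports any drift from the §4 defaults, including extra origins such as a stray Helm override. The capture, the `EXPECTED_CSP` table and the `REQUIRED_HEADERS` list are constructed from the values quoted in this note, not taken from staging.

```python
# Added example for this sign-off note (not Stella Ops code); the sample
# capture below is constructed, not taken from staging.
EXPECTED_CSP = {  # section 4 defaults of docs/security/console-security.md
    "default-src": {"'self'"},
    "connect-src": {"'self'", "https://*.internal"},
}
REQUIRED_HEADERS = ("strict-transport-security", "referrer-policy")
SAMPLE_CAPTURE = """HTTP/2 200
content-security-policy: default-src 'self'; connect-src 'self' https://*.internal
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: no-referrer
"""

def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: {sources}}."""
    policy = {}
    for clause in value.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy

def parse_headers(raw: str) -> dict:
    """Parse a `curl -I` capture into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, val = line.partition(":")
        if sep:
            headers[name.strip().lower()] = val.strip()
    return headers

def check_security_headers(raw: str) -> list:
    """Return findings; empty means the response matches the section 4 defaults.
    Extra origins in a directive (e.g. a stray Helm override) are a finding too."""
    headers = parse_headers(raw)
    findings = []
    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        policy = parse_csp(csp)
        for directive, expected in EXPECTED_CSP.items():
            got = policy.get(directive)
            if got is None:
                findings.append(f"csp: missing {directive}")
            elif got != expected:
                findings.append(f"csp: {directive} has {sorted(got)}, expected {sorted(expected)}")
    findings += [f"missing {name}" for name in REQUIRED_HEADERS if name not in headers]
    return findings
```

Feed it the saved output of the curl command from the bullet above; an empty list reproduces the PASS result, and any non-empty list names the directive or header that drifted.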

Fresh-auth timer

  • Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5 minutes idle.
  • Authority audit feed shows authority.fresh_auth.success and authority.policy.promote entries sharing correlation IDs.

DPoP binding test

  • Replayed captured bearer token without DPoP proof; Gateway returned 401 and incremented ui_dpop_failure_total.
  • Confirmed logs contain ui.security.anomaly event with matching traceId.

Offline mode exercise

  • Deployed console with console.offlineMode=true; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
  • Imported Offline Kit manifest; parity checks report OK status.

Evidence parity

  • Downloaded run evidence bundle via UI, re-exported via CLI stella runs export --run <id>; SHA-256 digests match.
  • Verified Downloads workspace never caches bundle contents (only manifest metadata stored).

Monitoring & alerts

  • Grafana board console-security.json linked to alerts: ui_request_duration_seconds burn-rate, DPoP failure count, downloads manifest verification failures.
  • PagerDuty playbook references docs/security/console-security.md §6 for incident steps.

Sign-off

  • Reviewed by Security Guild (lead: @sec-lfox).
  • Sign-off recorded in Sprint23 tracker (corresponding sprint file docs/implplan/SPRINT_*.md, DOCS-CONSOLE-23-018).