stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
a3db0c959df7e8c242896f0ff1bcc861a6db8d10
git.stella-ops.org/docs/updates/2025-10-27-console-security-signoff.md
master 90c244948a Update AGENTS.md files across multiple modules to standardize task status update instructions and introduce a new document for Secret Leak Detection operations. 
- Modified task status update instructions in AGENTS.md files to refer to corresponding sprint files as `/docs/implplan/SPRINT_*.md` instead of `docs/implplan/SPRINTS.md`.
- Added a comprehensive document for Secret Leak Detection operations detailing scope, prerequisites, rule bundle lifecycle, enabling the analyzer, policy patterns, observability, troubleshooting, and references.
2025-11-05 11:58:32 +02:00

49 lines
2.6 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Console Security Checklist Sign-off — 2025-10-27
## Summary
- Security Guild completed the console security compliance checklist from [`docs/security/console-security.md`](../security/console-security.md) against the Sprint23 build.
- No blocking findings. One observability note (raise Grafana burn-rate alert to SLO board) was addressed during the run; no follow-up tickets required.
- Result: **PASS** console may progress with Sprint23 release gating.
## Authority client validation
- Ran `stella authority clients show console-ui` in staging; confirmed `pkce.enforced=true`, `dpop.required=true`, and `claim.requireTenant=true`.
- Verified scope bundle matches §3 (baseline `ui.read`, admin set, and per-feature scopes). Results archived under `ops/evidence/console-ui-client-2025-10-27.json`.
## CSP enforcement
- Inspected rendered response headers via `curl -I https://console.stg.stellaops.local/` CSP matches §4 defaults (`default-src 'self'`, `connect-src 'self' https://*.internal`), HSTS + Referrer-Policy present.
- Helm overrides reviewed (`deploy/helm/stellaops/values-prod.yaml`); no extra origins declared.
## Fresh-auth timer
- Executed Playwright admin flow: promoted policy revisions twice; observed fresh-auth modal after 5minutes idle.
- Authority audit feed shows `authority.fresh_auth.success` and `authority.policy.promote` entries sharing correlation IDs.
## DPoP binding test
- Replayed captured bearer token without DPoP proof; Gateway returned `401` and incremented `ui_dpop_failure_total`.
- Confirmed logs contain `ui.security.anomaly` event with matching `traceId`.
## Offline mode exercise
- Deployed console with `console.offlineMode=true`; Offline banner rendered, SSE disabled, CLI guidance surfaced on runs/downloads pages.
- Imported Offline Kit manifest; parity checks report `OK` status.
## Evidence parity
- Downloaded run evidence bundle via UI, re-exported via CLI `stella runs export --run <id>`; SHA-256 digests match.
- Verified Downloads workspace never caches bundle contents (only manifest metadata stored).
## Monitoring & alerts
- Grafana board `console-security.json` linked to alerts: `ui_request_duration_seconds` burn-rate, DPoP failure count, downloads manifest verification failures.
- PagerDuty playbook references `docs/security/console-security.md` §6 for incident steps.
## Sign-off
- Reviewed by **Security Guild** (lead: `@sec-lfox`).
- Sign-off recorded in Sprint23 tracker (corresponding sprint file `docs/implplan/SPRINT_*.md`, `DOCS-CONSOLE-23-018`).
Reference in New Issue View Git Blame Copy Permalink