Security, Risk & Governance
Authoritative sources for threat models, governance, compliance, and security operations.
Policies & Governance
- SECURITY_POLICY.md - responsible disclosure, support windows.
- GOVERNANCE.md - project governance charter.
- CODE_OF_CONDUCT.md - community expectations.
- SECURITY_HARDENING_GUIDE.md - deployment hardening steps.
- policy-governance.md - policy governance specifics.
- LEGAL_FAQ_QUOTA.md - legal interpretation of quota.
- QUOTA_OVERVIEW.md - quota policy reference.
- risk-profiles.md - organisational risk personas.
Threat Models & Security Architecture
- authority-threat-model.md - Authority service threat analysis.
- authority-scopes.md - scope model.
- console-security.md - Console posture guidance.
- pack-signing-and-rbac.md - pack signing, RBAC guardrails.
- policy-governance.md - policy governance controls.
- rate-limits.md - rate limiting behaviour.
- password-hashing.md - credential storage.
Audit, Revocation & Compliance
- audit-events.md - audit event taxonomy.
- revocation-bundle.md & revocation-bundle-example.json - revocation process, with a sample bundle.
- license-jwt-quota.md - licence/quota enforcement controls.
- QUOTA_ENFORCEMENT_FLOW.md - quota enforcement sequence.
- OFFLINE_KIT.md - tamper-evident offline artefacts.
Supporting Material
- Module operations security notes: authority/operations/key-rotation.md, concelier/operations/authority-audit-runbook.md, zastava/README.md (runtime enforcement).
- observability/policy.md - security-relevant telemetry for policy.