Security, Risk & Governance

Authoritative sources for threat models, governance, compliance, and security operations.

Policies & Governance

• …/13_SECURITY_POLICY.md – responsible disclosure, support windows.
• …/11_GOVERNANCE.md – project governance charter.
• …/12_CODE_OF_CONDUCT.md – community expectations.
• …/17_SECURITY_HARDENING_GUIDE.md – deployment hardening steps.
• …/security/policy-governance.md – policy governance specifics.
• …/29_LEGAL_FAQ_QUOTA.md – legal interpretation of quota.
• …/33_333_QUOTA_OVERVIEW.md – quota policy reference.
• …/risk/risk-profiles.md – organisational risk personas.

Threat Models & Security Architecture

• …/security/authority-threat-model.md – Authority service threat analysis.
• …/security/authority-scopes.md – scope model.
• …/security/console-security.md – Console posture guidance.
• …/security/pack-signing-and-rbac.md – pack signing, RBAC guardrails.
• …/security/policy-governance.md – policy governance controls.
• …/security/rate-limits.md – rate limiting behaviour.
• …/security/password-hashing.md – credential storage.

Audit, Revocation & Compliance

• …/security/audit-events.md – audit event taxonomy.
• …/security/revocation-bundle.md & …/security/revocation-bundle-example.json – revocation process.
• …/license-jwt-quota.md – licence/quota enforcement controls.
• …/30_QUOTA_ENFORCEMENT_FLOW1.md – quota enforcement sequence.
• …/10_OFFLINE_KIT.md & …/24_OFFLINE_KIT.md – tamper-evident offline artefacts.
• …/security/ – browse for additional deep dives (audit, scopes, rate limits).

Supporting Material

• Module operations security notes: …/…/modules/authority/operations/key-rotation.md, …/…/modules/concelier/operations/authority-audit-runbook.md, …/…/modules/zastava/README.md (runtime enforcement).
• …/observability/policy.md – security-relevant telemetry for policy.
• …/updates/2025-10-27-console-security-signoff.md & …/updates/2025-10-31-console-security-refresh.md – recent security sign-offs.