feat(governance): automate identity and comparison coverage
This commit is contained in:
@@ -60,6 +60,16 @@ Any missing stage produces `partial` or `degraded`, never completed.
|
||||
- `scripts/ops/report_security_governance_review.py --strict` is the source release gate.
|
||||
- `/api/ai-automation/security-governance-review` is the protected production readback.
|
||||
|
||||
### 4.1 Database identity controlled cutover
|
||||
|
||||
- `services/auth_identity_service.py` is the single policy for auth mode, trusted proxy CIDRs, role tiers and session identity versioning.
|
||||
- `login_history` is the durable login/audit/lockout source; process-local counters are not authoritative.
|
||||
- `auto` starts with bounded hybrid authority so the current operator is not locked out. Only successful database authentication by an active admin counts toward promotion; two durable success receipts are required by default.
|
||||
- Once the threshold is reached, effective authority becomes database-only without a manual review gate. Legacy shared sessions are revoked on their next request and cannot inherit an admin role from missing fields.
|
||||
- Any password, role, active-state or identity timestamp change invalidates the signed session through its durable identity version.
|
||||
- Account creation, identity updates, password changes, account disablement and permission changes must commit their no-secret `login_history` audit event in the same database transaction; failures roll back both the mutation and its audit.
|
||||
- `scripts/ops/report_auth_identity_governance.py` returns counts and control state only; it must never return password hashes, secret values or raw sessions.
|
||||
|
||||
### 5. Legacy policy sunset
|
||||
|
||||
| Legacy policy | Owner | Expiry | Replacement | Verifier |
|
||||
|
||||
Reference in New Issue
Block a user