Skip to content

Commit 449abb0

Browse files
docs(compliance): update SOC2 CC mapping with RBAC fixes, OIDC, audit v4 (#1949) (#3205)
- Update CC6.1: per-endpoint RBAC guards (templates, tools) β€” #3187 - Update CC6.2: OIDC/SSO now implemented β€” close Phase 3 gap - Update CC6.3: tenant-scoped access, template/tool RBAC added - Update CC7.2: audit chain upgraded to HMAC-SHA256 v4 with inter-process locking and symlink protection - Update CC7.3: audit export API with offset pagination (#2082) - Update evidence checklist: RBAC matrix, audit chain, event types - Bump version reference to 0.6.7-preview.1 Security sign-off: Themis πŸ›‘οΈ Refs: #1949, #3185, #3186, #3187
1 parent 5bc596e commit 449abb0

3 files changed

Lines changed: 18 additions & 11 deletions

File tree

β€Ždocs/compliance/README.mdβ€Ž

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
> **Status:** Pre-compliance (Phase 4 β€” Enterprise GA, not yet active)
44
>
5-
> **Last reviewed:** 2026-05-08 | **Aegis version:** 0.6.0-preview
5+
> **Last reviewed:** 2026-05-11 | **Aegis version:** 0.6.7-preview.1
66
77
This directory contains Aegis's compliance documentation, organized for SOC 2 Type II audit preparation, GDPR adherence, and enterprise security reviews.
88

β€Ždocs/compliance/soc2-cc-mapping.mdβ€Ž

Lines changed: 14 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,13 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
2020
| Master token + per-key roles (admin / operator / viewer) | `src/routes/auth.ts` β€” role-based permission policies | βœ… Implemented |
2121
| Per-key permissions and quotas | `src/config.ts` β€” `ApiKeyPermissions`, quota enforcement middleware | βœ… Implemented |
2222
| Timing-safe token comparison | `src/routes/auth.ts` β€” `crypto.timingSafeEqual()` | βœ… Implemented |
23-
| Session ownership enforcement | `enforceSessionOwnership: true` default; `src/routes/sessions.ts` β€” ownership checks | ⚠️ Partial β€” per-action RBAC not yet granular (P0-6) |
23+
| Session ownership enforcement | `enforceSessionOwnership: true` default; `src/routes/sessions.ts` β€” ownership checks | βœ… Implemented (CC6.3 also covers) |
24+
| Per-endpoint RBAC guards | `requireRole()` on all route handlers including templates and tools (#3187) | βœ… Implemented |
2425
| Dashboard authentication | `dashboard/src/` β€” login gate, token persistence | βœ… Implemented |
2526

2627
**Gap Actions:**
27-
- Implement per-action RBAC (P0-6)
28-
- Complete session ownership enforcement for all session operations (P0-1)
28+
- ~~Implement per-action RBAC (P0-6)~~ βœ… Closed β€” #3187 added `requireRole()` to all endpoints
29+
- ~~Complete session ownership enforcement for all session operations (P0-1)~~ βœ… Closed
2930

3031
### CC6.2 β€” Authentication
3132

@@ -39,7 +40,7 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
3940
| SSE tokens: 60s TTL, single-use, max 5 per key | `src/routes/sessions.ts` β€” SSE endpoint | βœ… Implemented |
4041

4142
**Gap Actions:**
42-
- Add SSO / OIDC support (Phase 3)
43+
- ~~Add SSO / OIDC support (Phase 3)~~ βœ… Closed β€” OIDC/DexidP implemented (`src/routes/oidc-auth.ts`, `src/services/auth/OIDCManager.ts`)
4344
- Implement MFA for dashboard access
4445
- Add mandatory API key expiry and rotation policies
4546

@@ -52,9 +53,12 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
5253
| Three roles with permission policies | `src/config.ts` β€” `admin`, `operator`, `viewer` | βœ… Implemented |
5354
| Session ownership enforcement (default on) | `enforceSessionOwnership: true` | βœ… Implemented |
5455
| Metrics endpoint gated by dedicated token | `src/routes/metrics.ts` β€” metrics auth | βœ… Implemented |
56+
| Tenant-scoped access isolation | `src/routes/context.ts` β€” tenant-scoped session/audit queries | βœ… Implemented |
57+
| Template RBAC guards (CUD=admin+operator, R=all) | `src/routes/templates.ts` β€” #3187 | βœ… Implemented |
58+
| Tool enumeration RBAC (auth required) | `src/routes/session-data.ts` β€” #3187 | βœ… Implemented |
5559

5660
**Gap Actions:**
57-
- Implement per-action RBAC granularity (P0-6)
61+
- ~~Implement per-action RBAC granularity (P0-6)~~ βœ… Closed β€” all endpoints now have `requireRole()` guards (#3187)
5862
- Add attribute-based access control (ABAC) for enterprise tier
5963

6064
### CC6.6 β€” Network Security
@@ -127,7 +131,9 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
127131

128132
| Aegis Feature | Evidence | Status |
129133
|---------------|----------|--------|
130-
| Tamper-evident audit chain (SHA-256, daily rotation) | `src/audit.ts` β€” chained audit logger | βœ… Implemented |
134+
| Tamper-evident audit chain (HMAC-SHA256 v4, daily rotation) | `src/audit.ts` β€” chained audit logger with inter-process locking | βœ… Implemented |
135+
| Audit chain verification (`ag doctor`) | `src/audit.ts` β€” `verify()` method supports v1–v4 records | βœ… Implemented |
136+
| Symlink attack prevention on audit files | `src/audit.ts` β€” `assertNotSymlink()` on all read/write paths | βœ… Implemented |
131137
| Structured JSON logging with token redaction | `src/logger.ts` β€” serializers | βœ… Implemented |
132138
| Stall detection + dead session diagnostics | `src/sessionManager.ts` β€” health checks | βœ… Implemented |
133139
| Alert webhooks for session failures | `src/` β€” webhook alert system | βœ… Implemented |
@@ -145,8 +151,9 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
145151
| Aegis Feature | Evidence | Status |
146152
|---------------|----------|--------|
147153
| Audit logger: key CRUD, quota changes, authenticated calls | `src/audit.ts` β€” event types | βœ… Implemented |
148-
| SHA-256 chained daily audit files | `src/audit.ts` β€” chain integrity | βœ… Implemented |
154+
| HMAC-SHA256 chained daily audit files (v4) | `src/audit.ts` β€” chain integrity with scrypt actor obfuscation | βœ… Implemented |
149155
| Token and secret redaction in all log serializers | `src/logger.ts` β€” redaction rules | βœ… Implemented |
156+
| Audit log export with offset pagination (#2082) | `src/audit.ts` β€” `queryWithOffset()` API | βœ… Implemented |
150157

151158
**Gap Actions:**
152159
- Add SIEM integration guide

β€Ždocs/compliance/soc2-evidence-checklist.mdβ€Ž

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@
1515
| 1.1 | API key inventory (hashes, roles, creation dates) | `{stateDir}/keys.json` | Scripted export | Per audit | βœ… Available |
1616
| 1.2 | Key creation / revocation / rotation events | `{stateDir}/audit/YYYY-MM-DD.jsonl` | Audit log query | Continuous | βœ… Available |
1717
| 1.3 | Session ownership enforcement config | `aegis.config.ts` β€” `enforceSessionOwnership` | Config snapshot | Per audit | βœ… Available |
18-
| 1.4 | RBAC permission matrix | `src/config.ts` β€” role definitions | Code review | Per release | βœ… Available |
18+
| 1.4 | RBAC permission matrix | `src/services/auth/permissions.ts` β€” role definitions; `requireRole()` on all routes | Code review | Per release | βœ… Available |
1919
| 1.5 | Dashboard auth configuration | Dashboard login flow test | Manual / automated test | Per release | βœ… Available |
2020

2121
### 2. Authentication Evidence
@@ -41,8 +41,8 @@
4141

4242
| # | Evidence | Source | Collection Method | Frequency | Status |
4343
|---|----------|--------|-------------------|-----------|--------|
44-
| 4.1 | Audit log chain integrity proof | `{stateDir}/audit/` β€” SHA-256 chain | Integrity verification script | Per audit | βœ… Available |
45-
| 4.2 | Audit log coverage (event types) | `src/audit.ts` β€” event type enumeration | Code review | Per release | βœ… Available |
44+
| 4.1 | Audit log chain integrity proof | `{stateDir}/audit/` β€” HMAC-SHA256 v4 chain with inter-process locking | `ag doctor` verification | Per audit | βœ… Available |
45+
| 4.2 | Audit log coverage (event types) | `src/audit.ts` β€” 25+ event types across key, session, permission, driver, terminal, ACP | Code review | Per release | βœ… Available |
4646
| 4.3 | Token redaction verification | `src/logger.ts` β€” redaction rules | Test suite | Per release | βœ… Available |
4747
| 4.4 | Daily rotation verification | Audit file dates | Scripted check | Per audit | βœ… Available |
4848

0 commit comments

Comments
Β (0)