@@ -20,12 +20,13 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
2020| Master token + per-key roles (admin / operator / viewer) | ` src/routes/auth.ts ` β role-based permission policies | β
Implemented |
2121| Per-key permissions and quotas | ` src/config.ts ` β ` ApiKeyPermissions ` , quota enforcement middleware | β
Implemented |
2222| Timing-safe token comparison | ` src/routes/auth.ts ` β ` crypto.timingSafeEqual() ` | β
Implemented |
23- | Session ownership enforcement | ` enforceSessionOwnership: true ` default; ` src/routes/sessions.ts ` β ownership checks | β οΈ Partial β per-action RBAC not yet granular (P0-6) |
23+ | Session ownership enforcement | ` enforceSessionOwnership: true ` default; ` src/routes/sessions.ts ` β ownership checks | β
Implemented (CC6.3 also covers) |
24+ | Per-endpoint RBAC guards | ` requireRole() ` on all route handlers including templates and tools (#3187 ) | β
Implemented |
2425| Dashboard authentication | ` dashboard/src/ ` β login gate, token persistence | β
Implemented |
2526
2627** Gap Actions:**
27- - Implement per-action RBAC (P0-6)
28- - Complete session ownership enforcement for all session operations (P0-1)
28+ - ~~ Implement per-action RBAC (P0-6)~~ β
Closed β # 3187 added ` requireRole() ` to all endpoints
29+ - ~~ Complete session ownership enforcement for all session operations (P0-1)~~ β
Closed
2930
3031### CC6.2 β Authentication
3132
@@ -39,7 +40,7 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
3940| SSE tokens: 60s TTL, single-use, max 5 per key | ` src/routes/sessions.ts ` β SSE endpoint | β
Implemented |
4041
4142** Gap Actions:**
42- - Add SSO / OIDC support (Phase 3)
43+ - ~~ Add SSO / OIDC support (Phase 3) ~~ β
Closed β OIDC/DexidP implemented ( ` src/routes/oidc-auth.ts ` , ` src/services/auth/OIDCManager.ts ` )
4344- Implement MFA for dashboard access
4445- Add mandatory API key expiry and rotation policies
4546
@@ -52,9 +53,12 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
5253| Three roles with permission policies | ` src/config.ts ` β ` admin ` , ` operator ` , ` viewer ` | β
Implemented |
5354| Session ownership enforcement (default on) | ` enforceSessionOwnership: true ` | β
Implemented |
5455| Metrics endpoint gated by dedicated token | ` src/routes/metrics.ts ` β metrics auth | β
Implemented |
56+ | Tenant-scoped access isolation | ` src/routes/context.ts ` β tenant-scoped session/audit queries | β
Implemented |
57+ | Template RBAC guards (CUD=admin+operator, R=all) | ` src/routes/templates.ts ` β #3187 | β
Implemented |
58+ | Tool enumeration RBAC (auth required) | ` src/routes/session-data.ts ` β #3187 | β
Implemented |
5559
5660** Gap Actions:**
57- - Implement per-action RBAC granularity (P0-6)
61+ - ~~ Implement per-action RBAC granularity (P0-6) ~~ β
Closed β all endpoints now have ` requireRole() ` guards ( # 3187 )
5862- Add attribute-based access control (ABAC) for enterprise tier
5963
6064### CC6.6 β Network Security
@@ -127,7 +131,9 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
127131
128132| Aegis Feature | Evidence | Status |
129133| ---------------| ----------| --------|
130- | Tamper-evident audit chain (SHA-256, daily rotation) | ` src/audit.ts ` β chained audit logger | β
Implemented |
134+ | Tamper-evident audit chain (HMAC-SHA256 v4, daily rotation) | ` src/audit.ts ` β chained audit logger with inter-process locking | β
Implemented |
135+ | Audit chain verification (` ag doctor ` ) | ` src/audit.ts ` β ` verify() ` method supports v1βv4 records | β
Implemented |
136+ | Symlink attack prevention on audit files | ` src/audit.ts ` β ` assertNotSymlink() ` on all read/write paths | β
Implemented |
131137| Structured JSON logging with token redaction | ` src/logger.ts ` β serializers | β
Implemented |
132138| Stall detection + dead session diagnostics | ` src/sessionManager.ts ` β health checks | β
Implemented |
133139| Alert webhooks for session failures | ` src/ ` β webhook alert system | β
Implemented |
@@ -145,8 +151,9 @@ Security is the **required** Trust Services category for SOC 2. The Common Crite
145151| Aegis Feature | Evidence | Status |
146152| ---------------| ----------| --------|
147153| Audit logger: key CRUD, quota changes, authenticated calls | ` src/audit.ts ` β event types | β
Implemented |
148- | SHA-256 chained daily audit files | ` src/audit.ts ` β chain integrity | β
Implemented |
154+ | HMAC-SHA256 chained daily audit files (v4) | ` src/audit.ts ` β chain integrity with scrypt actor obfuscation | β
Implemented |
149155| Token and secret redaction in all log serializers | ` src/logger.ts ` β redaction rules | β
Implemented |
156+ | Audit log export with offset pagination (#2082 ) | ` src/audit.ts ` β ` queryWithOffset() ` API | β
Implemented |
150157
151158** Gap Actions:**
152159- Add SIEM integration guide
0 commit comments