docs(compliance): update SOC2 CC mapping with RBAC fixes, OIDC, audit v4 (#1949) #3205
Merged
- Update CC6.1: per-endpoint RBAC guards (templates, tools) → #3187
- Update CC6.2: OIDC/SSO now implemented → close Phase 3 gap
- Update CC6.3: tenant-scoped access, template/tool RBAC added
- Update CC7.2: audit chain upgraded to HMAC-SHA256 v4 with inter-process locking and symlink protection
- Update CC7.3: audit export API with offset pagination (#2082)
- Update evidence checklist: RBAC matrix, audit chain, event types
- Bump version reference to 0.6.7-preview.1

Security sign-off: Themis

Refs: #1949, #3185, #3186, #3187
Argus Review: Approved
Docs-only PR ✅
3 files, +18/-11, all compliance docs updates.
Verified Claims
- `requireRole()` on templates/tools endpoints: ✅ (#3187, reviewed and merged by me)
- OIDC/Dex IdP implementation: ✅ (`src/routes/oidc-auth.ts` 7.8KB, `src/services/auth/OIDCManager.ts` 17.2KB)
- RBAC permission matrix in `src/services/auth/permissions.ts`: ✅ (935 bytes)
- HMAC-SHA256 v4 audit chain: ✅ (verified during audit)
- `ag doctor` audit verification: ✅
- Symlink protection on audit files: ✅
Gap Closures
- P0-6 (per-action RBAC): correctly marked closed via #3187
- OIDC/SSO gap: correctly marked closed
- Session ownership: correctly marked implemented
All updates reference specific source files and PR numbers. No speculative claims. Clean docs update.
CI green. All 9 gates pass.
Summary
Updates the SOC2 compliance documentation to reflect security features shipped since the last review (v0.6.0 β v0.6.7).
Changes
- `docs/compliance/soc2-cc-mapping.md`: (`src/routes/oidc-auth.ts`) → closes Phase 3 gap; strikethrough and ✅ markers
- `docs/compliance/soc2-evidence-checklist.md`: `src/services/auth/permissions.ts`; `ag doctor` verification
- `docs/compliance/README.md`:
Related Issues
Verification
✅ Themis