docs/compliance.md
Metadata
- Purpose: Project documentation source file.
- Domain: documentation
- Language: md
- Bytes: 1350
- Lines: 31
- Content hash (short): 4b26fba4
- Source (start): docs/compliance.md:1
- Source (end): docs/compliance.md:31
Indexed Symbols
No indexed functions/methods detected in this file.
Markdown Headings (if applicable)
- H1: SOC 2-Ready Controls Baseline (line 1)
- H2: Identity and access (line 3)
- H2: Data and cryptography (line 10)
- H2: Audit and supply chain (line 17)
Source Preview
# SOC 2-Ready Controls Baseline

## Identity and access

- SSO via OIDC/SAML enforced at gateway ingress.
- Mandatory MFA policy for operator access.
- RBAC plus attribute-based policies, scoped per workspace.
- Approval workflow required for privileged operations.

## Data and cryptography

- TLS for external traffic and mTLS within the internal service mesh.
- Envelope encryption for sensitive metadata (`CredentialRef` payloads in `psa_resources`).
- Credential references only (no raw secret storage).
- Scheduled backup and restore validation cadence.

## Audit and supply chain

- Signed execution evidence for workflows.
- Immutable logs shipped to a long-term store.
- SBOM generation in CI pipelines.
- Container image signing (Cosign keyless) and verification gates.
- Trivy vulnerability scanning in CI with SARIF upload.
- Dependency review gate on pull requests (`fail-on-severity: high`).
- TruffleHog secret exposure scanning on pull requests and the main branch.