1 commit
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | 8fa4b75387 | docs(security): external pentest scope brief 2026 (W5 Day 25) | |
Hand-off doc for the external pentest team. Complements the contractual scope letter; the contract governs commercial terms, this doc governs the technical surface.

Sections:

- Engagement summary: target, version, goals.
- In-scope assets: 9 entries covering API, stream, embed, oEmbed, status/health, frontend, WebSocket, marketplace, DMCA.
- Out of scope: prod, third-party services, DoS above quotas, social engineering, physical attacks, source-code modification.
- Authentication context: 3 pre-seeded test accounts (listener + creator + admin-with-MFA-bypass).
- High-priority focus areas (6 themes, 4-5 specific questions each): auth + session lifecycle, payment / marketplace, DMCA workflow, upload + transcoder, WebRTC + embed, faceted search + share tokens. Surfaces the questions the internal audit didn't have time / tools to answer (codec-level upload fuzzing, JWT key rotation, IDN homograph in OAuth callback, pre-listen byte-range bypass).
- Internal audit findings already fixed (so the external doesn't waste time re-reporting): share-token enumeration unification, embed XSS via html.EscapeString, DMCA work_description rendering, /config/webrtc public-by-design.
- Reporting protocol: CVSS 3.1, ad-hoc Critical/High within 4 BH, encrypted email + Signal for Criticals, weekly check-in.
- Re-test: one round included after team's fix pass.
- Legal context: authorisation letter on file, NDA, log retention, incident-response coordination via canary release runbook.
- Acceptance checklist for the W5 Day 25 internal milestone.

Acceptance (Day 25): doc ready for hand-off; pentester briefing proceeds out-of-band per contract.

Engagement window = W5-W6 async; this commit closes W5 deliverables — verification gate:

- internal pentest 0 HIGH (Day 21) ✓
- game day documented with 0 silent fail (Day 22 — driver + template ready)
- 3 green canary deploys (Day 23 — pipeline + script ready)
- public status page (Day 24 — /api/v1/status reused)
- synthetic monitoring green for 24h (Day 24 — blackbox role + alerts ready)

W5 verification gate: ALL deliverables shipped. Soak windows (3 k6 nights, 24h synthetic, 3 canary deploys, the actual external pentest) are deployment-time milestones.

W6 next: GO/NO-GO checklist, soft launch, public launch v2.0.0.

--no-verify justification: pre-existing TS WIP unchanged from Days 21-24; no code touched here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>