Дмитрий 0a641ba44f docs(audit): RLS dev↔prod gap discovery — Phase A of hole #7
20 cron/job classes analyzed against RLS-protected tables. 4 GAP findings (P1):
RemindersDispatchDue, ReportsCleanupExpired, GenerateReportJob,
ProcessWebhookJob::failed() — all touch RLS tables on default conn in cron/queue
context (no tenant GUC). Fail/silent on prod (crm_app_user), hidden on dev
(postgres superuser). Phase B fixes follow.
2026-05-23 10:03:14 +03:00

docs/audit — audit procedures and artifacts

This directory is the home of the D3 «Audit and risk management» section of the automation map (docs/automation-graph.html). It holds the repeatable audit procedures and the artifacts they produce.

Toolset

  • /security-review — the customized Anthropic security-review command (.claude/commands/security-review.md).
  • Trail of Bits Skills — the trailofbits marketplace audit plugins.
  • Security Guidance — the Anthropic inline-vulnerability hook (blocking PreToolUse, a one-time per-file-and-rule speed-bump).
  • audit-portal — the project skill encoding the 14-phase portal audit.

Boundaries

  • Closed decisions and their residual risks → docs/adr/ (see ADR-003).
  • Open product, business, and legal risks → docs/Открытые_вопросы_v8_3.md.

Procedures

  • toolchain-attack-surface.md — manual audit of the Claude Code plugin and MCP-server attack surface.