Security Model

The guarantees OneComply makes about authentication, authorization, encryption, and audit — and the mechanisms behind each.

Owner: Security Team
Last reviewed: 2026-04-14

Authentication

  • Provider: Supabase Auth — battle-tested, OWASP-aligned.
  • Session: HttpOnly, Secure, SameSite=Lax cookies. 8-hour inactivity timeout.
  • Lockout: Progressive — 1m → 5m → 15m → 60m after repeated failed sign-ins.
  • MFA & SSO: Roadmap. Enterprise SAML / OIDC and TOTP MFA planned.

Authorization (RBAC)

Nine roles form a strict hierarchy: Viewer, Auditor, External Vendor, Member, Control Owner, Risk Manager, Compliance Officer, Admin, Owner. Each API handler declares its required action and entity; the RBAC layer denies by default.

Deny-by-default

A handler that forgets to call requirePermission() denies every request because the default path returns 403. New entity types must be added to the permission matrix before any route can reference them.
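An added example, not OneComply's own code, of the deny-by-default pattern described above in TypeScript. The role ranking follows the order listed under Authorization; the entity and action thresholds in the matrix are assumed for illustration and are not the project's documented permission matrix.

```typescript
// Roles in the page's hierarchy order; index = rank (higher wins).
const ROLES = [
  "Viewer", "Auditor", "External Vendor", "Member", "Control Owner",
  "Risk Manager", "Compliance Officer", "Admin", "Owner",
] as const;
type Role = (typeof ROLES)[number];
type Action = "read" | "create" | "update" | "delete";

// Hypothetical matrix: minimum role required per (entity, action).
// An entity or action missing here can never be authorized, which is
// what forces new entity types to be registered before routes use them.
const PERMISSION_MATRIX: Record<string, Partial<Record<Action, Role>>> = {
  control:  { read: "Viewer",  create: "Control Owner", update: "Control Owner", delete: "Compliance Officer" },
  risk:     { read: "Viewer",  create: "Risk Manager",  update: "Risk Manager",  delete: "Admin" },
  evidence: { read: "Auditor", create: "Member",        update: "Member",        delete: "Admin" },
};

interface Decision { allowed: boolean; status: 200 | 403; reason: string }

const DENY = (reason: string): Decision => ({ allowed: false, status: 403, reason });
const hasOwn = (obj: object, key: string) => Object.prototype.hasOwnProperty.call(obj, key);

// Every path that is not an explicit, configured allow ends in 403.
function requirePermission(role: string, entity: string, action: string): Decision {
  const rank = ROLES.indexOf(role as Role);
  if (rank < 0) return DENY("unknown role");
  // Own-property checks so inherited keys ("constructor", "toString") never match.
  if (!hasOwn(PERMISSION_MATRIX, entity)) return DENY("entity not in permission matrix");
  const row = PERMISSION_MATRIX[entity];
  if (!hasOwn(row, action)) return DENY("action not in permission matrix");
  const minRole = row[action as Action] as Role;
  const minRank = ROLES.indexOf(minRole);
  if (minRank < 0) return DENY("matrix misconfigured: unknown minimum role");
  if (rank < minRank) return DENY(`requires ${minRole} or higher`);
  return { allowed: true, status: 200, reason: "ok" };
}

// Handler shape: the route declares its entity and action up front and
// returns the decision's status when it is not an allow.
function handleDeleteControl(actorRole: string): number {
  const decision = requirePermission(actorRole, "control", "delete");
  if (!decision.allowed) return decision.status; // 403
  return 200; // perform the mutation, then logAudit() in the real handler
}
```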

Encryption

  • In transit: TLS 1.3 enforced. HSTS preload (max-age=63072000).
  • At rest: AES-256 on Postgres and Supabase Storage.
  • Secrets: Stored in Vercel encrypted env vars; never logged.

File Access Control

Evidence and SBOM uploads are stored in private buckets. Downloads use short-lived signed URLs (1-hour TTL) issued only after the API re-verifies that the requester's orgId matches the file path prefix.

Audit Trail

Every mutation is recorded via logAudit() with before/after snapshots, actor, entity type, entity id, and timestamp. Audit entries are immutable and queryable via /dashboard/audit-logs.

HTTP Security Headers

  • Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=()

Threat Model Summary

  • T1 — Cross-tenant read: mitigated by orgId scoping + code review.
  • T2 — Privilege escalation: mitigated by deny-by-default RBAC + audit trail.
  • T3 — Credential stuffing: mitigated by progressive lockout + rate limiting.
  • T4 — Evidence leakage: mitigated by signed URLs + path verification.
  • T5 — Supply-chain compromise: mitigated by dependency pinning and automated scanning.