# Secret Boundary Drill

- Generated at: 2026-03-27 18:19:30 +08:00
- Source DB: D:\project\data\user_management.db
- Isolated DB: D:\project\docs\evidence\ops\2026-03-27\secret-boundary\20260327-181910\user_management.secret-boundary.db
- Isolated config: D:\project\docs\evidence\ops\2026-03-27\secret-boundary\20260327-181910\config.secret-boundary.yaml

## Template Validation

- config template jwt.secret blank: True
- config template postgresql.password blank: True
- config template mysql.password blank: True
- forbidden placeholders removed from configs/config.yaml: True
- .gitignore protects local JWT key files: True
- .gitignore protects .env files: True

## Runtime Injection Validation

- Startup path: UMS_CONFIG_PATH + UMS_JWT_ALGORITHM + UMS_JWT_SECRET
- Synthetic JWT algorithm injected: HS256
- Synthetic JWT secret length: 45
- GET /health: pass
- GET /health/ready: pass
- GET /api/v1/auth/capabilities: {"password":true,"email_activation":false,"email_code":false,"sms_code":false,"password_reset":false,"admin_bootstrap_required":false,"oauth_providers":[]}

## Scope Note

- This drill proves that the repo-level secret boundary and the environment injection path are executable locally.
- It does not cover an external secrets manager, KMS rotation, or CI/CD environment delivery; no evidence for those is produced here.

## Evidence Files

- server.stdout.log
- server.stderr.log
- capabilities.json
- config.secret-boundary.yaml