
Standard 116: Security Hardening Protocol (The "Bridge")

Mandate: "Code does not leave the Local Environment until it is Hardened."

1. The Hardening Phase (The Bridge)

Security Hardening is a distinct phase in the SDLC that occurs after Feature Realization (Sprint G/H/I) and before Staging Verification (Sprint J).

Why?

  • Feature Work is chaotic: It creates "Happy Path" code.
  • Staging is strict: It simulates Production.
  • The Bridge: We must break the "Happy Path" by enforcing limits before we verify functionality.

2. The Hardening Loop (ACLC)

Step 1: Audit (The Scan)

Start by listing the "As-Built" surface area.

  • Identify all public Routes.
  • Identify all exposed Widgets.
  • Compare against 06_CAPABILITY_MATRIX.
  • Tool: scripts/architect/audit-architecture.ts

Step 2: Consolidate (The Shrink)

Reduce the attack surface by merging redundant interfaces.

  • Rule: "One Job, One Workbench."
  • Action: Merge "Dashboard" views into "Workbench" hubs.
  • Action: Delete "Dev-Only" routes or gate them behind a process.env.NODE_ENV check.

Step 3: Lock (The Gate)

Apply Access Control Lists (ACLs) to the consolidated surface.

  • Technique: Persona-First Guarding.
  • Do not check user.role === 'admin'.
  • DO check user.hasCapability('GOV-PROP-MANAGE').
  • Layer 1: middleware.ts (Route Protection).
  • Layer 2: Component RBAC (Widget Protection).

Step 4: Certify (The Stamp)

Run the "Access Verification" suite.

  • Test: Attempt to access Admin routes as a Guest.
  • Test: Attempt to use Owner widgets as a Tenant.
  • Exit Criteria: 403 Forbidden on all unauthorized attempts.

3. Implementation Guide

3.1 Route Consolidation

  • Anti-Pattern: /governance/dashboard AND /governance.
  • Standard: /governance IS the dashboard.

3.2 Capability Integration

Use the CapabilityMatrix to map Routes to Permissions.

// navigation.ts
export const ROUTES = {
  "/community/governance": {
    requiredCapability: "GOV-DASH-VIEW",
    fallback: "/unauthorized",
  },
};
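
A capability guard built on this route map, as an added example (not the project's own code) that ties Step 3 (Lock) to Step 4 (Certify). The helper names, the child route, the personas' capability sets and the fail-closed handling of unmapped paths are assumptions.

```typescript
type RouteRule = { requiredCapability: string; fallback: string };
type Decision = { status: 200 | 403; redirect?: string };

const ROUTES: Record<string, RouteRule> = {
  "/community/governance": { requiredCapability: "GOV-DASH-VIEW", fallback: "/unauthorized" },
  // Hypothetical child route, added to exercise longest-prefix matching.
  "/community/governance/proposals": { requiredCapability: "GOV-PROP-MANAGE", fallback: "/unauthorized" },
};

// Hypothetical persona shape exposing the hasCapability() check from Step 3.
interface Persona { name: string; hasCapability(id: string): boolean }
function persona(name: string, caps: string[]): Persona {
  const held = new Set(caps);
  return { name, hasCapability: (id: string) => held.has(id) };
}

// Drop query/hash, collapse repeated slashes and trailing slashes so that
// "/x/", "/x?y=1" and "//x" all resolve to the same rule.
function normalize(path: string): string {
  const bare = (path.split(/[?#]/)[0] ?? "").replace(/\/{2,}/g, "/").replace(/\/+$/, "");
  return bare === "" ? "/" : bare;
}

// Most specific rule wins; matching is on whole path segments, so
// "/community/governance-archive" does not inherit "/community/governance".
function matchRule(path: string): RouteRule | undefined {
  const p = normalize(path);
  const best = Object.keys(ROUTES)
    .filter((r) => p === r || p.startsWith(r + "/"))
    .sort((a, b) => b.length - a.length)[0];
  return best === undefined ? undefined : ROUTES[best];
}

function authorize(user: Persona, path: string): Decision {
  const rule = matchRule(path);
  // Assumption: a path with no entry in the map is denied (fail closed).
  if (!rule) return { status: 403, redirect: "/unauthorized" };
  return user.hasCapability(rule.requiredCapability)
    ? { status: 200 }
    : { status: 403, redirect: rule.fallback };
}

// Constructed personas for the Step 4 checks; capability sets are illustrative.
const guest = persona("Guest", []);
const tenant = persona("Tenant", ["GOV-DASH-VIEW"]);
const owner = persona("Owner", ["GOV-DASH-VIEW", "GOV-PROP-MANAGE"]);
console.log(guest.name, authorize(guest, "/community/governance"));
```

Because the decision depends only on capabilities, the Step 4 suite can iterate every route against every persona and fail on any 200 the Capability Matrix does not list.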

4. Integration with Methodology

  • Standard 115 (Backend-First): Defines Data security.
  • Standard 116 (Hardening): Defines Interface security.