feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone

- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
defiQUG
2025-11-13 09:32:55 -08:00
parent 92cc41d26d
commit 6a8582e54d
202 changed files with 22699 additions and 981 deletions


@@ -0,0 +1,240 @@
# KYC/AML Standard Operating Procedures (SOP)
**Version:** 1.0
**Date:** November 10, 2025
**Status:** Draft
---
## Overview
This document defines the Standard Operating Procedures (SOPs) for Know Your Customer (KYC), Anti-Money Laundering (AML), and sanctions screening for eResidency and eCitizenship applications.
## Screening Lists
### Sanctions Lists
**Primary Sources:**
* UN Security Council Sanctions
* EU Sanctions
* OFAC (US Treasury)
* UK HM Treasury
* Other relevant jurisdictions
**Update Frequency:**
* Daily automated updates
* Manual review for high-priority updates
* Real-time screening for new applications
### PEP Lists
**Sources:**
* World-Check
* Dow Jones Risk & Compliance
* ComplyAdvantage
* Other commercial providers
**Categories:**
* Heads of State
* Senior government officials
* Senior political party officials
* Senior judicial officials
* Senior military officials
* State-owned enterprise executives
* Close associates and family members
## Risk Scoring
### Risk Factors
**Low Risk:**
* Clear identity verification
* No sanctions matches
* No PEP matches
* Low-risk geography
* Established history
**Medium Risk:**
* Partial identity verification
* Potential PEP match (distant)
* Medium-risk geography
* Limited history
**High Risk:**
* Failed identity verification
* Sanctions match
* Direct PEP match
* High-risk geography
* Suspicious patterns
### Risk Score Calculation
**Formula:**
```
Risk Score = (KYC Risk × 0.4) + (Sanctions Risk × 0.4) + (Geographic Risk × 0.2)
```
**Thresholds:**
* Auto-approve: < 0.3
* Manual review: 0.3 - 0.8
* Auto-reject: > 0.8
## Enhanced Due Diligence (EDD)
### Triggers
**Automatic EDD:**
* PEP match
* High-risk geography
* Risk score > 0.7
* Suspicious patterns
* Large transactions (if applicable)
### EDD Requirements
**Additional Checks:**
* Source of funds verification
* Additional identity documents
* References or attestations
* Background checks
* Enhanced monitoring
### EDD Process
1. Identify EDD trigger
2. Request additional information
3. Verify sources
4. Conduct enhanced screening
5. Risk assessment
6. Decision
## PEP Handling
### PEP Classification
**Direct PEP:**
* Current or former PEP
* Immediate family member
* Close associate
**Indirect PEP:**
* Distant relative
* Former associate
* Historical connection
### PEP Process
**Direct PEP:**
1. Automatic EDD
2. Enhanced screening
3. Manual review required
4. Risk assessment
5. Decision with justification
**Indirect PEP:**
1. Standard EDD
2. Risk assessment
3. Decision based on risk
## Source of Funds
### Requirements
**If Applicable:**
* Fee payments
* Donations
* Service contributions
* Other financial transactions
### Verification
**Methods:**
* Bank statements
* Payment receipts
* Transaction history
* Attestations
* Third-party verification
## Audit Trail
### Requirements
**Documentation:**
* All screening results
* Risk assessments
* Decisions and justifications
* EDD materials
* Audit logs
### Retention
**Periods:**
* KYC artifacts: 365 days (regulatory)
* Application metadata: 6 years
* Audit logs: 7 years
* Credential status: Indefinite
### Access
**Controls:**
* Role-based access
* Audit logging
* Data minimization
* Encryption at rest
* Secure transmission
## Compliance
### Regulatory Requirements
**Jurisdictions:**
* GDPR (EU)
* CCPA (California)
* Other applicable laws
### Reporting
**Obligations:**
* Suspicious activity reports (if applicable)
* Regulatory reporting
* Internal reporting
* Audit reporting
## Testing
### Mock Audit
**Scope:**
* End-to-end process testing
* Risk assessment validation
* EDD trigger testing
* Audit trail verification
* Compliance checks
### Success Criteria
**Requirements:**
* All processes documented
* All decisions justified
* All audit trails complete
* All compliance checks passed
* No critical findings
---
## Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2025-11-10 | CISO | Initial draft |
---
## Approval
**CISO:** _________________ Date: _________
**Chancellor:** _________________ Date: _________
**External Counsel:** _________________ Date: _________
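Review bot: the weighted formula under Risk Score Calculation lets a confirmed sanctions match fall into the manual-review band instead of auto-reject. Assuming each input is normalised to 0..1 (the weights summing to 1 suggest that, but the scale is never stated), Sanctions Risk at 1.0 with the other two inputs at 0 gives 0.4 × 1.0 = 0.4, which is "Manual review: 0.3 - 0.8", yet the Risk Factors section lists "Sanctions match" as High Risk and the Screening Lists section exists to block exactly that case. Make a confirmed sanctions hit a hard stop that bypasses the weighted score, and state the scale of KYC Risk, Sanctions Risk and Geographic Risk next to the formula. The EDD trigger "Risk score > 0.7" also sits inside the manual-review band while auto-reject only starts at "> 0.8"; say explicitly that 0.7..0.8 means manual review plus EDD, and close the gaps at exactly 0.3 and 0.8 (the thresholds mix strict inequalities with a closed range). Under Retention, "KYC artifacts: 365 days (regulatory)" beside "Audit logs: 7 years" needs the regulation cited; if the audit log must let a reviewer reconstruct why a decision was taken, the screening results it references cannot be deleted after a year.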


@@ -0,0 +1,336 @@
# Root Key Ceremony Runbook
**Date:** Friday, December 5, 2025, 10:0013:00 PT
**Location:** Secure facility (airgapped room), dualcontrol entry
**Status:** Scheduled
---
## Roles & Responsibilities
### Ceremony Officer
* Leads the ceremony
* Ensures all steps are followed
* Documents all actions
* Coordinates with witnesses
### Key Custodians (3)
* Multi-party control (2-of-3)
* Participate in HSM initialization
* Witness key generation
* Verify backup procedures
### Auditor
* Independent verification
* Reviews all procedures
* Validates artifacts
* Signs off on completion
### Witnesses (2)
* External observers
* Verify procedures
* Sign witness statements
* Maintain independence
### Video Scribe
* Records the ceremony
* Documents all actions
* Creates tamper-evident archive
* Provides notarization support
---
## Pre-Ceremony Checklist
### Week Before
- [ ] Confirm all participants
- [ ] Verify secure facility access
- [ ] Test HSM equipment
- [ ] Prepare tamper-evident bags
- [ ] Schedule notary
- [ ] Prepare ceremony scripts
### Day Before
- [ ] Room sweep & security check
- [ ] Device inventory
- [ ] Hash baseline of all equipment
- [ ] Verify air-gap status
- [ ] Test recording equipment
- [ ] Prepare backup media
### Day Of (Pre-Ceremony)
- [ ] Final room sweep
- [ ] Verify all participants present
- [ ] Check recording equipment
- [ ] Verify HSM status
- [ ] Confirm air-gap maintained
- [ ] Begin video recording
---
## Ceremony Steps
### 1. Room Sweep & Hash Baseline
**Duration:** 15 minutes
**Actions:**
1. Verify room is secure and air-gapped
2. Inventory all devices and equipment
3. Create hash baseline of all equipment
4. Document all serial numbers
5. Verify no unauthorized devices
**Artifacts:**
* Device inventory list
* Hash baseline document
* Room security checklist
### 2. HSM Initialization (M of N)
**Duration:** 30 minutes
**Actions:**
1. Initialize Thales Luna HSM
2. Configure multi-party control (2-of-3)
3. Verify key custodian access
4. Test HSM functionality
5. Document HSM configuration
**Artifacts:**
* HSM configuration document
* Key custodian access logs
* HSM test results
### 3. Generate Root Key
**Duration:** 45 minutes
**Actions:**
1. Generate root key pair in HSM
2. Verify key generation
3. Extract public key
4. Create Certificate Signing Request (CSR)
5. Document key parameters
**Artifacts:**
* Root key generation log
* Public key certificate
* CSR document
* Key parameters document
### 4. Seal Backups
**Duration:** 30 minutes
**Actions:**
1. Create encrypted backups
2. Seal backups in tamper-evident bags
3. Label all backups
4. Verify backup integrity
5. Store backups in secure location
**Artifacts:**
* Backup inventory
* Tamper-evident bag log
* Backup integrity checks
* Storage location record
### 5. Sign Issuing CA
**Duration:** 30 minutes
**Actions:**
1. Generate Issuing CA certificate
2. Sign with root key
3. Verify certificate signature
4. Publish certificate
5. Document certificate details
**Artifacts:**
* Issuing CA certificate
* Certificate signature verification
* Certificate publication record
* Certificate details document
### 6. Publish Fingerprints
**Duration:** 20 minutes
**Actions:**
1. Calculate certificate fingerprints
2. Publish fingerprints publicly
3. Create DID documents (offline)
4. Prepare for online publication
5. Document publication process
**Artifacts:**
* Fingerprint document
* DID documents
* Publication record
* Online bridge preparation
### 7. Record & Notarize Minutes
**Duration:** 30 minutes
**Actions:**
1. Compile ceremony minutes
2. Have all participants sign
3. Notarize minutes
4. Create tamper-evident archive
5. Store original minutes
**Artifacts:**
* Ceremony minutes
* Participant signatures
* Notarized document
* Tamper-evident archive
* Storage record
---
## Artifacts Checklist
### Required Artifacts
- [ ] Root CSR
- [ ] CP/CPS v1.0
- [ ] Offline DID documents
- [ ] Hash manifest
- [ ] Sealed tamper-evident bags
- [ ] Ceremony minutes
- [ ] Participant signatures
- [ ] Notarized document
- [ ] Video recording
- [ ] Backup media
### Verification
- [ ] All artifacts present
- [ ] All signatures collected
- [ ] Video recording complete
- [ ] Backups verified
- [ ] Certificates published
- [ ] DID documents prepared
---
## Post-Ceremony Tasks
### Immediate (Day Of)
- [ ] Secure all artifacts
- [ ] Verify backup storage
- [ ] Publish fingerprints
- [ ] Notarize minutes
- [ ] Archive video recording
### Week After
- [ ] Publish DID documents online
- [ ] Update certificate registry
- [ ] Distribute artifacts to custodians
- [ ] Create ceremony report
- [ ] Schedule audit review
### Month After
- [ ] External audit review
- [ ] Update CP/CPS if needed
- [ ] Publish ceremony report
- [ ] Schedule next ceremony review
- [ ] Update procedures based on lessons learned
---
## Security Measures
### Physical Security
* Air-gapped room
* Dual-control entry
* No unauthorized devices
* Continuous video recording
* Witnessed procedures
### Cryptographic Security
* HSM-protected keys
* Multi-party control
* Encrypted backups
* Tamper-evident seals
* Hash verification
### Procedural Security
* Scripted procedures
* Independent verification
* Witnessed actions
* Documented steps
* Notarized records
---
## Incident Response
### Key Compromise
1. Immediately halt ceremony
2. Document incident
3. Notify all participants
4. Secure all artifacts
5. Begin investigation
6. Reschedule ceremony
### Equipment Failure
1. Document failure
2. Verify no key exposure
3. Replace equipment
4. Resume from last verified step
5. Update procedures
### Procedural Error
1. Document error
2. Assess impact
3. Correct if possible
4. Restart affected step
5. Update procedures
---
## Contacts
### Ceremony Officer
* Name: [TBD]
* Email: [TBD]
* Phone: [TBD]
### Key Custodians
* Custodian 1: [TBD]
* Custodian 2: [TBD]
* Custodian 3: [TBD]
### Auditor
* Name: [TBD]
* Email: [TBD]
* Phone: [TBD]
### Witnesses
* Witness 1: [TBD]
* Witness 2: [TBD]
### Video Scribe
* Name: [TBD]
* Email: [TBD]
* Phone: [TBD]
---
## Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2025-11-10 | Ceremony Officer | Initial runbook |
---
## Approval
**Ceremony Officer:** _________________ Date: _________
**CISO:** _________________ Date: _________
**Founding Council:** _________________ Date: _________
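Review bot: step 3 "Generate Root Key" produces a CSR and the Required Artifacts list a "Root CSR", but no step issues the root certificate itself. A root is self-signed, and both step 5 "Sign with root key" and step 6 "Calculate certificate fingerprints" presuppose that certificate exists; the "Public key certificate" artifact under step 3 never says who signs it. Either replace "Create Certificate Signing Request (CSR)" with generating the self-signed root certificate (recording validity period, algorithm and key size under "Document key parameters") or state that the CSR is for an external cross-sign. Step 5 also jumps from "Generate Issuing CA certificate" to "Sign with root key" without saying where the Issuing CA key pair is generated and protected: if it is generated in the same HSM, add that action and include it in the step 4 backups; if its CSR arrives from outside, add an action to verify the CSR signature (proof of possession) and its subject before signing. Under Incident Response, "Key Compromise" should include zeroizing the HSM and destroying the sealed backups from step 4 before "Reschedule ceremony", and "Equipment Failure" should state that a failure after step 3 means the root key material is regenerated rather than resumed from "last verified step".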


@@ -0,0 +1,200 @@
# Security Audit Checklist
This document provides a comprehensive security audit checklist for The Order monorepo.
## Authentication & Authorization
- [ ] All API endpoints require authentication
- [ ] JWT tokens are properly validated and signed
- [ ] DID signatures are cryptographically verified
- [ ] eIDAS certificates are validated with proper chain of trust
- [ ] Role-based access control (RBAC) is enforced
- [ ] Multi-factor authentication (MFA) is supported where required
- [ ] Session management is secure (timeouts, invalidation)
- [ ] Password policies are enforced (if applicable)
- [ ] API keys are stored securely and rotated regularly
- [ ] OAuth2/OIDC flows are implemented correctly
## Secrets Management
- [ ] No hardcoded secrets in code
- [ ] Secrets are stored in AWS Secrets Manager or Azure Key Vault
- [ ] Secrets are rotated regularly
- [ ] Secret access is logged and audited
- [ ] Secrets are encrypted at rest and in transit
- [ ] Environment variables are validated and sanitized
- [ ] Secret caching has appropriate TTL
- [ ] Secrets are never logged or exposed in error messages
## Data Protection
- [ ] Sensitive data is encrypted at rest
- [ ] Data is encrypted in transit (TLS 1.2+)
- [ ] PII is properly handled and protected
- [ ] Data retention policies are enforced
- [ ] Data deletion is secure and audited
- [ ] Database connections use SSL/TLS
- [ ] Database credentials are stored securely
- [ ] Backup encryption is enabled
- [ ] Data masking is used in non-production environments
## Input Validation & Sanitization
- [ ] All user inputs are validated
- [ ] SQL injection prevention (parameterized queries)
- [ ] NoSQL injection prevention
- [ ] XSS prevention (output encoding)
- [ ] CSRF protection is enabled
- [ ] File upload validation (type, size, content)
- [ ] Path traversal prevention
- [ ] Command injection prevention
- [ ] XML/XXE injection prevention
- [ ] LDAP injection prevention
## API Security
- [ ] Rate limiting is implemented
- [ ] API versioning is used
- [ ] CORS is properly configured
- [ ] API authentication is required
- [ ] Request size limits are enforced
- [ ] Response compression is secure
- [ ] API keys are rotated regularly
- [ ] API endpoints are documented
- [ ] API errors don't leak sensitive information
- [ ] Request/response logging doesn't expose secrets
## Cryptography
- [ ] Strong encryption algorithms are used (AES-256, RSA-2048+)
- [ ] Cryptographic keys are managed securely (KMS/HSM)
- [ ] Key rotation is implemented
- [ ] Cryptographic randomness is secure
- [ ] Hash functions are secure (SHA-256+)
- [ ] Digital signatures are properly validated
- [ ] Certificate validation is comprehensive
- [ ] TLS configuration is secure (strong ciphers, protocols)
## Infrastructure Security
- [ ] Container images are scanned for vulnerabilities
- [ ] Container images are signed (Cosign)
- [ ] SBOM is generated for all artifacts
- [ ] Infrastructure as Code is reviewed
- [ ] Network policies are enforced
- [ ] Firewall rules are properly configured
- [ ] Load balancers have DDoS protection
- [ ] WAF rules are configured
- [ ] Secrets are not exposed in infrastructure configs
- [ ] Resource limits are enforced
## Dependency Management
- [ ] Dependencies are regularly updated
- [ ] Vulnerable dependencies are identified and patched
- [ ] Dependency scanning is automated (Grype, Trivy)
- [ ] License compliance is checked
- [ ] Unused dependencies are removed
- [ ] Dependency pinning is used where appropriate
- [ ] Supply chain security is monitored
## Logging & Monitoring
- [ ] Security events are logged
- [ ] Logs are stored securely
- [ ] Log retention policies are enforced
- [ ] Sensitive data is not logged
- [ ] Log access is restricted and audited
- [ ] Security monitoring and alerting is configured
- [ ] Incident response procedures are documented
- [ ] Security metrics are tracked
## Compliance
- [ ] GDPR compliance (if applicable)
- [ ] eIDAS compliance
- [ ] ISO 27001 alignment (if applicable)
- [ ] SOC 2 compliance (if applicable)
- [ ] Regulatory requirements are met
- [ ] Privacy policies are up to date
- [ ] Data processing agreements are in place
- [ ] Compliance audits are conducted regularly
## Threat Modeling
- [ ] Threat model is documented
- [ ] Attack surfaces are identified
- [ ] Threat vectors are analyzed
- [ ] Mitigation strategies are implemented
- [ ] Threat model is reviewed regularly
- [ ] New features are threat modeled
- [ ] Third-party integrations are assessed
## Security Testing
- [ ] Penetration testing is conducted regularly
- [ ] Vulnerability scanning is automated
- [ ] Security code review is performed
- [ ] Fuzzing is used for critical components
- [ ] Security regression tests are in place
- [ ] Bug bounty program is considered
- [ ] Security testing is part of CI/CD
## Incident Response
- [ ] Incident response plan is documented
- [ ] Security contacts are identified
- [ ] Incident response team is trained
- [ ] Communication plan is in place
- [ ] Forensics capabilities are available
- [ ] Recovery procedures are documented
- [ ] Post-incident review process exists
## Security Training
- [ ] Security training is provided to developers
- [ ] Security awareness program exists
- [ ] Secure coding guidelines are followed
- [ ] Security best practices are documented
- [ ] Security updates are communicated
## Review Schedule
- **Monthly**: Dependency updates, security patches
- **Quarterly**: Security audit, threat model review
- **Annually**: Penetration testing, compliance audit
- **As needed**: Security incidents, new features, major changes
## Tools & Resources
### Automated Scanning
- **Trivy**: Container and filesystem scanning
- **Grype**: Dependency vulnerability scanning
- **Syft**: SBOM generation
- **ESLint Security Plugin**: Static code analysis
- **SonarQube**: Code quality and security
### Manual Testing
- **OWASP ZAP**: Web application security testing
- **Burp Suite**: Web security testing
- **Nmap**: Network scanning
- **Metasploit**: Penetration testing
### Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
- [CWE Top 25](https://cwe.mitre.org/top25/)
- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework)
## Sign-off
- [ ] Security audit completed
- [ ] Findings documented
- [ ] Remediation plan created
- [ ] Timeline established
- [ ] Stakeholders notified
**Audit Date**: _______________
**Auditor**: _______________
**Next Review Date**: _______________
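Review bot: several Authentication and Cryptography items are too coarse to be checked. "JWT tokens are properly validated and signed" should name what the verifier enforces: an explicit algorithm allowlist bound to each key (so the "none" algorithm and a public key mistaken for an HMAC secret are both rejected), plus issuer, audience and expiry checks. "Hash functions are secure (SHA-256+)" conflates integrity hashing with credential storage; add a separate item requiring a slow, salted algorithm such as Argon2id or bcrypt for passwords, since SHA-256 on its own is not acceptable there. Under Infrastructure Security, "Container images are signed (Cosign)" has no companion verification item; signing only helps if an admission or deploy step rejects unsigned or mis-signed images, so add "Image signatures are verified before deployment". Finally, "Secrets are stored in AWS Secrets Manager or Azure Key Vault" sits oddly next to the Cloud for Sovereignty landing zone this commit adds; if Azure is the target, say so, otherwise make the item provider-neutral.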