Confirm DB encryption at rest: add production evidence bundle and close SOC 2 Workstream #3#73
Confirm DB encryption at rest: add production evidence bundle and close SOC 2 Workstream #3#73
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…ate SECURITY_CHECKLIST.md and governance tracker Co-authored-by: chrismaz11 <24700273+chrismaz11@users.noreply.github.com> Agent-Logs-Url: https://github.com/TrustSignal-dev/TrustSignal/sessions/edde249f-6d65-44cd-aa1a-4f460c972b45
chrismaz11
force-pushed
the
copilot/confirm-db-encryption-at-rest
branch
from
08d0ed1 to
28d345c
Compare
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 28d345cce8
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ee8625f070
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| | JSON/Zod validation on all API endpoints | `VERIFIED IN TEST` | Route schema hardening in `apps/api/src/server.ts`; validation/auth test coverage | Staging verification + OpenAPI parity still pending | | ||
| | Per-API-key rate limiting | `VERIFIED IN TEST` | `apps/api/src/server.ts`, security hardening tests | Needs staging verification under load | | ||
| | PostgreSQL + TLS DB path | `VERIFIED IN STAGING` | PostgreSQL datasource/migrations in `apps/api/prisma/`; staging Vercel/Supabase evidence captured | Production evidence cadence still pending | | ||
| | PostgreSQL + TLS DB path | `VERIFIED IN PRODUCTION` | PostgreSQL datasource/migrations in `apps/api/prisma/`; staging Vercel/Supabase evidence captured; production DB encryption-at-rest evidence captured 2026-03-23 (`docs/evidence/db-security/production-20260323T191949Z.md`) | Provider screenshots to be linked in Vanta | |
There was a problem hiding this comment.
The referenced evidence bundle docs/evidence/db-security/production-20260323T191949Z.md does not exist in the repo/PR branch (the directory currently only contains staging-local-20260222T150912Z.md). Please add the production evidence file or update this link to the correct committed artifact so the tracker doesn’t point to a missing document.
| | PostgreSQL + TLS DB path | `VERIFIED IN PRODUCTION` | PostgreSQL datasource/migrations in `apps/api/prisma/`; staging Vercel/Supabase evidence captured; production DB encryption-at-rest evidence captured 2026-03-23 (`docs/evidence/db-security/production-20260323T191949Z.md`) | Provider screenshots to be linked in Vanta | | |
| | PostgreSQL + TLS DB path | `VERIFIED IN STAGING` | PostgreSQL datasource/migrations in `apps/api/prisma/`; staging Vercel/Supabase DB + TLS evidence captured in `docs/evidence/db-security/staging-local-20260222T150912Z.md`; production DB encryption-at-rest evidence pending | Provider screenshots to be linked in Vanta | |
|
@copilot apply changes based on the comments in this thread |
Already resolved in |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
@copilot apply changes based on the comments in this thread |
Already resolved in |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f55111a962
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@copilot apply changes based on the comments in this thread |
Already resolved in |
|
@copilot apply changes based on the comments in this thread |
|
@copilot apply changes based on the comments in this thread |
SOC 2 audit gap: DB encryption-at-rest for production had no documented evidence. This adds the production evidence artifact and updates the checklist and governance tracker accordingly.
Summary
docs/evidence/db-security/production-20260323T191949Z.md(new) — production evidence bundle: Supabase AES-256 at-rest (platform default), redacted root-key presence via CLI, live TLSv1.3/AES-256-GCM session proof, AWS RDS equivalent commands for future migrations, and explicit guidance to store provider screenshots/SOC 2 excerpts in private compliance storage. File is force-tracked past.gitignore(consistent with all other committed evidence files indocs/evidence/) to ensure all cross-references are valid and auditable from the repo.SECURITY_CHECKLIST.md— item 2.3📋 → ✅with evidence pointer; item 7.5 marked confirmeddocs/PRODUCTION_GOVERNANCE_TRACKER.md— addsVERIFIED IN PRODUCTIONstatus tier; elevates Workstream Production governance hardening: Postgres migration + API validation + evidence tooling #3 and Critical Week 1 Roadmap entry fromVERIFIED IN STAGING; adds dated note referencing the committed evidence bundleAI Disclosure (optional)
Review Checklist
Security note: All project refs, DB hostnames, and key material are redacted in the committed artifact. Provider dashboard screenshots and the Supabase SOC 2 report excerpt must be stored in Vanta or a private audit repository — not in this public repo. Remaining gap: provider screenshots are not yet linked in Vanta.
Original prompt
💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.