feat: complete enterprise security model audit hardening

.gitattributes

@@ -0,0 +1,8 @@
+* text=auto
+*.sh text eol=lf
+*.ps1 text eol=lf
+*.bicep text eol=lf
+*.json text eol=lf
+*.md text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf

.github/workflows/ci.yml

@@ -3,32 +3,47 @@ name: CI
 on:
   pull_request:
   push:
-    branches: [ main ]
+    branches: [main]
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   lint:
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Markdown lint
-        uses: avto-dev/markdown-lint@v1
+        uses: avto-dev/markdown-lint@04687db2e9b72c18a4dfce687923a8daa3e4b543 # v1
         with:
           args: 'docs/**/*.md README.md CONTRIBUTING.md SECURITY.md'
 
       - name: Link check
-        uses: lycheeverse/lychee-action@v1
+        uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621 # v1
         with:
           args: '--verbose --no-progress docs/**/*.md README.md'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Verify Mermaid blocks
-        run: |
-          grep -rl '```mermaid' docs README.md
+        run: grep -rl '```mermaid' docs README.md
 
       - name: Validate JSON formatting
         run: |
-          find impl -name '*.json' 2>/dev/null | while read f; do
-            jq empty "$f"
-          done
+          find impl -name '*.json' -print0 |
+            xargs -0 -n1 jq empty
+
+      - name: Install Bicep CLI
+        run: az bicep install
+
+      - name: Validate repository contracts
+        run: bash scripts/validate-repository.sh

.github/workflows/static.yml

@@ -1,43 +1,38 @@
-# Simple workflow for deploying static content to GitHub Pages
+# Deploy the public documentation surface only.
 name: Deploy static content to Pages
 
 on:
-  # Runs on pushes targeting the default branch
   push:
-    branches: ["main"]
-
-  # Allows you to run this workflow manually from the Actions tab
+    branches: [main]
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
   contents: read
   pages: write
   id-token: write
 
-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
-# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
-  group: "pages"
+  group: pages
   cancel-in-progress: false
 
 jobs:
-  # Single deploy job since we're just deploying
   deploy:
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - name: Setup Pages
-        uses: actions/configure-pages@v5
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
+      - name: Upload documentation artifact
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
-          # Upload entire repository
-          path: '.'
+          path: docs
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4

.planning/audits/20260611-enterprise-audit-fix-continuation.md

@@ -0,0 +1,30 @@
+# Enterprise Audit-Fix Continuation
+
+**Date:** 2026-06-11
+**Source:** `gsd-debug` followed by `gsd-audit-fix --severity all`
+**Branch:** `hardening/enterprise-audit-20260611`
+
+## Outcome
+
+The interrupted audit was resumed after scientifically reproducing and resolving the Azure Arc Bash CRLF failure.
+All remaining defensible auto-fixable findings were processed sequentially and committed atomically. No validation
+failure occurred, so the pipeline completed F-02 through F-08.
+
+## Atomic Results
+
+| ID | Finding | Commit |
+| --- | --- | --- |
+| F-02 | Enforce repository contracts and resolve Arc Bash CRLF failure | `062dfff` |
+| F-03 | Replace Bicep stubs with a secure compilable reference baseline | `4c583c6` |
+| F-04 | Replace fictional policy references and define safe rollout defaults | `8ef9375` |
+| F-05 | Define fail-closed Azure Arc dry-run onboarding contracts | `64a4f1a` |
+| F-06 | Connect assets, trust boundaries, threats, controls, and residual risk | `073fa1d` |
+| F-07 | Define evidence ownership, integrity, collection, and failure handling | `03e79e2` |
+| F-08 | Add bounded Sentinel KQL references and tuning metadata | `76076e6` |
+
+## Remaining Manual Work
+
+- Select and approve production identity, tenant hierarchy, and deployment identities.
+- Validate controls against a representative live Azure and Azure Local estate.
+- Obtain independent compliance and legal review before assurance claims.
+- Choose the production SIEM automation approval model and incident containment authority.

.planning/debug/arc-onboard-crlf-bash-syntax.md

@@ -0,0 +1,38 @@
+---
+status: resolved
+trigger: arc-onboard.sh CRLF/bash syntax failure
+created: 2026-06-11
+updated: 2026-06-11
+---
+
+# Symptoms
+
+- Expected: `bash -n impl/hybrid/azure-arc/onboarding/arc-onboard.sh` exits successfully.
+- Actual: Bash reports a syntax error at the closing brace on line 20.
+- Reproduction: Run the command from the repository root on Windows or Linux Bash.
+
+# Current Focus
+
+- hypothesis: CRLF line endings leave a carriage return attached to the closing brace.
+- test: Add a repository validator that rejects CRLF in shell files and runs `bash -n`.
+- expecting: The validator fails before normalization and passes after LF normalization.
+- next_action: Complete repository-wide validation and commit the fix.
+
+# Evidence
+
+- timestamp: 2026-06-11
+  observation: Format-Hex shows `0D 0A` line endings throughout arc-onboard.sh.
+- timestamp: 2026-06-11
+  observation: Bash reports `syntax error near unexpected token '}'` and displays a carriage return after the tee command.
+
+# Eliminated
+
+- hypothesis: The brace-and-pipe Bash syntax is invalid.
+  reason: The syntax is valid when line endings are LF.
+
+# Resolution
+
+- root_cause: CRLF line endings attached a carriage return to the Bash closing brace.
+- fix: Enforced LF through .gitattributes and normalized arc-onboard.sh.
+- verification: Repository validator rejects CRLF and bash -n now passes.
+- files_changed: .gitattributes, scripts/validate-repository.sh, arc-onboard.sh

.planning/phases/01-enterprise-audit/01-UAT.md

@@ -0,0 +1,33 @@
+# Enterprise Security Model Audit
+
+**Date:** 2026-06-11
+**Source:** `gsd-audit-fix --severity all --max 8`
+**Scope:** Threat model, controls, Azure and hybrid design, Bicep, CI, evidence, and documentation
+
+## Classification
+
+| ID | Severity | Finding | Classification | Reason |
+| --- | --- | --- | --- | --- |
+| F-01 | High | CI uses mutable action tags and lacks explicit least-privilege defaults, timeouts, and concurrency controls. | Auto-fixable | Specific workflow files and objectively testable controls. |
+| F-02 | High | CI validates formatting only; Bicep, onboarding scripts, Mermaid files, security examples, and repository contracts are not enforced. | Auto-fixable | A repository validator and CI invocation provide a bounded fix. |
+| F-03 | High | Landing-zone Bicep modules return strings but deploy no resources or secure defaults. | Auto-fixable | Existing module boundaries support a compilable reference implementation. |
+| F-04 | High | Policy-as-code examples reference fictional policy IDs and do not define rollout safety metadata. | Auto-fixable | Existing JSON examples can use documented built-in policy IDs and safe enforcement defaults. |
+| F-05 | Medium | Azure Arc onboarding examples accept unvalidated input, write ambiguous logs, and lack an explicit dry-run contract. | Auto-fixable | Two bounded scripts have clear safety behavior and syntax validation. |
+| F-06 | High | The service model has no formal threat model connecting assets, trust boundaries, threats, controls, and residual risk. | Auto-fixable | A public-safe architecture threat model can be added and cross-linked. |
+| F-07 | High | Audit evidence guidance does not define ownership, integrity, access, collection automation, or evidence failure handling. | Auto-fixable | The evidence contract can be made explicit in the existing audit document. |
+| F-08 | Medium | Sentinel analytic examples contain TODO queries, so detection claims are not testable or operationally credible. | Auto-fixable | Existing examples can contain safe, bounded KQL and tuning metadata. |
+
+## Manual-only Findings
+
+| ID | Severity | Finding | Reason |
+| --- | --- | --- | --- |
+| M-01 | High | Select the production identity, tenant hierarchy, and least-privilege deployment identities. | Requires organization-specific identity and management-group decisions. |
+| M-02 | High | Validate controls against a live Azure and Azure Local estate. | Requires tenant access, representative workloads, and approved test windows. |
+| M-03 | High | Obtain independent compliance and legal review before claiming certification or regulatory sufficiency. | Requires qualified external assurance and organization-specific obligations. |
+| M-04 | Medium | Choose the production SIEM automation approval model and incident containment authority. | Requires risk appetite and operating-model decisions. |
+
+## Stop Conditions
+
+- Stop after the first failed validation and record unattempted findings.
+- Do not deploy resources or mutate a live Azure tenant.
+- Do not claim certification, compliance, or production readiness from reference artifacts alone.

.planning/phases/01-enterprise-audit/01-VERIFICATION.md

@@ -0,0 +1,48 @@
+# Enterprise Audit Verification
+
+**Date:** 2026-06-11
+**Branch:** `hardening/enterprise-audit-20260611`
+**Pipeline status:** Complete for all auto-fixable findings
+
+## Result
+
+| ID | Finding | Status | Commit |
+| --- | --- | --- | --- |
+| F-01 | Harden workflow trust boundaries | Fixed and validated | `40c053a` |
+| F-02 | Enforce repository contracts in CI | Fixed and validated | `062dfff` |
+| F-03 | Deployable secure Bicep reference | Fixed and validated | `4c583c6` |
+| F-04 | Credible policy-as-code examples | Fixed and validated | `8ef9375` |
+| F-05 | Safe Azure Arc onboarding contract | Fixed and validated | `64a4f1a` |
+| F-06 | Formal threat model | Fixed and validated | `073fa1d` |
+| F-07 | Evidence integrity contract | Fixed and validated | `03e79e2` |
+| F-08 | Testable Sentinel detections | Fixed and validated | `76076e6` |
+
+## CRLF Debug Resolution
+
+`bash -n impl/hybrid/azure-arc/onboarding/arc-onboard.sh` failed because the committed CRLF line endings attached a
+carriage return to the closing brace. The repository now enforces LF for shell files, validates line endings and Bash
+syntax, and records the resolved GSD debug session in `.planning/debug/arc-onboard-crlf-bash-syntax.md`.
+
+## Validation
+
+- Repository contract validator passed.
+- Bash syntax and Azure Arc dry-run behavior passed.
+- PowerShell onboarding script parsed successfully.
+- Landing-zone Bicep compiled successfully.
+- JSON policy and Sentinel examples parsed successfully.
+- Workflow YAML parsed successfully.
+- Markdown documentation checks passed.
+- Third-party actions are pinned to immutable SHAs.
+- `git diff --check` passed.
+
+## Manual-only Findings
+
+- Select production identity, tenant hierarchy, and deployment identities.
+- Validate controls against a representative live Azure and Azure Local estate.
+- Obtain independent compliance and legal review before making assurance claims.
+- Choose production SIEM automation approval and containment authority.
+
+## Assurance Boundary
+
+No resources were deployed and no live Azure tenant was mutated. Reference artifacts require tenant-specific design,
+approvals, testing, and independent assurance before production use.

README.md

@@ -80,6 +80,7 @@ pretending to be those services.
 - Runbooks: [`docs/20-runbooks/README.md`](docs/20-runbooks/README.md)
 - Templates: [`docs/21-templates/README.md`](docs/21-templates/README.md)
 - Diagrams: [`docs/22-diagrams/README.md`](docs/22-diagrams/README.md)
+- Threat model: [`docs/23-threat-model.md`](docs/23-threat-model.md)
 - Static site: [`docs/index.html`](docs/index.html)
 - [Wiki](https://github.com/Coding-Autopilot-System/cloud-security-service-model/wiki) - overview, service definition, architecture, metrics & compliance
 

docs/04-reference-architecture.md

@@ -35,3 +35,4 @@ Shared responsibility overview: [`22-diagrams/shared-responsibility.mmd`](22-dia
 ## Related docs
 - Architecture principles: [`03-architecture-principles.md`](03-architecture-principles.md)
 - Hybrid/Azure Local: [`18-hybrid-azure-local.md`](18-hybrid-azure-local.md)
+- Threat model: [`23-threat-model.md`](23-threat-model.md)

docs/09-risk-management.md

@@ -25,3 +25,4 @@
 ## Related docs
 - Audit readiness: [`10-audit-readiness.md`](10-audit-readiness.md)
 - Exception handling: [`13-exception-handling.md`](13-exception-handling.md)
+- Threat model: [`23-threat-model.md`](23-threat-model.md)

docs/10-audit-readiness.md

@@ -1,30 +1,82 @@
 # Audit Readiness
 
+## Assurance boundary
+
+This repository defines an evidence operating contract and reference controls. It does not prove certification,
+regulatory compliance, or the effectiveness of a production tenant. Evidence must be validated against the applicable
+scope, obligations, and approved assurance process.
+
+## Evidence contract
+
+Every evidence item must contain:
+
+- Control and requirement identifiers, scope, environment, and evidence owner
+- Source system, collection method, collection identity, and collection timestamp
+- Correlation values such as change ID, run ID, commit SHA, deployment ID, or incident ID
+- Retention class, access classification, integrity method, and review status
+- Collection result, validation result, exceptions, and remediation or escalation reference
+
+Evidence owners are accountable for collection health, access reviews, validation, retention, and timely remediation.
+Control owners are accountable for deciding whether the evidence demonstrates the intended control outcome.
+
 ## Evidence model
-| Control area | Evidence | Source | Retention |
-| --- | --- | --- | --- |
-| Access control | PIM activation logs, role review reports | IAM/PIM | 1 year |
-| Logging | SIEM ingestion reports, log retention policy | SIEM, Log Analytics | 1 year |
-| Incident response | Incident records, postmortems | ITSM/SecOps | 2 years |
-| Change management | Change tickets, approvals | ITSM | 2 years |
-| Policy compliance | Compliance reports, policy assignments | Policy dashboard | 1 year |
+
+| Control area | Evidence | Source | Owner | Collection | Retention |
+| --- | --- | --- | --- | --- | --- |
+| Access control | PIM activations and access reviews | Entra ID / PIM | Identity owner | Daily export and quarterly review | 1 year |
+| Logging | Ingestion health, retention, and analytic results | SIEM / Log Analytics | SecOps owner | Continuous health plus monthly sample | 1 year |
+| Incident response | Incident record, timeline, and postmortem | ITSM / SecOps | Incident manager | Event-driven export at closure | 2 years |
+| Change management | Change, approval, commit, and deployment correlation | ITSM / GitHub / Azure | Platform owner | Per deployment | 2 years |
+| Policy compliance | Assignment, exemption, and compliance snapshots | Azure Policy | Policy owner | Daily snapshot and monthly review | 1 year |
+
+## Integrity and storage requirements
+
+- Store evidence in a dedicated protected location separate from the producing workload.
+- Use least-privilege managed identities for automated collection and read-only roles for reviewers.
+- Enable immutable or write-once retention where obligations require it; document approved deletion and legal hold.
+- Preserve source timestamps and correlation identifiers. Generate and verify hashes for exported evidence packages.
+- Log evidence reads, writes, exports, retention changes, and access-policy changes.
+- Encrypt evidence in transit and at rest; prohibit secrets, access tokens, and unnecessary personal data.
+
+## Automated collection and validation
+
+1. Collect through scheduled or event-driven jobs using managed identity and bounded scopes.
+2. Validate schema, source, expected time window, completeness, hash, and correlation identifiers.
+3. Record collection and validation outcomes in a separate health log.
+4. Alert the evidence owner and control owner on missing, late, malformed, or integrity-failed evidence.
+5. Sample evidence monthly and test restoration and access at least quarterly.
+
+## Evidence failure handling
+
+Evidence failure is a control-operating issue, not an administrative warning.
+
+- Stop assurance claims and release gates that depend on missing or integrity-failed evidence.
+- Open an incident or control exception with severity based on the affected control and duration.
+- Preserve the failed artifact and collection logs; do not overwrite or silently regenerate them.
+- Restore collection through the approved runbook, document the gap, and assess whether retrospective evidence exists.
+- Require control-owner approval before closing the failure and resuming assurance reporting.
 
 ## ISO 27001:2022 mapping (high level)
+
 | ISO domain | Control intent | Implementation examples |
 | --- | --- | --- |
 | Access control | Ensure least privilege and privileged access management | PIM, break-glass monitoring |
 | Asset management | Maintain inventory and classification | Resource tagging, inventory reports |
-| Logging & monitoring | Detect events and maintain evidence | Centralized logging, SIEM analytics |
+| Logging and monitoring | Detect events and maintain evidence | Centralized logging, SIEM analytics |
 | Incident management | Timely response and recovery | IR playbooks, evidence capture |
-| Change management | Controlled changes to security posture | Change request workflow, CAB-lite |
+| Change management | Controlled changes to security posture | Change request workflow, approvals |
 | Risk management | Identify and treat security risks | Risk register, exception handling |
 
 ## Audit readiness checklist
-- Evidence sources documented for each control intent.
-- Retention periods meet regulatory obligations.
-- Evidence is reviewable and immutable.
-- Exception register is current and signed off.
+
+- Evidence contracts and owners are approved for each control intent.
+- Collection identities and reviewer access are least privilege and reviewed.
+- Retention, immutability, integrity verification, and legal hold meet applicable obligations.
+- Collection health, restoration, and failure escalation are tested.
+- Exceptions and residual risks are current, time-bound, and approved.
 
 ## Related docs
+
 - Risk management: [`09-risk-management.md`](09-risk-management.md)
 - Incident response: [`11-incident-response.md`](11-incident-response.md)
+- Threat model: [`23-threat-model.md`](23-threat-model.md)