🔒 MVP1 Compliance Baseline Matrix — 38 Services Audited
We have completed a comprehensive compliance audit of all 38 Cert-IX services across 6 security dimensions: Authentication/Authorization, Audit Logging, Secrets Management, Encryption, Input Validation, and Monitoring.
Key Findings
Gap Summary
| Priority | Count | Description |
|---|---|---|
| P0 (Blocking) | 10 | Must fix before launch |
| P1 (Important) | 11 | Should fix for launch, can be day-2 |
| P2 (Post-MVP) | 5 | Post-launch improvements |
Gap Distribution by Type
| Gap Type | P0 | P1 | P2 | Total |
|---|---|---|---|---|
| AUTHN/AUTHZ | 3 | 4 | 1 | 8 |
| AUDIT | 3 | 4 | 1 | 8 |
| SECRETS | 2 | 1 | 0 | 3 |
| ENCRYPT | 1 | 1 | 0 | 2 |
| INPUT | 0 | 1 | 0 | 1 |
| MONITOR | 1 | 0 | 1 | 2 |
Critical P0 Gaps
Five of the ten P0 gaps (the full list is in the compliance matrix):
- asset-management-service — No JWT middleware of its own; relies on a Kafka-based permission check with an unsafe fallback
- checkout-orchestration-service — No JWT middleware on HTTP routes
- payment-processing-service — No audit logging for payment operations (PCI DSS Requirement 10: log and monitor all access to system components and cardholder data)
- scan-worker-service — No audit logging at all
- qr-auth-service — CSRF encryption key falls back to an ephemeral value instead of failing closed when none is configured
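Three of the gaps above share one shape: a control that degrades to a permissive default (a route with no JWT check, a permission lookup with an unsafe fallback, a CSRF key that is silently regenerated when none is configured). The following is an added example of the fail-closed alternative, written for this page and not taken from any Cert-IX service. The environment variable names, the HS256 bearer-token format and the `permission_lookup` callable are assumptions; the point is that a missing key aborts startup, a token that cannot be verified is rejected, and an unreachable permission source means deny, never allow.

```python
"""Fail-closed auth helpers: added example, not Cert-IX code.

Assumed (hypothetical) names: JWT_SIGNING_KEY / CSRF_KEY environment variables,
HS256-signed bearer tokens, and a permission_lookup(subject) callable that may
be backed by Kafka and may be unavailable.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Iterable


class ConfigError(RuntimeError):
    """Startup must abort; never substitute a generated key."""


class Unauthorized(Exception):
    """Request must be rejected."""


def require_secret(env: dict[str, str], name: str, min_bytes: int = 32) -> bytes:
    """Return the configured key or abort. The anti-pattern is
    `env.get(name) or os.urandom(32)`: the service boots, but every replica and
    every restart gets a different key, so tokens stop verifying silently."""
    value = env.get(name)
    if not value:
        raise ConfigError(f"{name} is not set; refusing to start")
    key = value.encode()
    if len(key) < min_bytes:
        raise ConfigError(f"{name} must be at least {min_bytes} bytes")
    return key


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT (used here only to produce sample input)."""
    seg = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes, now: float | None = None) -> dict:
    """Verify signature, pinned algorithm and expiry; raise on any doubt."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # malformed base64/JSON and wrong segment count both land here
        raise Unauthorized("malformed token") from None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise Unauthorized("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise Unauthorized("bad signature")
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        raise Unauthorized("missing or past exp")
    return claims


def authorize(claims: dict, permission_lookup: Callable[[str], Iterable[str]], action: str) -> bool:
    """Deny by default: an unreachable or erroring permission source means 'no'."""
    try:
        allowed = set(permission_lookup(claims["sub"]))
    except Exception:
        return False
    return action in allowed


def handle_request(auth_header: str | None, key: bytes, permission_lookup, action: str,
                   now: float | None = None) -> int:
    """Route guard returning an HTTP status. A missing header, a bad token and a
    failed lookup all end in rejection; only a verified token with an explicit grant gets 200."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401
    try:
        claims = verify_hs256(auth_header[len("Bearer "):], key, now)
    except Unauthorized:
        return 401
    return 200 if authorize(claims, permission_lookup, action) else 403


# Constructed sample: a permission source that is down, as a Kafka-backed check might be.
def lookup_unavailable(subject: str) -> set[str]:
    raise ConnectionError("permission source unreachable")


if __name__ == "__main__":
    key = require_secret({"JWT_SIGNING_KEY": "k" * 32}, "JWT_SIGNING_KEY")
    token = sign_hs256({"sub": "user-1", "exp": 2_000_000_000}, key)
    print(handle_request(f"Bearer {token}", key, lambda s: {"assets:read"}, "assets:read", now=1_700_000_000))
    print(handle_request(f"Bearer {token}", key, lookup_unavailable, "assets:read", now=1_700_000_000))
```

The same `require_secret` shape applies to the CSRF key: a service that cannot find the key should refuse to come up, which is visible in deployment, rather than mint one per process, which is invisible until tokens start failing across replicas.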
6 Critical Flows Mapped
The audit identified and mapped 6 critical end-to-end flows with their complete service chains and Kafka topic dependencies:
- User Registration & Login (P0) — 7 services, 3 Kafka topics
- Vulnerability Scanning (P0) — 5+ services, 3 Kafka topic patterns
- Asset Management (P0) — 5 services, 2 Kafka topics
- Payment & Subscription (P0) — 6 services, 3 Kafka topic patterns
- Compliance & Audit (P1) — 5 services
- Agent Telemetry (P2) — 4 services
Kafka Event Contract Freeze
All 14 Kafka topic patterns are now frozen at v1.0 for MVP1. Schema versioning rules are in place:
- Every message must include a `schema-version: "1.0"` header
- Only additive changes are allowed (new fields only)
- Breaking changes require new topic versions
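As an added example, not part of this page or of Cert-IX's code, the two gates that make these three rules enforceable: a consumer-side check that rejects any message lacking a 1.x `schema-version` header, and a CI-side comparison of two schema versions that flags every non-additive change. The schema dictionary shape and the `scan.completed` topic used as sample data are assumptions. Note that real Kafka client libraries (kafka-python, confluent-kafka) deliver header values as bytes, so the header must be decoded before it reaches `check_message`.

```python
"""Contract-freeze gates: added example, not Cert-IX code.

Assumed schema shape (hypothetical):
    {"fields": {"<name>": {"type": "<str>", "required": <bool>}}}
"""
from __future__ import annotations

import json
from typing import Any

FROZEN_MAJOR = 1  # MVP1 freeze: only 1.x is accepted on v1 topics


class ContractViolation(ValueError):
    """A message or schema change breaks the frozen contract."""


def parse_version(version: str) -> tuple[int, int]:
    try:
        major, minor = version.split(".")
        return int(major), int(minor)
    except ValueError:
        raise ContractViolation(f"malformed schema-version {version!r}") from None


def check_message(headers: dict[str, str], payload: bytes) -> dict[str, Any]:
    """Consumer-side gate: every message must carry a schema-version 1.x header."""
    version = headers.get("schema-version")
    if version is None:
        raise ContractViolation("missing schema-version header")
    major, _minor = parse_version(version)
    if major != FROZEN_MAJOR:
        raise ContractViolation(
            f"schema-version {version} on a v1 topic; breaking changes need a new topic version")
    return json.loads(payload)


def compatibility_violations(old: dict, new: dict) -> list[str]:
    """CI-side gate: list every non-additive difference between two schema versions.
    Additive means: no field removed, no type or required-flag change, and any new
    field optional (v1.0 producers will never emit it)."""
    old_fields, new_fields = old["fields"], new["fields"]
    problems: list[str] = []
    for name, spec in old_fields.items():
        if name not in new_fields:
            problems.append(f"removed field {name}")
        elif new_fields[name]["type"] != spec["type"]:
            problems.append(f"type change on {name}: {spec['type']} -> {new_fields[name]['type']}")
        elif new_fields[name]["required"] != spec["required"]:
            problems.append(f"required flag changed on {name}")
    for name, spec in new_fields.items():
        if name not in old_fields and spec["required"]:
            problems.append(f"new field {name} must be optional")
    return problems


# Constructed sample schemas for a hypothetical scan.completed topic
SCAN_COMPLETED_V1_0 = {"fields": {
    "asset_id": {"type": "string", "required": True},
    "findings_count": {"type": "integer", "required": True},
}}
SCAN_COMPLETED_V1_1 = {"fields": {            # additive: one optional field added
    **SCAN_COMPLETED_V1_0["fields"],
    "scanner_version": {"type": "string", "required": False},
}}
SCAN_COMPLETED_BREAKING = {"fields": {        # findings_count replaced by a required array
    "asset_id": {"type": "string", "required": True},
    "findings": {"type": "array", "required": True},
}}

if __name__ == "__main__":
    print(compatibility_violations(SCAN_COMPLETED_V1_0, SCAN_COMPLETED_V1_1))
    print(compatibility_violations(SCAN_COMPLETED_V1_0, SCAN_COMPLETED_BREAKING))
    print(check_message({"schema-version": "1.1"}, b'{"asset_id": "a-1", "findings_count": 3}'))
```

Wiring `compatibility_violations` into the pipeline that publishes schemas turns the "additive only" rule from a review convention into a failing build; the breaking sample above would have to ship as a new topic version instead.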
Remediation Timeline
| Day | Focus | Effort |
|---|---|---|
| Day 1 | Auth + Scan Flows | 8h |
| Day 2 | Asset + Payment Flows | 8h |
| Day 3 | Cross-Cutting + P1 Critical | 8h |
| Day 4 | Validation + Go/No-Go | 4h |
Total: ~28h (3.5 working days)
Go/No-Go Criteria
12 criteria must ALL be met before launch, including:
- All P0 gaps remediated
- All 4 P0 E2E flow smoke tests pass
- No hardcoded secrets in any deployed service
- TLS enforced on all external endpoints
- Kafka SSL + Redis TLS enabled for all services
Full Documentation
Read the complete compliance matrix with all 38 service ratings, flow diagrams, and remediation details in the Compliance Matrix documentation.
This audit was conducted by the Cert-IX Security Engineering team as part of the MVP1 launch readiness process.
