# MVP1 Compliance Baseline Matrix: 38 Services Audited
We have completed a comprehensive compliance audit of all 38 Cert-IX services across 6 security dimensions: Authentication/Authorization, Audit Logging, Secrets Management, Encryption, Input Validation, and Monitoring.
## Key Findings

### Gap Summary
| Priority | Count | Description |
|---|---|---|
| P0 (Blocking) | 10 | Must fix before launch |
| P1 (Important) | 11 | Should fix for launch, can be day-2 |
| P2 (Post-MVP) | 5 | Post-launch improvements |
### Gap Distribution by Type
| Gap Type | P0 | P1 | P2 | Total |
|---|---|---|---|---|
| AUTHN/AUTHZ | 3 | 4 | 1 | 8 |
| AUDIT | 3 | 4 | 1 | 8 |
| SECRETS | 2 | 1 | 0 | 3 |
| ENCRYPT | 1 | 1 | 0 | 2 |
| INPUT | 0 | 1 | 0 | 1 |
| MONITOR | 1 | 0 | 1 | 2 |
### Critical P0 Gaps

- asset-management-service: no direct JWT middleware; relies on a Kafka permission check with an unsafe fallback
- checkout-orchestration-service: no JWT middleware on HTTP routes
- payment-processing-service: no audit logging for payment operations (PCI DSS requirement)
- scan-worker-service: no audit logging at all
- qr-auth-service: CSRF encryption key falls back to an ephemeral value
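Two of the P0 findings above are configuration-time failures that an auditor can reproduce with a small check: a secret that silently falls back to an ephemeral value, and HTTP routes registered without an authentication middleware. The following is an added illustration, not code from the Cert-IX services; the environment variable name `QR_AUTH_CSRF_KEY`, the `jwt_auth` middleware name, and the route table are hypothetical.

```python
import secrets
from dataclasses import dataclass

# Hypothetical identifiers; the audit names no variable or middleware.
CSRF_KEY_ENV = "QR_AUTH_CSRF_KEY"
JWT_MIDDLEWARE = "jwt_auth"
MIN_KEY_BYTES = 32


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent or malformed at startup."""


def load_csrf_key_weak(env: dict) -> bytes:
    """Pattern the audit flags: a missing key is replaced by a random one.

    Every replica mints its own key, so tokens issued by one instance are
    rejected by another, every restart invalidates outstanding tokens, and a
    missing secret in production is never noticed because the service starts.
    """
    value = env.get(CSRF_KEY_ENV)
    if not value:
        return secrets.token_bytes(MIN_KEY_BYTES)  # ephemeral fallback
    return bytes.fromhex(value)


def load_csrf_key_strict(env: dict) -> bytes:
    """Hardened form: fail closed at startup if the key is absent or weak."""
    value = env.get(CSRF_KEY_ENV)
    if not value:
        raise MissingSecret(f"{CSRF_KEY_ENV} is not set; refusing to start")
    try:
        key = bytes.fromhex(value)
    except ValueError as exc:
        raise MissingSecret(f"{CSRF_KEY_ENV} is not valid hex") from exc
    if len(key) < MIN_KEY_BYTES:
        raise MissingSecret(f"{CSRF_KEY_ENV} must be at least {MIN_KEY_BYTES} bytes")
    return key


def strict_startup_ok(env: dict) -> bool:
    """True if the service would start under the strict loader, else False."""
    try:
        load_csrf_key_strict(env)
    except MissingSecret:
        return False
    return True


@dataclass(frozen=True)
class Route:
    method: str
    path: str
    middleware: tuple = ()


# Constructed route table standing in for a service's HTTP router.
SAMPLE_ROUTES = (
    Route("GET", "/healthz"),
    Route("POST", "/checkout", ("request_id", JWT_MIDDLEWARE)),
    Route("POST", "/checkout/confirm", ("request_id",)),
    Route("GET", "/orders/{id}", ()),
)

PUBLIC_PATHS = frozenset({"/healthz", "/metrics"})


def routes_without_jwt(routes, public_paths=PUBLIC_PATHS):
    """Return (method, path) for every route that lacks the JWT middleware
    and is not on the explicit unauthenticated allow-list."""
    return [
        (r.method, r.path)
        for r in routes
        if JWT_MIDDLEWARE not in r.middleware and r.path not in public_paths
    ]


if __name__ == "__main__":
    print("strict loader starts with empty env:", strict_startup_ok({}))
    print("unauthenticated routes:", routes_without_jwt(SAMPLE_ROUTES))
```

The route check is deliberately allow-list based: anything not explicitly public and not behind `jwt_auth` is reported, which is the direction a launch gate needs (fail closed on omissions rather than on known bad entries).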
### 6 Critical Flows Mapped
The audit identified and mapped 6 critical end-to-end flows with their complete service chains and Kafka topic dependencies:
- User Registration & Login (P0): 7 services, 3 Kafka topics
- Vulnerability Scanning (P0): 5+ services, 3 Kafka topic patterns
- Asset Management (P0): 5 services, 2 Kafka topics
- Payment & Subscription (P0): 6 services, 3 Kafka topic patterns
- Compliance & Audit (P1): 5 services
- Agent Telemetry (P2): 4 services
### Kafka Event Contract Freeze

All 14 Kafka topic patterns are now frozen at v1.0 for MVP1. Schema versioning rules are in place:

- Every message must include a `schema-version: "1.0"` header
- Only additive changes are allowed (new fields only)
- Breaking changes require new topic versions
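The three rules above can be enforced at both ends of a topic: a consumer rejects messages that lack the frozen `schema-version` header, and a CI step rejects a schema change that is not purely additive. What follows is an added example and not part of the Cert-IX contract tooling; the schema dictionary format, the sample `asset.created` fields, and the decision to accept any `1.x` minor version as additive are assumptions.

```python
import json

SCHEMA_VERSION_HEADER = "schema-version"
FROZEN_SCHEMA_VERSION = "1.0"


class ContractViolation(ValueError):
    """Raised when a message or schema change breaks the v1.0 freeze."""


def check_message(headers: dict, payload: bytes, required_fields) -> dict:
    """Consumer-side guard. Headers are a dict of str -> str or bytes (Kafka
    header values arrive as bytes). Returns the decoded payload on success.
    Assumption: same major version is compatible, because only additive
    changes are allowed within it; a new major means a new topic."""
    version = headers.get(SCHEMA_VERSION_HEADER)
    if version is None:
        raise ContractViolation("missing schema-version header")
    if isinstance(version, bytes):
        version = version.decode("utf-8")
    if version.split(".")[0] != FROZEN_SCHEMA_VERSION.split(".")[0]:
        raise ContractViolation(
            f"schema-version {version} is not compatible with frozen {FROZEN_SCHEMA_VERSION}"
        )
    body = json.loads(payload)
    missing = [f for f in required_fields if f not in body]
    if missing:
        raise ContractViolation(f"missing required fields: {missing}")
    return body


def message_accepted(headers: dict, payload: bytes, required_fields) -> bool:
    """Boolean wrapper around check_message for gating consumers."""
    try:
        check_message(headers, payload, required_fields)
    except (ContractViolation, ValueError):
        return False
    return True


def is_additive_change(old_schema: dict, new_schema: dict) -> tuple:
    """CI guard for the 'new fields only' rule. Schemas are dicts of
    field name -> {"type": str, "required": bool}. Returns (ok, reasons):
    removals, type changes and new *required* fields are all breaking."""
    reasons = []
    for name, spec in old_schema.items():
        if name not in new_schema:
            reasons.append(f"removed field {name}")
        elif new_schema[name]["type"] != spec["type"]:
            reasons.append(f"changed type of {name}")
        elif new_schema[name].get("required", False) and not spec.get("required", False):
            reasons.append(f"made optional field {name} required")
    for name, spec in new_schema.items():
        if name not in old_schema and spec.get("required", False):
            reasons.append(f"new field {name} is required; additions must be optional")
    return (not reasons, reasons)


# Constructed sample schemas for a hypothetical asset.created topic.
ASSET_CREATED_V1 = {
    "asset_id": {"type": "string", "required": True},
    "tenant_id": {"type": "string", "required": True},
    "hostname": {"type": "string", "required": False},
}
ASSET_CREATED_ADD_OPTIONAL = dict(ASSET_CREATED_V1, tags={"type": "array", "required": False})
ASSET_CREATED_DROP_FIELD = {k: v for k, v in ASSET_CREATED_V1.items() if k != "hostname"}
ASSET_CREATED_RETYPE = dict(ASSET_CREATED_V1, asset_id={"type": "integer", "required": True})

V1_REQUIRED = [n for n, s in ASSET_CREATED_V1.items() if s["required"]]
SAMPLE_PAYLOAD = json.dumps({"asset_id": "a-1", "tenant_id": "t-1"}).encode()

if __name__ == "__main__":
    print(message_accepted({SCHEMA_VERSION_HEADER: b"1.0"}, SAMPLE_PAYLOAD, V1_REQUIRED))
    print(is_additive_change(ASSET_CREATED_V1, ASSET_CREATED_DROP_FIELD))
```

Running `is_additive_change` against every schema touched in a pull request gives a mechanical answer to "does this need a new topic version" instead of leaving it to review.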
### Remediation Timeline
| Day | Focus | Effort |
|---|---|---|
| Day 1 | Auth + Scan Flows | 8h |
| Day 2 | Asset + Payment Flows | 8h |
| Day 3 | Cross-Cutting + P1 Critical | 8h |
| Day 4 | Validation + Go/No-Go | 4h |
Total: ~28h (3.5 working days)
### Go/No-Go Criteria
12 criteria must ALL be met before launch, including:
- All P0 gaps remediated
- All 4 E2E flow smoke tests pass
- No hardcoded secrets in any deployed service
- TLS enforced on all external endpoints
- Kafka SSL + Redis TLS enabled for all services
## Full Documentation
Read the complete compliance matrix with all 38 service ratings, flow diagrams, and remediation details in the Compliance Matrix documentation.
This audit was conducted by the Cert-IX Security Engineering team as part of the MVP1 launch readiness process.
