Milestone 2 evidence index

This directory contains the public-facing evidence index for Milestone 2. The canonical summary is PHASE2-SUMMARY.md; timestamped run folders preserve raw local validation outputs and Playwright screenshots.

Artifacts

PHASE2-SUMMARY.md

Purpose: Completion summary for Milestone 2 source implementation and local end-to-end acceptance.

Coverage:

  • low-side Pulp sync/publish validation,
  • low-side client package update validation,
  • signed transfer bundle build/verify/receive,
  • true Pulp-to-Pulp export/import between isolated local instances,
  • high-side publish and client install proof,
  • platform security posture and residual-risk notes.


phase2-airgap/20260425T160539Z/

Purpose: Timestamped local proof of the Phase 2 air-gap workflow.

Key files:

  • report.md — operator-readable test report
  • screenshots/ — Playwright screenshots for validation summary, high-side Pulp status, client proof, and diagrams
  • raw/ — curated command/API outputs from sync, export, receive, import, publish, and client installation

The run used a small fixture package (airgap-patch-demo version 1.0.1) so the result could be validated by a fresh Ubuntu client without downloading a full upstream mirror.


phase2-platform-security-checklist.md

Purpose: Repeatable validation command set for Azure platform security controls.

Coverage:

  • Low-side: NSG rules, Key Vault RBAC/config, Storage security, Redis security, PostgreSQL private/TLS posture
  • High-side: Public network access audit, VM managed identity RBAC

Compliance mapping: NIST SP 800-53 Rev 5, Azure Security Benchmark v3, DoD IL5+ (DISA STIG)

Usage:

export RG_LOW="<low-side-rg>"
export RG_HIGH="<high-side-rg>"
export SUBSCRIPTION="<sub-id>"
export NAME_PREFIX="<deployment-prefix>"
# Run validation commands from checklist


phase2-high-side-public-access-audit.md

Purpose: Risk-prioritized audit of high-side public network access posture.

Findings:

  • P0 (Critical): Redis and Key Vault defaulted to public access (high sensitivity data) — remediated in infra/high-side/main.bicep
  • P1 (Medium): ACR and Service Bus public access — accepted M2 risk with documentation
  • P2 (Low): Storage public access with subnet ACLs — sufficient for M2

Recommended remediation:

// infra/high-side/main.bicep
module cache '../low-side/cache.bicep' = {
  params: { publicNetworkAccess: 'Disabled' }
}
module keyvault '../low-side/keyvault.bicep' = {
  params: { networkDefaultAction: 'Deny' }
}


collect-high-side-public-access-evidence.sh

Purpose: Automated evidence collection for high-side public network access validation.

Usage:

export RG_HIGH="<high-side-rg>"
bash docs/evidence/collect-high-side-public-access-evidence.sh

Output: artifacts/evidence/high-side-public-access/YYYYMMDD/*.json (ACR, Service Bus, Redis, Storage, Key Vault, VM identity RBAC)


Public repository review

Evidence committed under this directory should be source-readable and safe for public consumption:

  • do not commit .env files, private keys, access tokens, or subscription-specific secrets,
  • prefer summarized JSON/log outputs over full provider dumps,
  • keep generated screenshots and SVG diagrams human-readable,
  • link timestamped run evidence from PHASE2-SUMMARY.md so one-off validation pages do not become the primary documentation path,
  • preserve enough raw evidence for repeatability, but remove exploratory probes that are not used by the final report.

Evidence Collection Workflow

  1. Pre-deployment: Review checklists and expected secure values
  2. Post-deployment: Run validation commands and evidence collection scripts
  3. Compare: Check outputs against the expected secure values from the checklists
  4. Risk register: Document any deviations with mitigation path
  5. Operational readiness: Store evidence in timestamped directories for audit trail

Validation Frequency

  • Initial deployment: Full checklist
  • Post-change: Affected sections after infrastructure updates
  • Periodic audit: Monthly for production environments
  • Pre-release: Full checklist before milestone gate reviews

Related Issues

  • #26 — M2 Network and Azure platform hardening audit (Epic)
  • #34 — Audit and evidence high-side public network access exceptions
  • #35 — Capture RBAC, NSG, storage, Redis, and PostgreSQL security evidence
  • #11 — Produce operational readiness evidence and reporting (M2)

Compliance Context

All controls support operational readiness evidence for Milestone 2 security audit and compliance requirements:

  • NIST SP 800-53 Rev 5: AC-3 (Access Enforcement), AC-4 (Information Flow Enforcement), SC-7 (Boundary Protection), SC-8 (Transmission Confidentiality), SC-28 (Protection at Rest)
  • Azure Security Benchmark v3: NS-1 (Network Segmentation), NS-2 (Secure Cloud Services), DP-3 (Encrypt Data in Transit), DP-4 (Encrypt Data at Rest), PA-7 (Privileged Access)
  • DoD IL5+ (DISA STIG): Network isolation, TLS enforcement, RBAC least privilege, audit logging

Created: 2026-04-25
Status: Milestone 2 source implementation and local E2E acceptance complete; cloud deployment evidence remains environment-specific.