R5 2FA/MFA V1 Security Contract Alignment
Task: DOCSAI_P0_V1_2FA_MFA_SECURITY_CONTRACT_ALIGNMENT_R5
Generated: 2026-06-26
Generator: DocsAI
Docs commit: a2ad6bccdc83b207c4e4964bd592c30e2666a4d4 (origin/main at start of R5)
Scope
Aligned documentation, security contracts, Trust Scenario Registry, and readiness surfaces to treat 2FA/MFA as a V1 security prerequisite. No runtime 2FA implementation — docs/evidence alignment only.
Surfaces Updated
| Surface | Action | Status |
|---|---|---|
| docs/security/security-validation-v1-cutline.md | Added 2FA row to V1 Required table; added rule 6 | ✅ UPDATED |
| docs/security/trust-scenario-registry.md | Added 8 AUTH-2FA-* scenarios (V1_BLOCKER); updated summary | ✅ UPDATED |
| docs/security/security-validation-suite.md | Added 2FA/MFA section to Authentication scenarios | ✅ UPDATED |
| docs/security/v1-security-readiness-checklist.md | Created with 18 items including 2FA | ✅ CREATED |
| docs/security/index.md | Added 2FA/MFA to capabilities table | ✅ UPDATED |
| docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/2fa_v1_security_contract_alignment.json | Evidence JSON | ✅ CREATED |
| docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/2fa_v1_security_contract_alignment.md | Evidence MD | ✅ CREATED |
| docs/80-EVIDENCE/docsai/r2-audit/provider_package_v1_gap_audit.json | Added 2FA to global V1 blockers | ✅ UPDATED |
| docs/80-EVIDENCE/docsai/r2-audit/provider_package_v1_gap_audit.md | Added R5 2FA section | ✅ UPDATED |
| docs/llms.txt | Added 2FA prerequisite note | ✅ UPDATED |
| static/llms.txt | Added 2FA prerequisite note | ✅ UPDATED |
| docs/ai/security-posture.md | Added Local auth 2FA to highlights | ✅ UPDATED |
Scenarios Added
| ID | Title | Status | Owner |
|---|---|---|---|
| AUTH-2FA-01 | Local login returns TWO_FACTOR_REQUIRED | V1_BLOCKER | Hermes |
| AUTH-2FA-02 | TOTP enrollment or sandbox-safe seed | V1_BLOCKER | Hermes |
| AUTH-2FA-03 | Invalid OTP rejected | V1_BLOCKER | Hermes |
| AUTH-2FA-04 | Valid OTP completes authentication | V1_BLOCKER | Hermes |
| AUTH-2FA-05 | /me succeeds after 2FA | V1_BLOCKER | Hermes |
| AUTH-2FA-06 | Authenticated route matrix after 2FA | V1_BLOCKER | Hermes |
| AUTH-2FA-07 | 2FA audit/security events | V1_BLOCKER | Hermes |
| AUTH-2FA-08 | Recovery/reset path | V1_BLOCKER | Hermes |
V1 Blocker Statement
2FA/MFA is a V1 blocker until Hermes R22 proves end-to-end enrollment/verification and route acceptance after 2FA.
Required Hermes R22 Evidence
- TOTP enrollment endpoint works (seed provisioned)
- Invalid OTP returns 401
- Valid OTP returns 200/session
- /me succeeds after 2FA
- Routes accessible after 2FA (full matrix)
- Audit events for 2FA lifecycle
- Recovery/reset path documented
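The evidence items above describe a flow (seed provisioned, invalid OTP rejected with 401, valid OTP yields 200 and a session, /me only succeeds afterwards, lifecycle events recorded). The following is an added, self-contained reference harness for that flow, not Hermes runtime code and not part of the R5 deliverables. It implements RFC 6238 TOTP (SHA-1, 6 digits, 30 s step) over the standard library and a hypothetical `TwoFactorSession` state machine whose names (`login`, `verify_otp`, `me`, the `2fa.*` event strings) are assumptions made here for illustration. The sandbox seed is the RFC 6238 test secret so the values below can be checked against the RFC vectors; it also shows two checks a verifier should make beyond "valid OTP returns 200": a consumed time step cannot be replayed, and one step of clock drift is tolerated.

```python
"""Added illustrative TOTP flow harness (not Hermes code). RFC 6238 TOTP + hypothetical login state."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple

STEP = 30        # TOTP time step in seconds
DIGITS = 6
WINDOW = 1       # accept +/- one step of clock drift

# RFC 6238 test secret; used here only as the "sandbox-safe seed" (constructed input).
SANDBOX_SEED = b"12345678901234567890"


def provision_secret(sandbox_seed: Optional[bytes] = None) -> bytes:
    """Enrollment: return a fixed sandbox seed when given, else a fresh 160-bit secret."""
    return sandbox_seed if sandbox_seed is not None else secrets.token_bytes(20)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step)


class TwoFactorSession:
    """Hypothetical login state: password ok -> TWO_FACTOR_REQUIRED -> OTP -> session token."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.state = "ANONYMOUS"
        self.last_counter = -1          # highest time step already consumed (replay guard)
        self.session: Optional[str] = None
        self.events = []                # audit trail of the 2FA lifecycle

    def login(self, password_ok: bool) -> str:
        """First factor. A good password never yields a session by itself."""
        self.session = None
        if not password_ok:
            self.events.append("login.failed")
            return "INVALID_CREDENTIALS"
        self.state = "TWO_FACTOR_REQUIRED"
        self.events.append("2fa.challenge")
        return "TWO_FACTOR_REQUIRED"

    def verify_otp(self, code: str, now: Optional[int] = None) -> Tuple[int, Optional[str]]:
        """Second factor: 401 on invalid/replayed code, 200 plus session on success."""
        if self.state != "TWO_FACTOR_REQUIRED":
            return 401, None
        now = int(time.time()) if now is None else now
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter:
                continue  # this step was already used; refuse replay even if the digits match
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                self.state = "AUTHENTICATED"
                self.session = secrets.token_urlsafe(32)
                self.events.append("2fa.success")
                return 200, self.session
        self.events.append("2fa.failed")
        return 401, None

    def me(self, token: str) -> int:
        """/me analogue: 200 only with the session minted after the second factor."""
        if self.session is not None and hmac.compare_digest(self.session, token):
            return 200
        return 401


if __name__ == "__main__":
    s = TwoFactorSession(provision_secret(SANDBOX_SEED))
    print(s.login(password_ok=True))                  # TWO_FACTOR_REQUIRED
    print(s.verify_otp("000000", now=59))             # (401, None)
    status, token = s.verify_otp(totp(s.secret, 59), now=59)
    print(status, s.me(token))                        # 200 200
```

The harness drives the whole sequence the evidence list asks for in one place, so a runtime test suite can assert each item (challenge, rejection, acceptance, /me, audit events) against a single object rather than checking endpoints in isolation.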
Current Status
- DocsAI (R5): ✅ PASS — all security contract surfaces aligned
- Hermes (R22): ❌ PENDING — runtime evidence required
- 2FA claim: ❌ Do NOT claim until R22 evidence lands
Claim Safety
Scan completed: 590 matches, 0 violations from R5 changes.