R5 2FA/MFA V1 Security Contract Alignment

Task: DOCSAI_P0_V1_2FA_MFA_SECURITY_CONTRACT_ALIGNMENT_R5
Generated: 2026-06-26
Generator: DocsAI
Docs commit: a2ad6bccdc83b207c4e4964bd592c30e2666a4d4 (origin/main at start of R5)

Scope

Aligned documentation, security contracts, Trust Scenario Registry, and readiness surfaces to treat 2FA/MFA as a V1 security prerequisite. No runtime 2FA implementation — docs/evidence alignment only.

Surfaces Updated

| Surface | Action | Status |
|---|---|---|
| docs/security/security-validation-v1-cutline.md | Added 2FA row to V1 Required table; added rule 6 | ✅ UPDATED |
| docs/security/trust-scenario-registry.md | Added 8 AUTH-2FA-* scenarios (V1_BLOCKER); updated summary | ✅ UPDATED |
| docs/security/security-validation-suite.md | Added 2FA/MFA section to Authentication scenarios | ✅ UPDATED |
| docs/security/v1-security-readiness-checklist.md | Created with 18 items including 2FA | ✅ CREATED |
| docs/security/index.md | Added 2FA/MFA to capabilities table | ✅ UPDATED |
| docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/2fa_v1_security_contract_alignment.json | Evidence JSON | ✅ CREATED |
| docs/80-EVIDENCE/docsai/r5-2fa-v1-security-contract/2fa_v1_security_contract_alignment.md | Evidence MD | ✅ CREATED |
| docs/80-EVIDENCE/docsai/r2-audit/provider_package_v1_gap_audit.json | Added 2FA to global V1 blockers | ✅ UPDATED |
| docs/80-EVIDENCE/docsai/r2-audit/provider_package_v1_gap_audit.md | Added R5 2FA section | ✅ UPDATED |
| docs/llms.txt | Added 2FA prerequisite note | ✅ UPDATED |
| static/llms.txt | Added 2FA prerequisite note | ✅ UPDATED |
| docs/ai/security-posture.md | Added Local auth 2FA to highlights | ✅ UPDATED |

Scenarios Added

| ID | Title | Status | Owner |
|---|---|---|---|
| AUTH-2FA-01 | Local login returns TWO_FACTOR_REQUIRED | V1_BLOCKER | Hermes |
| AUTH-2FA-02 | TOTP enrollment or sandbox-safe seed | V1_BLOCKER | Hermes |
| AUTH-2FA-03 | Invalid OTP rejected | V1_BLOCKER | Hermes |
| AUTH-2FA-04 | Valid OTP completes authentication | V1_BLOCKER | Hermes |
| AUTH-2FA-05 | /me succeeds after 2FA | V1_BLOCKER | Hermes |
| AUTH-2FA-06 | Authenticated route matrix after 2FA | V1_BLOCKER | Hermes |
| AUTH-2FA-07 | 2FA audit/security events | V1_BLOCKER | Hermes |
| AUTH-2FA-08 | Recovery/reset path | V1_BLOCKER | Hermes |

V1 Blocker Statement

2FA/MFA is a V1 blocker until Hermes R22 proves end-to-end enrollment/verification and route acceptance after 2FA.

Required Hermes R22 Evidence

  1. TOTP enrollment endpoint works (seed provisioned)
  2. Invalid OTP returns 401
  3. Valid OTP returns 200/session
  4. /me succeeds after 2FA
  5. Routes accessible after 2FA (full matrix)
  6. Audit events for 2FA lifecycle
  7. Recovery/reset path documented

Current Status

  • DocsAI (R5): ✅ PASS — all security contract surfaces aligned
  • Hermes (R22): ❌ PENDING — runtime evidence required
  • 2FA claim: ❌ Do NOT claim until R22 evidence lands

Claim Safety

Scan completed: 590 matches, 0 violations from R5 changes.