Skip to main content

V1 Security Readiness Checklist

Generated: 2026-06-26

Purpose

This checklist defines the security controls and validations required to claim V1 security readiness. It is a tracking document, not an implementation. Items are V1_BLOCKER unless otherwise noted.

Checklist

#ItemCategoryOwnerStatusEvidence
1Provider signature verification (Stripe)provider securityHermes✅ DONEstripe-signature-v1 authProfile
2Provider signature verification (Shopify HMAC)provider securityHermes❌ V1_BLOCKER (SH-01)
3Provider signature verification (Twilio)provider securityHermes❌ V1_BLOCKER (TW-01)
4Live E2E validation (GitHub)provider integrationHermes + DocsAI❌ V1_BLOCKER (GH-01)
5Live E2E validation (Shopify)provider integrationHermes + DocsAI❌ V1_BLOCKER (SH-02)
6Live E2E validation (Twilio)provider integrationHermes + DocsAI❌ V1_BLOCKER (TW-02)
7Twilio form-encoding runtime verificationprovider securityHermes❌ V1_BLOCKER (TW-03)
8Stripe golden test suite inclusionprovider validationHermes❌ V1_BLOCKER (ST-02)
9Local/password auth 2FA enrollmentauthenticationHermes❌ V1_BLOCKER (pending R22)
10Local/password auth 2FA verification (invalid OTP rejected)authenticationHermes❌ V1_BLOCKER (pending R22)
11Local/password auth 2FA verification (valid OTP accepted)authenticationHermes❌ V1_BLOCKER (pending R22)
12Route matrix accessible after 2FAauthenticationHermes❌ V1_BLOCKER (pending R22)
13/me endpoint succeeds after 2FAauthenticationHermes❌ V1_BLOCKER (pending R22)
142FA audit/security eventsobservabilityHermes❌ V1_BLOCKER (pending R22)
152FA recovery/reset pathauthenticationHermes❌ V1_BLOCKER (pending R22)
16OIDC MFA delegation to IdP (when configured)authenticationHermes🔶 V1_PARTIAL (requires docs)
17Acceptance gate contract-awareinfrastructureHermes🔶 PARTIALR21 gate
18Authenticated routes fail 403 TWO_FACTOR_REQUIREDauthenticationHermes🔶 PARTIALR21 gate

2FA/MFA Notes

  • Local/password auth: App-level 2FA (TOTP) is a V1 prerequisite. Enrollment, OTP verification (valid + invalid), route acceptance, audit events, and recovery path are all required.
  • Google/OIDC auth: May rely on identity provider MFA for V1 when configured. This is V1_PARTIAL — the IdP MFA configuration must be documented. If app-level MFA is later required for OIDC as well, that becomes a future hardening item.
  • Status: 2FA/MFA is V1_BLOCKER until Hermes R22 proves end-to-end enrollment, verification, and route acceptance after 2FA.

Legend

StatusMeaning
✅ DONEImplemented and evidenced
❌ V1_BLOCKERMust be resolved before V1 claim
🔶 V1_PARTIALWorks for some configurations or requires documentation
🔶 PARTIALImplemented for some paths