Security Posture Checklist

When to use: Before promoting releases to shared staging or production environments.

Prerequisites:

  • Access to the target environment's configuration and Kubernetes cluster
  • Ability to run security integration tests (go test -tags 'security integration')
  • Familiarity with Cruvero's security configuration variables

Runtime Isolation

  • CRUVERO_SANDBOX_MODE set to gvisor or nsjail (not process).
  • Sandbox runtime binaries available on hosts (runsc and/or nsjail).
  • Host integration tests executed:
    • CRUVERO_RUN_HOST_SANDBOX_TESTS=true go test -tags 'security integration' ./internal/security -run Host

Policy Enforcement

  • CRUVERO_NETWORK_POLICY_ENABLED=true
  • CRUVERO_NETWORK_DEFAULT_POLICY=deny
  • Registry network_policy definitions validated for all active registries.
  • MCP strict endpoint pinning enabled (CRUVERO_MCP_STRICT_ENDPOINTS=true).

Prompt and Output Controls

  • CRUVERO_INPUT_SANITIZATION=true
  • CRUVERO_INPUT_SANITIZATION_MODE=block (or approved alternative)
  • CRUVERO_OUTPUT_PII_REDACTION=true
  • CRUVERO_OUTPUT_CREDENTIAL_SCAN=true

Secret Handling

  • Vault configured (CRUVERO_VAULT_ADDR, token/OIDC workflow).
  • No long-lived provider credentials in plain environment variables for production workloads.
  • Audit query spot-check confirms secret redaction is effective.
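
The variable settings listed under Runtime Isolation, Policy Enforcement, Prompt and Output Controls and Secret Handling can be checked mechanically before promotion. The script below is an added example, not part of Cruvero; it assumes the target environment's settings are available as an unquoted KEY=VALUE file, and its function names and output format are illustrative.

```shell
#!/bin/sh
# Added example: gate on the checklist's configuration variables.
# Assumption: settings are available as an unquoted KEY=VALUE env file.

# get_var FILE KEY: print the last value assigned to KEY (empty if unset).
get_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# expect FILE KEY VALUE...: report FAIL unless KEY holds an accepted value.
expect() {
    ef=$1 ek=$2; shift 2
    actual=$(get_var "$ef" "$ek")
    for want in "$@"; do
        [ "$actual" = "$want" ] && return 0
    done
    echo "FAIL $ek=${actual:-<unset>} (want: $*)"
    return 1
}

# check_posture FILE: print findings; succeed only when there is no FAIL.
check_posture() {
    file=$1 failures=0
    expect "$file" CRUVERO_SANDBOX_MODE gvisor nsjail || failures=$((failures + 1))
    expect "$file" CRUVERO_NETWORK_DEFAULT_POLICY deny || failures=$((failures + 1))
    for key in CRUVERO_NETWORK_POLICY_ENABLED CRUVERO_MCP_STRICT_ENDPOINTS \
               CRUVERO_INPUT_SANITIZATION CRUVERO_OUTPUT_PII_REDACTION \
               CRUVERO_OUTPUT_CREDENTIAL_SCAN; do
        expect "$file" "$key" true || failures=$((failures + 1))
    done
    # The checklist allows an approved alternative to "block": warn, do not fail.
    mode=$(get_var "$file" CRUVERO_INPUT_SANITIZATION_MODE)
    [ "$mode" = block ] ||
        echo "WARN CRUVERO_INPUT_SANITIZATION_MODE=${mode:-<unset>} (confirm approval)"
    # Vault must be configured; the address itself is site-specific.
    if [ -z "$(get_var "$file" CRUVERO_VAULT_ADDR)" ]; then
        echo "FAIL CRUVERO_VAULT_ADDR=<unset>"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}

# Run against a file when one is given, e.g. ./posture_check.sh staging.env
[ $# -eq 0 ] || check_posture "$1"
```

A non-zero exit status can block the promotion job. The sandbox binaries, registry definitions, host integration tests and audit spot-check still need the manual steps in this checklist.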

Monitoring and Alerting

  • Prometheus/Loki rules from deploy/monitoring/ applied.
  • Alerts routed for:
    • network_policy_denied
    • output_filter_blocked
    • injection_detected_total
    • audit backpressure
    • failover churn
  • Security alerts dashboard (/security.html) reviewed for active tenants.