Org-wide Security Mapping Initiative (Apps, CI/CD, Identity, Data, Runtime) #13

@chitcommit

Description

Objective

Run a single, evidence-based security mapping program across the ecosystem (not limited to 1Password Connect) to establish risk visibility, ownership, and a prioritized remediation backlog.

Scope

  • Orgs/repos: chittyos, chittyapps, chittyfoundation, chittycorp, furnished-condos
  • Layers:
    • Identity and secrets (1Password Connect/service accounts, token flows, rotation paths)
    • CI/CD controls (branch protection, required checks, SCA, secret scanning, provenance)
    • Application and API authz/authn boundaries (MCP gateways, service-to-service trust)
    • Data stores and custody (Neon, D1, KV, R2, backups, encryption, retention)
    • Runtime/network exposure (Cloudflare routes, workers, containers, ingress, egress)
    • Observability and incident response readiness

Deliverables

  1. Security topology map (systems, trust boundaries, identity edges)
  2. Control matrix by repo/service (implemented vs missing)
  3. Risk register with severity, blast radius, owner, and due date
  4. Prioritized remediation plan (P0/P1/P2) with implementation tickets
  5. Verification checklist and recurring review cadence

Workstreams

  • WS1 Asset inventory and dependency graph
  • WS2 Identity/secrets mapping (human + machine credentials)
  • WS3 CI/CD and SDLC control mapping
  • WS4 Runtime and data-plane hardening map
  • WS5 Threat scenarios + abuse path validation
  • WS6 Remediation execution and closure evidence

Acceptance Criteria

  • 100% repo inventory with owner + criticality classification
  • Token/secret flows documented for all production services
  • CI security gates defined and enforced for all active repos
  • P0 findings have owner + due date + validation criteria
  • Leadership-ready summary with residual risk statement

Initial P0 Focus

  • Service-token strategy (non-interactive, least-privilege, rotation tested)
  • Secrets exposure prevention (history scan + CI secret gates)
  • Durable auth boundaries for MCP/service ingress
  • Baseline branch protection and required checks across orgs
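The "history scan + CI secret gates" item above is the one P0 that reduces to a mechanical check. The following is an added example, not code from this issue or from any of the listed orgs: a minimal pre-merge gate that parses a unified diff, scans only the added lines, and fails the job if a likely credential was committed. The detection rules, entropy threshold, and the two-file sample diff are constructed for illustration; the `op://vault/item/field` form is 1Password's secret-reference syntax and is allowlisted because a reference is not a secret, and `AKIAIOSFODNN7EXAMPLE` is AWS's published example key ID.

```python
"""Secret gate over a unified diff (illustrative; rules are assumptions)."""
import math
import re
import sys
from dataclasses import dataclass

# Illustrative patterns. A real gate would use a maintained rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # keyword = "value": the value is captured in group 2 and entropy-checked
    "generic_assignment": re.compile(
        r"(?i)(secret|token|password|api[_-]?key)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=:.]{20,})"
    ),
}
# Values that are references, not secrets: 1Password references and
# GitHub Actions secret-context expressions.
ALLOWED_VALUE_PREFIXES = ("op://", "${{")
ENTROPY_THRESHOLD = 3.5  # bits/char; assumed cut-off for "looks random"
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..."


def scan_line(path: str, line_no: int, text: str) -> list:
    out = []
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            candidate = m.group(m.lastindex) if m.lastindex else m.group(0)
            if candidate.startswith(ALLOWED_VALUE_PREFIXES):
                continue  # reference to a secret store, not a secret
            if rule == "generic_assignment" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                continue  # low-entropy assignment, e.g. a descriptive placeholder
            out.append(Finding(path, line_no, rule, redact(candidate)))
    return out


def scan_diff(diff_text: str) -> list:
    """Walk a unified diff, scanning only '+' lines, tracking new-file line numbers."""
    findings, current_file, new_line = [], "<unknown>", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        if raw.startswith(("--- ", "diff ")):
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue  # removed lines do not occupy a new-file line number
        if raw.startswith("+"):
            findings.extend(scan_line(current_file, new_line, raw[1:]))
        new_line += 1  # added and context lines both advance the counter
    return findings


def gate(diff_text: str) -> int:
    """CI entry point: exit 1 when any finding exists, 0 otherwise."""
    findings = scan_diff(diff_text)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})", file=sys.stderr)
    return 1 if findings else 0


# Constructed sample diff: one allowlisted reference, one leaked key, one
# high-entropy literal committed into a workflow file.
SAMPLE_DIFF = """\
diff --git a/worker/wrangler.toml b/worker/wrangler.toml
--- a/worker/wrangler.toml
+++ b/worker/wrangler.toml
@@ -1,3 +1,5 @@
 name = "mcp-gateway"
+# token is resolved from 1Password at deploy time, not committed
+API_TOKEN = "op://infra/mcp-gateway/token"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 compatibility_date = "2024-01-01"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -10,1 +10,4 @@
       - run: npm ci
+      - run: echo "$SESSION_SECRET"
+        env:
+          SESSION_SECRET: "q7Zt2pLm9XvB4nKs8RwC1yHd"
"""

if __name__ == "__main__":
    # In CI: git diff origin/main...HEAD | python secret_gate.py
    sys.exit(gate(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()))
```

The gate reports file and line so the closure evidence this epic asks for can be attached directly to the follow-up ticket; the allowlist is what keeps a move to secret references from tripping the very control that motivated it.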

Notes

This issue is the tracking epic. Follow-up implementation issues should link back here and include concrete evidence (logs/screenshots/report artifacts).

Metadata

Assignees: no one assigned

Labels: enhancement (New feature or request), security (Security planning and remediation)

Milestone: no milestone