Live Security

0x0 Live security defaults are source-owned and release-gated. The policy lives

at frameworks/live/security-policy.tsv.

Run:

make live-security-check

Production Controls

The Live security gate validates:

• Content Security Policy that denies inline scripts and styles;
• SHA-256 asset integrity for generated client and style assets;
• XSS checks for template output, event names, and attribute values;
• WebSocket and form origin allowlists;
• host header allowlists;
• request body limits;
• fail-closed upload scan hooks;
• per-session, per-IP, and per-scope rate limits;
• capability and scope denial before runtime work;
• session secret rotation with active and previous keys;
• explicit key-management ownership and custody.

Negative Tests

The bounded gate rejects unsafe inline assets, cross-origin socket attempts,

oversized request bodies, unauthorized scopes, and incomplete policy rows. The

stable diagnostics are documented in docs/diagnostics.html.

Operator Notes

Production deployments must configure endpoint hosts, allowed origins, session

secret key ids, key custody, and rotation windows. Development may use local

origins, but it must still keep inline assets denied and generated asset

integrity present.