Security redteam hardening
GitCaster now publishes the local security redteam scripts, beta safety gate, audit rehearsal notes, and public hardening evidence as a public-alpha developer layer. The release proves deterministic local guardrails, not audit completion or production readiness.
Public artifacts
These files are safe contribution surfaces for local security hardening.
Security beta gate
Deterministic local gate for secret scans, fake live claims, hosted dependency claims, token/domain freezes, signed mutation blockers, and object-store honesty.
Path: scripts/security/run-beta-gate.cjs

Redteam suite
Local redteam runner for crypto invariants, replay attacks, capability abuse, and deployment proof abuse.
Path: scripts/security/redteam/run-redteam-suite.cjs

Crypto audit rehearsal
Contributor-facing rehearsal notes that do not replace an external security audit.
Path: docs/security/crypto-audit-rehearsal.md

Public hardening evidence
Public-alpha evidence tying scripts, docs, blockers, and non-claims together.
Path: launch/evidence/security-redteam-public-hardening-source.json

Deterministic coverage
The checker writes evidence for local guardrails and rejected abuse cases.
Secret scan
Public source is scanned for private keys, credential URLs, bearer tokens, and secret-like assignments.
Status: fixture_only

Fake-live claim blocking
Unsupported QStorage, CasterCloud, .caster, production, public-node, and token utility claims are rejected or downgraded.
Status: fixture_only

Hosted dependency blocking
Hosted service references cannot be described as production, canonical, primary, deployed, or live requirements.
Status: fixture_only

Capability abuse
Mutation attempts without the needed signer, capability, or node endpoint stay blocked.
Status: fixture_only

Deployment proof abuse
Placeholder, hosted, dry-run, and fake live proofs cannot become production evidence.
Status: fixture_only

Evidence integrity
Evidence files must not carry secrets or production approval flags without proof.
Status: fixture_only

Still blocked
These claims require external proof and remain outside this public-alpha release.
External security audit completion
No public release claim is made for this item in the current evidence set.
Status: blocked_external

Production security readiness
No public release claim is made for this item in the current evidence set.
Status: blocked_external

Managed infrastructure safety
No public release claim is made for this item in the current evidence set.
Status: blocked_external

Public node federation safety
No public release claim is made for this item in the current evidence set.
Status: blocked_external

QStorage or CasterCloud live deployment safety
No public release claim is made for this item in the current evidence set.
Status: blocked_external

Automated custody or billing safety
No public release claim is made for this item in the current evidence set.
Status: blocked_external

Verification command
The public-alpha checker runs the redteam suite, PR-27 rehearsal gate, and PR-18 beta safety gate.
pnpm run security-redteam:check