Layered Defence Summary
```text
Browser
│ CSP · HSTS preload · SRI on third-party
▼
Netlify edge (Deno)
│ auth-gate · nim-proxy · ws-proxy · per-IP token bucket
▼
AWS Lambda Function URL
│ ZeroTrustShield: mTLS-or-JWT · Redis rate limit · security headers
▼
FastAPI app
│ Pydantic strict schemas · RLS-aware Supabase client · structlog audit
▼
Supabase (Postgres)
│ RLS deny-by-default · append-only triggers · pgaudit
▼
Polygon PoS
│ immutable hash anchors
```
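The per-IP token bucket listed at the Netlify edge layer, as an added example that is not the project's own code. Capacity, refill rate, the injected clock and the header names are assumptions; the limiter is pure TypeScript with no Deno-specific APIs so it runs anywhere and can be driven with a fake clock.

```typescript
// Added example (not the project's edge code): per-IP token bucket limiter.
// Capacity/refill values and the injected clock are assumptions for illustration.

interface Bucket { tokens: number; updatedAt: number }

interface Decision {
  allowed: boolean;
  remaining: number;     // whole tokens left after this decision
  retryAfterSec: number; // 0 when allowed, else seconds until one token refills
}

class TokenBucketLimiter {
  private readonly buckets = new Map<string, Bucket>();

  constructor(
    private readonly capacity: number,     // burst size per IP
    private readonly refillPerSec: number, // sustained rate per IP
    private readonly now: () => number = () => Date.now(), // ms clock, injectable
  ) {}

  /** Charge `cost` tokens to `ip`; returns whether the request may proceed. */
  take(ip: string, cost = 1): Decision {
    const t = this.now();
    const b = this.buckets.get(ip) ?? { tokens: this.capacity, updatedAt: t };
    // Lazy refill: add tokens for the elapsed time, never exceeding capacity.
    const elapsedSec = Math.max(0, t - b.updatedAt) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedAt = t;
    this.buckets.set(ip, b);

    if (b.tokens >= cost) {
      b.tokens -= cost;
      return { allowed: true, remaining: Math.floor(b.tokens), retryAfterSec: 0 };
    }
    const deficit = cost - b.tokens;
    return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(deficit / this.refillPerSec) };
  }

  /** Drop buckets idle long enough to be full again; bounds memory per isolate. */
  evictIdle(): number {
    const t = this.now();
    const idleMs = (this.capacity / this.refillPerSec) * 1000;
    let evicted = 0;
    for (const [ip, b] of this.buckets) {
      if (t - b.updatedAt >= idleMs) { this.buckets.delete(ip); evicted++; }
    }
    return evicted;
  }
}

/** Headers an edge function would attach; names are an assumed convention. */
function rateLimitHeaders(d: Decision, capacity: number): Record<string, string> {
  const h: Record<string, string> = {
    "X-RateLimit-Limit": String(capacity),
    "X-RateLimit-Remaining": String(d.remaining),
  };
  if (!d.allowed) h["Retry-After"] = String(d.retryAfterSec);
  return h;
}

// Usage with a constructed client address (documentation range, not a real host):
const demoLimiter = new TokenBucketLimiter(5, 1);
const demoDecision = demoLimiter.take("203.0.113.7");
console.log(demoDecision.allowed, rateLimitHeaders(demoDecision, 5));
```

The bucket is refilled lazily on each request rather than by a timer, so a cold isolate needs no background work, and `evictIdle` keeps the map from growing without bound under address churn. In an edge runtime the client address would come from the platform's request context, which this example does not model.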
Key Rotation
| Asset | Rotation cadence | Tooling |
|---|---|---|
| JWT signing key | 90 days | JWKS endpoint + cache TTL 1 h |
| NIM API key | 30 days | Doppler → Netlify env injection |
| Polygon hot-wallet | 180 days | hardware-backed signer migration |
| Supabase service role | 90 days | rotated via Doppler with zero-downtime overlap |
| mTLS device certs | 365 days | per-node CSR through ACME-compatible CA |
Incident Severity Matrix
| Sev | Examples | First response | Public disclosure |
|---|---|---|---|
| SEV-1 | Audit chain break · live data tampering · key compromise | Page on-call within 5 min · disable affected component · CAP Cancel if forecast affected | Within 24 h |
| SEV-2 | Sustained 5xx > 10 min · auth bypass | Page on-call within 15 min | Within 72 h |
| SEV-3 | Degraded performance · single-source outage | Investigate next business day | In monthly status |
| SEV-4 | Cosmetic / non-impacting | Backlog | None |
Pen-Test Cadence
- External red-team: annually, contracted to a CERT-In empanelled firm.
- Internal grey-box: quarterly, executed by SRE rotation.
- Continuous: Bandit + Safety + Trivy + ZAP baseline (weekly cron).
- Bug-bounty: scoped to staging origin (snow-ir-staging.netlify.app) with reward tiers aligned to the severity matrix above.