Security Architecture and Implementation Guide¶
Comprehensive security documentation for the AI-Augmented Security Operations Center (AI-SOC) platform. This guide establishes defense-in-depth security controls, authentication mechanisms, and operational security procedures for production deployments.
Table of Contents¶
- Security Architecture Overview
- Authentication and Authorization
- Rate Limiting and Traffic Control
- Input Validation and Sanitization
- HTTP Security Headers
- Secrets Management
- TLS and Certificate Management
- Cross-Origin Resource Sharing (CORS)
- Security Testing and Validation
- Incident Response Procedures
- Regulatory Compliance
- Production Deployment Checklist
Security Architecture Overview¶
AI-SOC implements a comprehensive defense-in-depth security architecture with eight distinct protection layers. Each layer provides independent security controls, ensuring that compromise of any single layer does not result in total system failure.
Multi-Layer Security Model¶
┌─────────────────────────────────────────────────────────────┐
│ INTERNET / USERS │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 1: Transport Layer Security (TLS 1.3) │
│ - Minimum TLS version enforcement │
│ - Strong cipher suite selection │
│ - Perfect Forward Secrecy (PFS) │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 2: HTTP Security Headers │
│ - Content Security Policy (CSP) │
│ - HTTP Strict Transport Security (HSTS) │
│ - X-Frame-Options, X-Content-Type-Options │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 3: Cross-Origin Request Validation │
│ - Origin header validation │
│ - Credential verification │
│ - Method and header restrictions │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 4: Rate Limiting and Traffic Shaping │
│ - Per-IP request limits │
│ - Per-API-key quotas │
│ - Sliding window algorithm │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 5: Authentication │
│ - JWT token validation (RFC 7519) │
│ - API key cryptographic verification │
│ - Session management │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 6: Authorization (Role-Based Access Control) │
│ - Scope-based permissions │
│ - Endpoint-level access control │
│ - Least privilege enforcement │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 7: Input Validation │
│ - SQL injection prevention (OWASP A03) │
│ - Command injection detection │
│ - LLM prompt injection prevention │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 8: Output Sanitization │
│ - Personally Identifiable Information (PII) redaction │
│ - Cross-site scripting (XSS) prevention │
│ - Sensitive data masking │
└───────────────────────┬─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ APPLICATION BUSINESS LOGIC │
└─────────────────────────────────────────────────────────────┘
Security Design Principles¶
- Defense in Depth: Multiple independent security layers prevent single points of failure
- Least Privilege: Services and users granted minimum necessary permissions
- Fail Secure: System defaults to secure state upon error conditions
- Complete Mediation: Every access request validated against authorization policy
- Separation of Duties: Critical operations require multiple independent approvals
Authentication and Authorization¶
The platform implements industry-standard authentication mechanisms based on JSON Web Tokens (JWT, RFC 7519) and API key cryptography, supporting both interactive user sessions and service-to-service authentication.
JSON Web Token (JWT) Authentication¶
JWT provides stateless authentication through cryptographically signed tokens containing user identity and authorization claims.
Token Structure and Claims¶
Standard JWT payload conforming to RFC 7519:
{
"sub": "user_id",
"scopes": ["read", "write", "admin"],
"exp": 1698765432,
"iat": 1698761832,
"type": "access"
}
Required Claims:
- sub (Subject): User or service identifier
- scopes (Custom): Authorization scopes for RBAC
- exp (Expiration Time): Token expiration timestamp (Unix epoch)
- iat (Issued At): Token issuance timestamp
- type (Custom): Token type differentiation (access vs refresh)
Authentication Methods¶
Method 1: API Key Authentication (Service-to-Service)
Cryptographically secure API keys with prefix identification:
curl -X POST https://api.ai-soc.example.com/analyze \
-H "Authorization: Bearer aisoc_<32-byte-random-key>" \
-H "Content-Type: application/json" \
-d @security_alert.json
Method 2: JWT Token Flow (Interactive Sessions)
OAuth2-compatible token exchange:
# Step 1: Obtain access and refresh tokens
curl -X POST https://api.ai-soc.example.com/auth/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=analyst&password=<secure-password>"
# Response (RFC 6749 compliant):
{
"access_token": "eyJhbGc...",
"refresh_token": "eyJhbGc...",
"token_type": "bearer",
"expires_in": 1800
}
# Step 2: Authenticated API request
curl -X POST https://api.ai-soc.example.com/analyze \
-H "Authorization: Bearer eyJhbGc..." \
-H "Content-Type: application/json" \
-d @security_alert.json
API Key Management¶
Secure Key Generation¶
Production-grade cryptographic key generation:
# Generate credentials with CSPRNG (Cryptographically Secure PRNG)
python scripts/generate_secure_credentials.py
# Programmatic key generation
from auth import init_auth_manager
auth = init_auth_manager(jwt_secret)
api_key = auth.generate_api_key(
user_id="ml_inference_service",
scopes=["read", "write"],
expires_days=365
)
Role-Based Access Control (RBAC) Scopes¶
| Scope | Permitted Operations | Use Case |
|---|---|---|
read |
HTTP GET operations only | Monitoring dashboards, reporting |
write |
HTTP POST, PUT operations | Alert ingestion, analysis requests |
admin |
All operations + administrative functions | System administration, configuration |
Token Lifecycle Management¶
Token Expiration¶
Access tokens expire after 30 minutes to limit attack surface. Refresh tokens valid for 7 days.
Token Refresh Protocol¶
Obtain new access token without re-authentication:
curl -X POST https://api.ai-soc.example.com/auth/refresh \
-H "Authorization: Bearer <refresh-token>"
Rate Limiting and Traffic Control¶
Comprehensive rate limiting prevents abuse, ensures fair resource allocation, and protects against denial-of-service attacks.
Rate Limiting Profiles¶
Three configurable profiles balancing security and usability:
| Profile | Default Limit | Analyze Endpoint | Batch Endpoint | RAG Query Endpoint |
|---|---|---|---|---|
| Strict | 30 req/min | 10 req/min | 5 req/min | 20 req/min |
| Moderate | 100 req/min | 30 req/min | 10 req/min | 50 req/min |
| Permissive | 300 req/min | 100 req/min | 50 req/min | 150 req/min |
Configuration¶
Environment-based profile selection:
Rate Limit Response Headers¶
Compliant with RFC 6585 (Additional HTTP Status Codes):
429 Too Many Requests Response¶
Standard HTTP 429 response with retry guidance:
{
"error": "Rate limit exceeded",
"detail": "Request quota exhausted. Retry after 45 seconds.",
"retry_after": 45
}
Custom Rate Limit Configuration¶
Programmatic rate limit definition:
from rate_limit import create_rate_limit_middleware
custom_limits = {
"default_limit": 100,
"default_window": 60,
"endpoint_limits": {
"/analyze": (20, 60), # 20 requests per 60 seconds
"/critical": (5, 60), # 5 requests per 60 seconds
"/batch": (2, 300) # 2 requests per 5 minutes
}
}
middleware = create_rate_limit_middleware(app, custom_limits=custom_limits)
Input Validation and Sanitization¶
Multi-layer input validation prevents injection attacks (SQL, command, LLM prompt injection) and ensures data integrity.
SQL Injection Prevention (OWASP A03)¶
Automatic pattern detection and blocking:
from security import validate_input
# Blocked attack vectors:
# - UNION SELECT attacks
# - DROP TABLE statements
# - Comment-based injection (--,#,/**/)
# - Semicolon-based multi-statement injection
# - Blind SQL injection patterns
is_valid, error = validate_input(user_input)
if not is_valid:
raise HTTPException(400, detail=error)
Command Injection Prevention¶
Shell command pattern detection:
# Blocked patterns (regex-based):
# - Command substitution: $(command), `command`
# - Command chaining: ; command, | command, & command
# - Path traversal: ../../../etc/passwd
# - Null byte injection: \x00
LLM Prompt Injection Detection¶
Advanced pattern matching for Large Language Model security:
from security import detect_prompt_injection
is_injection, attack_type = detect_prompt_injection(prompt)
# Detection patterns:
# - System prompt override attempts ("ignore previous instructions")
# - Role manipulation ("you are now DAN")
# - Jailbreak techniques (established attack taxonomies)
# - Instruction injection ("new instructions:")
# - Output format manipulation
Cross-Site Scripting (XSS) Prevention¶
HTML/JavaScript injection detection:
from security import detect_xss_patterns
is_xss, pattern_type = detect_xss_patterns(text)
# Detected attack vectors:
# - <script> tag injection
# - javascript: protocol handlers
# - Event handler attributes (onclick, onerror, onload)
# - HTML element injection (iframe, embed, object)
Data Sanitization and PII Redaction¶
Automatic sensitive data masking for logs and outputs:
from security import sanitize_log
log = "Authentication successful: password=SecurePass123! api_key=sk_abc123"
sanitized = sanitize_log(log)
# Output: "Authentication successful: password=***REDACTED*** api_key=***REDACTED***"
HTTP Security Headers¶
Comprehensive HTTP security headers implement browser-based security controls per OWASP Security Headers Project recommendations.
Implemented Security Headers¶
All HTTP responses include the following security headers:
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.trusted.com
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Content Security Policy (CSP)¶
CSP prevents XSS attacks and code injection through declarative resource loading restrictions:
from security import SecurityHeadersMiddleware
custom_csp = (
"default-src 'self'; "
"script-src 'self' https://trusted-cdn.com; "
"img-src 'self' data: https:; "
"connect-src 'self' https://api.trusted.com; "
"frame-ancestors 'none'"
)
app.add_middleware(SecurityHeadersMiddleware, csp_policy=custom_csp)
HTTP Strict Transport Security (HSTS)¶
HSTS enforces HTTPS connections for 1 year with subdomain inclusion:
Configuration: Submit domain to HSTS preload list at https://hstspreload.org/
Secrets Management¶
Comprehensive secrets management prevents credential exposure and enables secure rotation procedures.
Production Secrets Policy¶
Mandatory Requirements: 1. No hardcoded secrets in source code 2. No secrets in version control (enforce with git-secrets) 3. No secrets in environment variables on multi-tenant systems 4. Secrets encrypted at rest 5. Access logging for all secret retrievals
Docker Secrets (Production Deployment)¶
Docker Swarm secrets provide secure distribution:
# Create secrets from stdin (prevents shell history exposure)
echo "your-secret-value" | docker secret create jwt_secret_key -
echo "$(openssl rand -base64 32)" | docker secret create db_password -
# Reference in docker-compose.yml
services:
alert-triage:
secrets:
- jwt_secret_key
- db_password
environment:
- JWT_SECRET_FILE=/run/secrets/jwt_secret_key
- DB_PASSWORD_FILE=/run/secrets/db_password
secrets:
jwt_secret_key:
external: true
db_password:
external: true
Environment Variables (Development Only)¶
Development environment variable template:
# In .env.production
AISOC_JWT_SECRET_KEY=<64-character-random-string>
AISOC_DB_PASSWORD=<32-character-random-string>
AISOC_API_KEY_ADMIN=aisoc_<32-character-random-key>
Secrets Manager Interface¶
Abstracted secrets access for production flexibility:
from secrets_manager import init_secrets_manager
# Initialize at application startup
secrets = init_secrets_manager()
# Retrieve secrets with automatic rotation
jwt_secret = secrets.get_jwt_secret()
db_url = secrets.get_database_url()
redis_url = secrets.get_redis_url()
Credential Generation¶
Cryptographically secure credential generation:
# Generate production credentials
python scripts/generate_secure_credentials.py
# Outputs:
# - .env.production with all required credentials
# - Passwords: 32+ characters, high entropy
# - API keys: aisoc_ prefix + 32-byte random
# - JWT secret: 64-byte random for HS256
Credential Rotation Procedures¶
Rotation Schedule: Every 90 days minimum (industry best practice)
# Step 1: Generate new credentials
python scripts/generate_secure_credentials.py
# Step 2: Create new secret version
docker secret create jwt_secret_key_v2 <(echo "new-secret-value")
# Step 3: Update service with zero downtime
docker service update \
--secret-rm jwt_secret_key \
--secret-add source=jwt_secret_key_v2,target=jwt_secret_key \
ai-soc_alert-triage
# Step 4: Remove old secret after validation
docker secret rm jwt_secret_key
TLS and Certificate Management¶
Transport Layer Security (TLS) configuration follows industry best practices for encryption strength and protocol security.
TLS Configuration Standards¶
Minimum Requirements: - TLS Version: 1.3 minimum (1.2 acceptable with strong ciphers) - Cipher Suites: AES-256-GCM, ChaCha20-Poly1305 preferred - Perfect Forward Secrecy (PFS): Required - Certificate Key Size: RSA 4096-bit or ECDSA P-384
Certificate Acquisition¶
Option 1: Let's Encrypt (Production Recommended)
Automated certificate issuance with 90-day validity:
docker run -it --rm \
-v /etc/letsencrypt:/etc/letsencrypt \
-v /var/lib/letsencrypt:/var/lib/letsencrypt \
certbot/certbot certonly \
--standalone \
--agree-tos \
--email security@example.com \
-d api.ai-soc.example.com \
-d dashboard.ai-soc.example.com
Option 2: Self-Signed Certificates (Development Only)
Generate self-signed certificate for testing:
openssl req -x509 -nodes -days 365 \
-newkey rsa:4096 \
-keyout /etc/ssl/private/ai-soc-selfsigned.key \
-out /etc/ssl/certs/ai-soc-selfsigned.crt \
-subj "/C=US/ST=State/L=City/O=Organization/OU=Security/CN=localhost"
HTTPS Enforcement¶
Force all HTTP traffic to HTTPS:
Automated Certificate Renewal¶
Cron-based automatic renewal:
# /etc/cron.d/certbot-renewal
0 0 1 * * certbot renew --quiet --post-hook "docker-compose restart nginx"
Cross-Origin Resource Sharing (CORS)¶
CORS configuration balances API accessibility with origin-based access control.
Allowed Origins Configuration¶
Explicit origin whitelisting:
# In .env.production
ALLOWED_ORIGINS=https://dashboard.ai-soc.example.com,https://admin.ai-soc.example.com
CORS Policy Enforcement¶
Production Requirements: - Exact origin matching (no wildcards) - Credentials allowed only for authenticated origins - Preflight request caching (1 hour maximum)
Implementation¶
from security import CORSSecurityMiddleware
app.add_middleware(
CORSSecurityMiddleware,
allowed_origins=[
"https://dashboard.ai-soc.example.com",
"https://admin.ai-soc.example.com"
],
allow_credentials=True,
allowed_methods=["GET", "POST", "PUT", "DELETE"],
allowed_headers=["Authorization", "Content-Type"],
max_age=3600 # Preflight cache duration
)
Security Testing and Validation¶
Comprehensive security testing validates implementation against OWASP Top 10 and industry standards.
Security Test Execution¶
# Execute complete security test suite
pytest tests/security/ -v
# OWASP Top 10 validation
pytest tests/security/test_owasp_top10.py -v
# Category-specific testing
pytest tests/security/ -v -m "injection"
pytest tests/security/ -v -m "authentication"
pytest tests/security/ -v -m "llm_security"
OWASP Top 10 Coverage¶
| Category | Test Count | Status | Coverage |
|---|---|---|---|
| A01: Broken Access Control | 3 | Pass | JWT validation, RBAC enforcement |
| A02: Cryptographic Failures | 2 | Pass | TLS 1.3, secure password hashing |
| A03: Injection | 8 | Pass | SQL, command, prompt injection |
| A04: Insecure Design | 2 | Pass | Rate limiting, secure defaults |
| A05: Security Misconfiguration | 2 | Pass | Security headers, error handling |
| A07: Authentication Failures | 2 | Pass | Strong auth, no default credentials |
| A09: Security Logging | 2 | Pass | Prometheus metrics, audit logging |
| A10: SSRF | 1 | Pass | URL validation, internal IP blocking |
| LLM: Prompt Injection | 2 | Pass | Pattern detection, content filtering |
Automated Security Scanning¶
Dependency Vulnerability Scanning:
# Python dependency analysis
pip install safety
safety check --json --output safety-report.json
# Container image vulnerability scanning
docker scan ai-soc/alert-triage:latest
# Alternative: Trivy for comprehensive scanning
trivy image --severity HIGH,CRITICAL ai-soc/alert-triage:latest
Static Application Security Testing (SAST):
# Python code security analysis
bandit -r services/ -f json -o bandit-report.json
# SAST with Semgrep
semgrep --config=p/security-audit --json services/
Incident Response Procedures¶
Structured incident response procedures enable rapid detection, containment, and recovery from security events.
Detection Phase¶
Monitoring Triggers: - Failed authentication attempts (threshold: 5 in 1 minute) - Rate limit violations (HTTP 429 responses) - Input validation failures - LLM prompt injection detection - Abnormal API usage patterns - Privilege escalation attempts
Containment Phase¶
Immediate containment actions:
# Block malicious source IP
iptables -A INPUT -s <malicious-ip> -j DROP
# Revoke compromised API key
curl -X DELETE https://api.ai-soc.example.com/admin/api-keys/<key-id> \
-H "Authorization: Bearer <admin-token>"
# Enable emergency rate limiting
export RATE_LIMIT_PROFILE=strict
docker-compose restart ai-services
Investigation Phase¶
Forensic data collection:
# Review security violation metrics
docker logs alert-triage | grep "security_violations_total"
# Query Prometheus for security events
curl http://localhost:9090/api/v1/query?query=security_violations_total
# Audit authentication failures
grep "401 Unauthorized" /var/log/ai-soc/alert-triage.log
Remediation Phase¶
- Rotate all compromised credentials
- Update firewall rules to block attack sources
- Patch identified vulnerabilities
- Review and update security policies
- Deploy enhanced monitoring for affected systems
Post-Incident Phase¶
Required Documentation: - Complete incident timeline - Root cause analysis - Attack vector identification - Remediation actions taken - Lessons learned and process improvements
Emergency Contact Information¶
Security Team Lead: security@example.com
On-Call Engineering: oncall@example.com
Incident Response: incident@example.com
Executive Escalation: ciso@example.com
Regulatory Compliance¶
The platform implements controls supporting multiple regulatory frameworks and security standards.
OWASP Top 10 2021 Compliance¶
Full compliance achieved across all categories:
- A01: Broken Access Control - JWT with RBAC implementation
- A02: Cryptographic Failures - TLS 1.3, bcrypt password hashing
- A03: Injection - Comprehensive input validation
- A04: Insecure Design - Rate limiting, secure by default
- A05: Security Misconfiguration - Security headers, minimal attack surface
- A06: Vulnerable Components - Automated dependency scanning
- A07: Authentication Failures - Strong authentication, no defaults
- A08: Data Integrity - Input validation, cryptographic signatures
- A09: Security Logging - Prometheus metrics, comprehensive audit trail
- A10: SSRF - Input validation, internal IP blocking
Security Certifications and Standards¶
| Standard | Compliance Status | Notes |
|---|---|---|
| OWASP Top 10 | Compliant (10/10) | All categories addressed |
| CIS Docker Benchmark | 85% compliant | Container hardening in progress |
| PCI DSS | Not applicable | No payment card data handling |
| GDPR | Compliant | Data minimization, encryption, right to erasure |
| SOC 2 Type II | In progress | Audit scheduled Q2 2026 |
Audit Schedule¶
- Internal Security Audits: Quarterly
- External Penetration Testing: Annual
- Dependency Vulnerability Scanning: Weekly (automated)
- Code Security Reviews: Per major release
- Compliance Assessment: Semi-annual
Production Deployment Checklist¶
Comprehensive validation checklist for production security readiness.
Pre-Deployment Security Validation¶
Credential and Secrets Management: - [ ] Generate production credentials with CSPRNG - [ ] Store secrets in HashiCorp Vault or equivalent - [ ] Verify no secrets in source code or environment variables - [ ] Configure automatic secret rotation schedules - [ ] Test secret retrieval and application startup
TLS and Network Security:
- [ ] Obtain production TLS certificates (Let's Encrypt or CA)
- [ ] Configure TLS 1.3 minimum version
- [ ] Enable HTTPS redirect (FORCE_HTTPS=true)
- [ ] Configure HSTS header with preload
- [ ] Verify cipher suite configuration
Access Control:
- [ ] Configure CORS allowed origins (no wildcards)
- [ ] Set rate limit profile to strict or moderate
- [ ] Enable API key authentication on all endpoints
- [ ] Configure RBAC scopes for service accounts
- [ ] Disable debug mode (DEBUG_MODE=false)
Monitoring and Logging: - [ ] Configure security monitoring alerts (Prometheus) - [ ] Enable audit logging for authentication events - [ ] Configure log aggregation (OpenSearch/ELK) - [ ] Test incident response procedures - [ ] Document emergency escalation contacts
Testing and Validation: - [ ] Execute complete security test suite (pytest) - [ ] Perform SAST scan (Bandit, Semgrep) - [ ] Execute dependency vulnerability scan (Safety, Trivy) - [ ] Conduct penetration testing (internal or external) - [ ] Verify OWASP Top 10 compliance
Post-Deployment Validation¶
Verification Steps: - [ ] Confirm HTTPS enforcement (HTTP redirects to HTTPS) - [ ] Validate authentication on all protected endpoints - [ ] Verify rate limiting behavior (test 429 responses) - [ ] Check security headers in HTTP responses - [ ] Monitor for security violations in first 24 hours
Operational Security: - [ ] Configure automated credential rotation - [ ] Enable intrusion detection (Wazuh) - [ ] Set up security incident dashboard - [ ] Schedule first security review (30 days post-deployment) - [ ] Verify backup and recovery procedures
Monthly Security Tasks¶
- Review security logs for anomalies
- Execute dependency vulnerability scan
- Audit API key usage and permissions
- Rotate development/staging credentials
- Update security documentation
Quarterly Security Tasks¶
- Rotate production credentials (all services)
- Conduct internal security audit
- Review and update security policies
- Test incident response procedures (tabletop exercise)
- Update security training materials
Additional Resources¶
Standards and Frameworks¶
- OWASP Top 10: https://owasp.org/www-project-top-10/
- OWASP API Security Top 10: https://owasp.org/API-Security/editions/2023/en/0x11-t10/
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- CIS Docker Benchmark: https://www.cisecurity.org/benchmark/docker
Technical Documentation¶
- FastAPI Security: https://fastapi.tiangolo.com/tutorial/security/
- JWT Best Practices (RFC 8725): https://datatracker.ietf.org/doc/html/rfc8725
- TLS Configuration: https://ssl-config.mozilla.org/
Security Tools¶
- Bandit (Python SAST): https://bandit.readthedocs.io/
- Safety (Dependency Scanner): https://pyup.io/safety/
- Trivy (Container Scanner): https://github.com/aquasecurity/trivy
- OWASP ZAP (DAST): https://www.zaproxy.org/
Training and Certification¶
- OWASP API Security Training
- Secure Coding Practices (CERT, SEI)
- GIAC Secure Software Programmer (GSSP)
- Certified Secure Software Lifecycle Professional (CSSLP)
Support and Reporting¶
Security Vulnerability Reporting: security@ai-soc.example.com PGP Key: https://ai-soc.example.com/security.asc
Documentation: https://docs.ai-soc.example.com
Issue Tracking: https://github.com/your-org/ai-soc/issues
Document Version: 1.0 Last Updated: October 24, 2025 Next Review: January 24, 2026 Classification: Internal Use