## Goal

Define the minimum security posture required for every Beacon environment before moving to production.

## Mandatory checklist

<Steps>
  <Step title="1) Secrets and credentials">Store secrets in a dedicated vault, rotate automatically, and never expose them in code, logs, or public docs.</Step>
  <Step title="2) Access and permissions">Enforce least privilege, keeping in mind that the product currently exposes only `OWNER` and `ADMIN` roles.</Step>
  <Step title="3) Event integrity">Enable webhook signature validation, verify timestamp, and enforce idempotency end-to-end.</Step>
  <Step title="4) Audit and traceability">Guarantee audit trail, retention, and capture `code`, `nextAction`, `webhookEventId`, and `queueJobId` for critical operations.</Step>
  <Step title="5) Incident response">Maintain validated runbooks and escalation contacts.</Step>
</Steps>

## Control matrix by domain

| Domain | Minimum control | Evidence |
| --- | --- | --- |
| API | Session bearer tokens, explicit `org`, and membership review | Session policy + access audit logs |
| Webhooks | Signature validation + `event.id` deduplication + auditable replay | Validation logs + replay checks by `webhookEventId` |
| Dashboard | MFA and segregation between `OWNER` and `ADMIN` | Monthly access review |
| Fiscal | `setup-state` as the single source of truth, document integrity, and reconciliation | Close report + exception register |

## Forbidden patterns

- Real credentials in documentation examples.
- Internal/dev-only endpoints in public docs.
- Full personal data exports through uncontrolled channels.

<Warning title="Go-live">If any control in this baseline is missing, do not move to production.</Warning>
