chore: root commit of OWSAP security testing/tightening

tests-results-for-OWASP/residual-risk-backlog.md

@@ -0,0 +1,26 @@
+# OWASP Residual Risk Backlog
+
+Last updated: March 2, 2026
+
+Use this file to track non-blocking hardening items that remain after automated controls pass.
+
+## Open items
+
+| ID | OWASP | Residual risk | Status |
+|---|---|---|---|
+| RR-001 | A01 | Add explicit authorization integration tests for all future admin-only routes (deny-by-default coverage expansion). | Open |
+| RR-002 | A02 | Add runtime CSP and full security-header verification from deployed edge stack (not only config checks). | Open |
+| RR-003 | A03 | Add stronger supply-chain provenance controls (digest pinning, SLSA attestations, artifact signing). | Open |
+| RR-004 | A04 | Add key rotation runbook validation and automated stale-key detection checks. | Open |
+| RR-005 | A05 | Add static taint analysis or Semgrep policy bundle in CI for command/SQL injection sinks. | Open |
+| RR-006 | A06 | Add abuse-case tests for account recovery and verification flows under distributed-IP pressure. | Open |
+| RR-007 | A07 | Add MFA/WebAuthn roadmap tests once MFA is implemented; currently password+lockout only. | Open |
+| RR-008 | A08 | Add signed backup manifests and restore provenance verification for operational artifacts. | Open |
+| RR-009 | A09 | Add alerting pipeline assertions (SIEM/webhook delivery) in pre-prod smoke tests. | Open |
+| RR-010 | A10 | Add egress firewall enforcement tests to complement application-layer SSRF guards. | Open |
+
+## Close criteria
+
+1. A concrete control is implemented and validated by an automated test or policy gate.
+2. Evidence is attached in `evidence-log-template.md`.
+3. Owning team marks item as Closed with date and link to implementation PR.