# OWASP Verification Evidence Log Template

## Run metadata

- Date:
- Environment: `local` | `staging` | `production`
- App/API version (git SHA):
- Operator:
- Incident/reference ticket (if recovery event):

## Environment flags

- `NODE_ENV`:
- `AUTH_DISABLED`:
- `ALLOW_INSECURE_AUTH_FOR_DEV`:
- `COMPOSE_PROJECT_NAME`:
- `EXPECTED_PROD_DB_HOST`:
- `EXPECTED_PROD_DB_NAME`:

## Commands executed

1. ```bash
   # command
   ```
   Output summary:

2. ```bash
   # command
   ```
   Output summary:

3. ```bash
   # command
   ```
   Output summary:

4. ```bash
   # command
   ```
   Output summary:

## Recoverability Evidence

- Current Postgres container:
- Mounted volume(s):
- Candidate old volume(s) inspected:
- Recoverable artifact found: `yes` | `no`
- Artifact location:
- Recovery decision:

## Backup/Restore Drill Evidence

- Latest backup file:
- Latest checksum file:
- Checksum verified: `yes` | `no`
- Restore test DB name:
- Restore succeeded: `yes` | `no`
- Row count checks performed:

## Results

- A01 protected route unauthenticated check: `pass` | `fail`
- A01 spoofed header check: `pass` | `fail`
- A01 admin rollover exposure check: `pass` | `fail`
- A01 automated suite (`auth` + `account-delete` + `admin-rollover`): `pass` | `fail`
- A02 dedicated suite (`security-misconfiguration`): `pass` | `fail`
- A03 dedicated suite (`software-supply-chain-failures`): `pass` | `fail`
- A04 dedicated suites (`cryptographic-failures*`): `pass` | `fail`
- A05 dedicated suite (`injection-safety`): `pass` | `fail`
- A06 dedicated suite (`insecure-design`): `pass` | `fail`
- A07 dedicated suites (`auth.routes` + `identification-auth-failures`): `pass` | `fail`
- A08 dedicated suite (`software-data-integrity-failures`): `pass` | `fail`
- A09 dedicated suite (`security-logging-monitoring-failures`): `pass` | `fail`
- A10 dedicated suite (`server-side-request-forgery`): `pass` | `fail`
- Non-DB security suite (`SECURITY_DB_TESTS=0`): `pass` | `fail`
- DB security suite (`SECURITY_DB_TESTS=1`): `pass` | `fail`

## Findings

- New issues observed:
- Regressions observed:
- Follow-up tickets:
- Data recovery status:
- Admin user bootstrap status:

## Residual Risk Review

- Reviewed `residual-risk-backlog.md`: `yes` | `no`
- Items accepted for this release:
- Items escalated/blocked:

## Sign-off

- Security reviewer:
- Engineering owner:
- Decision: `approved` | `blocked`