
Security Review Quickstart

Use this checklist to validate DriftGate control-plane claims in under 10 minutes.

1) Verify Auth Contract

  • Runtime endpoints require bearer session auth:
    • POST /v4/sessions.start
    • POST /v4/sessions/{sessionId}/executions.execute
    • POST /v4/execute
  • Admin/config operations use service-account API key auth:
    • x-driftgate-api-key: dgk_...
  • A dg_sa_* value is never a credential secret.

Reference: Auth + Token Contract

2) Verify Admin Boundary

  • admin.driftgate.ai is DriftGate internal-only.
  • Workspace admins in app.driftgate.ai do not get platform-admin access by default.

Reference: Operator Auth + Token Runbook

3) Verify Token Lifecycle Controls

  1. Create service account in Access Control.
  2. Mint token and copy dgk_* secret once.
  3. Confirm an admin/config call succeeds (for example, a policies list call).
  4. Revoke token and confirm subsequent call is rejected.

4) Verify Runtime Credential Separation

  • Confirm runtime commands reject a dgk_* key with AUTH_INVALID or a missing-session-token error.
  • Confirm runtime commands succeed with the session token issued by driftgate login.
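The auth contract behind checks 1, 3 and 4 can be graded mechanically. The module below is an added example, not DriftGate's own code: it encodes the contract (runtime endpoints accept only a bearer session token, admin/config accepts only a dgk_* key in x-driftgate-api-key, dg_sa_* and revoked tokens are never accepted) and compares observed probe results against it. It assumes session tokens travel in an Authorization: Bearer header and that rejections arrive as HTTP 401/403; neither is stated on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

RUNTIME_ENDPOINTS = [  # runtime endpoints from check 1; anything else is admin/config
    re.compile(r"^POST /v4/sessions\.start$"),
    re.compile(r"^POST /v4/sessions/[^/]+/executions\.execute$"),
    re.compile(r"^POST /v4/execute$"),
]

@dataclass(frozen=True)
class Probe:
    endpoint: str                  # "METHOD /path" as sent
    header: str | None             # "authorization" | "x-driftgate-api-key" | None
    credential: str | None         # header value presented, None for anonymous
    status: int                    # observed HTTP status
    error_code: str | None = None  # observed error code, e.g. "AUTH_INVALID"
    revoked: bool = False          # credential was revoked before the probe

def is_runtime(endpoint: str) -> bool:
    return any(p.match(endpoint) for p in RUNTIME_ENDPOINTS)

def classify(header: str | None, credential: str | None) -> str:
    """Map what the probe presented onto the contract's credential classes."""
    if header is None or credential is None:
        return "none"
    token = credential.removeprefix("Bearer ") if header == "authorization" else credential
    if token.startswith("dg_sa_"):
        return "sa_id"          # service-account id: never a secret, never accepted
    if token.startswith("dgk_"):  # an API key only counts in its own header
        return "api_key" if header == "x-driftgate-api-key" else "misplaced_key"
    if header == "authorization" and credential.startswith("Bearer "):
        return "session"        # assumption: session tokens ride in a Bearer header
    return "none"

def should_accept(endpoint: str, cred_class: str, revoked: bool) -> bool:
    if revoked:
        return False            # check 3: a revoked token must fail everywhere
    return cred_class == ("session" if is_runtime(endpoint) else "api_key")

def check(probe: Probe) -> bool:
    # True when the observed outcome matches what the contract requires.
    want = should_accept(probe.endpoint, classify(probe.header, probe.credential), probe.revoked)
    got = 200 <= probe.status < 300
    if not want and probe.status not in (401, 403):
        return False            # assumption: rejections are 401/403; a 500 is a finding
    return want == got

def review(probes) -> str:
    # Checklist verdict over a batch of probes: any violation is NO-GO.
    return "GO" if all(check(p) for p in probes) else "NO-GO"
```

Feed it the results of the manual probes from checks 3 and 4 (one Probe per request you sent) and a NO-GO pinpoints the request whose outcome contradicts the contract.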

5) Verify Evidence Packet

  • Launch gate summary: tmp/release-gate/out/release-gate-summary.json
  • Launch evidence packet: tmp/launch-evidence/launch-evidence-<sha>.json
  • Runtime security checks: run evidence from prod-runtime-security, prod-smoke, and cutover-drills

If any of the five checks above fails, treat the release status as NO-GO.
