# Verixa Pentest — Canonical Source of Truth Register

| Field | Value |
|---|---|
| **Document ID** | VRX-SEC-PENTEST-CANON-001 |
| **Version** | v8.1 |
| **Effective Date** | June 2026 |
| **Supersedes** | v8.0 canonical state (implicit — no prior standalone canonical file) |
| **Owner** | [REQUIRED BEFORE SIGN-OFF: Security Lead — full name and title] |
| **Approver** | [REQUIRED BEFORE SIGN-OFF: QA Head — full name and title] |
| **Change Control Reference** | [REQUIRED BEFORE SIGN-OFF: URS-13 change control record number] |
| **Storage Location** | 02_Workspace/Verixa Workspace/Verixa Security/ — version-controlled |
| **SHA-256 Hash** | [REQUIRED BEFORE SIGN-OFF: compute after final sign-off: `sha256sum CANONICAL_REGISTER.md`] |
| **Approval Signature** | [REQUIRED BEFORE SIGN-OFF: QA Head wet or e-signature, date] |
| **Next Review Date** | [REQUIRED BEFORE SIGN-OFF: date of next annual retest kick-off or URS-13 change event] |

**THIS FILE IS THE SINGLE SOURCE OF TRUTH.**
Both the markdown plan and HTML execution guide must be generated from this file.
Any discrepancy between this file and any other document: this file governs.
Changes to this file require a new change control record under URS-13.

---

## CANONICAL KNOWN DEFECT REGISTER (6 defects)

| KD-ID | Title | Severity | Regulatory Reference | PENTEST IDs |
|---|---|---|---|---|
| KD-001 | 4 authority profiles gate incorrectly — profiles allow actions they are configured to prevent | High | 21 CFR 11.10(d); EU Annex 11 §12 | AUTH-P-07 |
| KD-002 | Audit trail hash unkeyed SHA-256 + TenantId excluded from hash payload | **Critical** | 21 CFR 11.10(e); ALCOA+ Original; EU Annex 11 §9 | AUDIT-03, AUDIT-05 |
| KD-003a | AI gateway user-supplied systemPrompt; all 10 prompt injection tests describe.skip | High | OWASP LLM01; EU Annex 22 §7; EU AI Act Art. 13 | AI-01, AI-03, AI-09 |
| KD-003b | overrideResult() writes LLM text to GxP fields without e-sig + no HITL gate | **Critical** | QS-21; 21 CFR 11.50; EU Annex 22 §7; ALCOA+ Attributable | AI-10, AI-11, AI-12 |
| KD-004 | Webhook SSRF: user-supplied webhook_url, only format validation, no IP/hostname blocklist | High | OWASP API8:2023; ASVS V10.3.2 | SSRF-01, SSRF-02, SSRF-03 |
| KD-005 | Background job RBAC: suspected missing guards on 31 job endpoints | High | QS-7; 21 CFR 11.10(d) | JOB-01, JOB-02, JOB-03, JOB-04 |

**Pre-confirmed Critical count: 2 (KD-002, KD-003b)**
**Pre-confirmed High count: 4 (KD-001, KD-003a, KD-004, KD-005)**
**Total pre-registered PENTEST findings: PENTEST-001 through PENTEST-006**

---

## CANONICAL GO-LIVE GATE LIST (9 gates)

| Gate | Requirement | Notes |
|---|---|---|
| G-1 | Zero Critical-severity findings open | KD-002 and KD-003b both fall under G-1 |
| G-2 | Zero High-severity findings open. Exception: QA-signed risk acceptance per finding, non-GxP surface only | No 30-day grace period. Any open High on GxP surface = blocked regardless of age |
| G-3 | All Critical/High KD findings: confirmed remediation evidence + retest Pass recorded | Covers KD-001, KD-002, KD-003a, KD-003b, KD-004, KD-005 |
| G-4 | Pentest final report delivered, QA-reviewed, Security Lead–accepted | D-2 formally accepted |
| G-5 | KD-002 retest Pass evidence on file | HMAC-SHA256 keyed; TenantId in payload; chain verification confirmed |
| G-6 | KD-003b CAPA closed; retest Pass evidence on file | E-sig gate active; HITL gate enforced before overrideResult() writes |
| G-7 | IMP-02/IMP-03 impersonation audit attribution evidence filed and QA-approved | Tests confirm impersonated actions attributed to impersonator, not subject |
| G-8 | ESIG-09b concurrent signing token reuse — retest evidence on file | 21 CFR 11.200 signing integrity |
| G-9 | HITL active and confirmed for ALL critical AI paths | Evidence: HITL config table + executed workflow showing AI output → human review → e-sig |

---

## CANONICAL TEST ACCOUNT LIST (11 accounts)

| # | Username | Role | Tenant | Purpose |
|---|---|---|---|---|
| 1 | pentest-superadmin@verixa-test.internal | super_admin | Platform | Highest privilege escalation target |
| 2 | pentest-platformadmin@verixa-test.internal | platform_admin | Platform | Platform-level administration |
| 3 | pentest-admin-t1@verixa-test.internal | admin | Tenant A | Tenant A administration |
| 4 | pentest-qualitylead-t1@verixa-test.internal | quality_lead | Tenant A | Tenant A QA workflows |
| 5 | pentest-reviewer-t1@verixa-test.internal | reviewer | Tenant A | Tenant A reviewer workflows |
| 6 | pentest-auditor-t1@verixa-test.internal | auditor | Tenant A | Audit-read access testing |
| 7 | pentest-viewer-t1@verixa-test.internal | viewer | Tenant A | Minimum privilege read-only |
| 8 | pentest-admin-t2@verixa-test.internal | admin | Tenant B | Cross-tenant isolation testing |
| 9 | pentest-reviewer-t2@verixa-test.internal | reviewer | Tenant B | Cross-tenant isolation testing |
| 10 | pentest-viewer-t2@verixa-test.internal | viewer | Tenant B | Cross-tenant isolation testing |
| 11 | pentest-notenantmember@verixa-test.internal | (no membership) | None | Unauthenticated / tenant-less access |

**Total: 11 accounts. v8.0 plan listed 10 — auditor (TA-06) and no-tenant account were missing. Restored in v8.1.**

---

## CANONICAL PHASE MODEL (10 phases, Phase 0–9)

| Phase | Name | Duration | Key Output |
|---|---|---|---|
| Phase 0 | Pre-Engagement Setup | Week 1 (before Day 1) | Signed authorization, all accounts provisioned, baseline counts |
| Phase 1 | Reconnaissance and Surface Mapping | Days 1–3 | Site map, open ports, TLS report, route baseline |
| Phase 2 | Authentication and Session Testing | Days 3–5 | AUTH/IMP/ESIG/CRED findings |
| Phase 3 | Authorization and Tenant Isolation | Days 5–10 | RBAC/TENANT/BL findings |
| Phase 4 | Injection and Input Validation | Days 8–12 | INJ/XSS/IV findings |
| Phase 5 | Audit Trail and GxP Compliance | Days 10–14 | AUDIT/COMP/white-box findings |
| Phase 6 | AI/ML and Background Job Testing | Days 12–16 | AI/JOB/API findings |
| Phase 7 | Infrastructure, Secrets, Configuration | Days 14–18 | SEC/CLOUD/INT/CICD/DATA/FE findings |
| Phase 8 | Known Defect Exploitation Attempts | Days 16–20 | KD-001, KD-002, KD-003a, KD-003b, KD-004, KD-005 exploitation confirmation |
| Phase 9 | Reporting and Knowledge Transfer | Days 20–26 | D-1 through D-7 deliverables, go-live gate assessment |

**Total: 10 phases (Phase 0 through Phase 9). HTML must say "10 phases (Phase 0–9)", not "7 phases".**

---

## CANONICAL TEST CASE COUNT

- v7 original claimed: 180
- v8.0 grep-counted unique IDs: ~153
- v8.1 target: reconcile to an exact verified count
- **Until reconciled: state "153 numbered test case IDs across 22 attack surfaces (pending full inventory reconciliation — see Appendix C)"**
- Do NOT claim 180 without a verified test inventory matrix.

---

## ADDITIONAL BACKGROUND JOB TESTS (v8.1 addition)

| ID | Test | Method | Pass Criteria |
|---|---|---|---|
| JOB-05 | Audit trail verification for mutating background jobs | Runtime + psql | Each mutating job produces an audit_log entry with correct tenantId, userId (system account), action, and timestamp |
| JOB-06 | Tenant isolation for cross-tenant jobs | Runtime + psql | Jobs operating on tenant data use TDAL context; no cross-tenant data leakage |
| JOB-07 | Queue payload validation | Automated + Manual | Malformed/oversized queue payloads rejected with 400/422; no unhandled 500; no data corruption |

---

## HTML NON-EVIDENCE BANNER (mandatory in HTML)

> ⚠️ **OPERATIONAL GUIDE ONLY — NOT CONTROLLED EVIDENCE**
> This document is a reference guide for execution planning. It cannot be used to demonstrate Phase 0 completion, go-live gate satisfaction, or pentest authorization. All evidence must be signed, version-controlled, hashed, and retained under document control per Section 7 of the pentest plan. The controlled record is the signed pentest plan (v8.1) and deliverables D-1 through D-7.

---

## REGULATORY LANGUAGE CORRECTION (for HTML)

**Do not use:** "Regulators require documented evidence that security controls were tested before go-live."
**Use instead:** "Pentest evidence supports the validation and security assurance program. The specific regulatory expectation depends on the system's risk classification, intended use, and the agreed validation strategy documented in the overall validation plan."

