D10 Watcher / Security

Security dashboard

Live posture for runtime access, evidence integrity, AVSEC redaction, and policy drift.

watcher online
Guardrail statusEnforced

P05 audit append-before-publish and M17 redaction gates are active.

Open critical findings0

No critical AVSEC, identity, or audit-chain exception is waiting on triage.

Evidence freshness14 min

Newest security signal is inside the watcher freshness SLA.

Policy driftBlocked

Runtime contracts reject unsigned policy and schema changes.

Control families

Enforcement matrix

1 watch item
ControlRuntime checkStatus
Identity boundaryService accounts scoped by tenant, role, and workflow action.Pass
Audit durabilitySecurity mutations must anchor to immutable P05 evidence before publish.Pass
Payload redactionClassified AVSEC and SMS identity fields are stripped at projection time.Pass
Runtime policyCedar-style authorization checks are required on dispatch and safety actions.Pass
Operator accessPrivileged console paths require dual authorization and recent session proof.Watch

Recent watcher signals

Security event stream

4 signals verified
TimeSignalFindingOutcome
10:42 UTCavsec.redaction.probeSynthetic classified field removed before dashboard projection.Cleared
10:39 UTCidentity.session.reviewTwo elevated sessions expired without renewal.Cleared
10:35 UTCaudit.anchor.verifyP05 hash chain matched all watched security events.Cleared
10:28 UTCpolicy.bundle.diffUnsigned local policy bundle rejected by watcher validation.Blocked
Security dashboard | AXIOM