@kaademos/secure-sdlc 1.0.0

package/cli/src/commands/status.js

@@ -0,0 +1,122 @@
+import { existsSync, readFileSync } from "fs";
+import { join, resolve } from "path";
+import chalk from "chalk";
+import { printBanner } from "../utils/banner.js";
+import { detectStack } from "../utils/stack-detect.js";
+
+const PHASES = ["PLAN", "DESIGN", "BUILD", "TEST", "RELEASE"];
+
+const PHASE_ARTEFACTS = {
+  PLAN:    ["docs/security-requirements.md", "docs/risk-register.md"],
+  DESIGN:  ["docs/threat-model.md", "docs/infra-security-review.md"],
+  BUILD:   ["docs/sast-findings.md"],
+  TEST:    ["docs/test-security-report.md"],
+  RELEASE: ["docs/release-security-sign-off.md"],
+};
+
+const PHASE_AGENTS = {
+  PLAN:    ["product-manager", "grc-analyst"],
+  DESIGN:  ["appsec-engineer", "cloud-platform-engineer"],
+  BUILD:   ["dev-lead", "appsec-engineer"],
+  TEST:    ["appsec-engineer", "dev-lead", "grc-analyst"],
+  RELEASE: ["release-manager", "grc-analyst", "cloud-platform-engineer"],
+};
+
+const PHASE_COLORS = {
+  PLAN:    chalk.blue,
+  DESIGN:  chalk.magenta,
+  BUILD:   chalk.yellow,
+  TEST:    chalk.cyan,
+  RELEASE: chalk.green,
+};
+
+function isTemplate(filePath) {
+  try {
+    const content = readFileSync(filePath, "utf-8");
+    return (
+      content.includes("[Feature Name]") ||
+      content.includes("[YYYY-MM-DD]") ||
+      content.includes("[Brief description") ||
+      content.includes("## Feature: [")
+    );
+  } catch {
+    return false;
+  }
+}
+
+export default async function status(options) {
+  const projectRoot = resolve(options.path || process.cwd());
+
+  printBanner();
+
+  const stack = detectStack(projectRoot);
+  console.log(chalk.bold(`Project: ${projectRoot}`));
+  if (stack.name !== "unknown") {
+    console.log(chalk.dim(`Stack: ${stack.display}\n`));
+  }
+
+  let currentPhase = null;
+  let phaseComplete = {};
+
+  console.log(chalk.bold("SDLC Phase Status\n"));
+
+  for (const phase of PHASES) {
+    const artefacts = PHASE_ARTEFACTS[phase];
+    const colorFn = PHASE_COLORS[phase];
+    let allPresent = true;
+    let results = [];
+
+    for (const rel of artefacts) {
+      const abs = join(projectRoot, rel);
+      const exists = existsSync(abs);
+      const template = exists && isTemplate(abs);
+
+      results.push({ rel, exists, template });
+      if (!exists || template) allPresent = false;
+    }
+
+    phaseComplete[phase] = allPresent;
+    if (!currentPhase && !allPresent) currentPhase = phase;
+
+    const phaseLabel = colorFn(` ${phase} `);
+    const status = allPresent
+      ? chalk.green("✓ COMPLETE")
+      : results.some((r) => r.exists && !r.template)
+        ? chalk.yellow("◑ IN PROGRESS")
+        : chalk.dim("○ NOT STARTED");
+
+    console.log(`  ${phaseLabel} ${status}`);
+
+    for (const r of results) {
+      const icon = r.exists && !r.template ? chalk.green("✓") : r.exists && r.template ? chalk.yellow("~") : chalk.dim("○");
+      const label = r.exists && r.template ? chalk.dim(`${r.rel} (template — not filled)`) : chalk.dim(r.rel);
+      console.log(`      ${icon} ${label}`);
+    }
+    console.log();
+  }
+
+  // Current phase recommendation
+  if (currentPhase) {
+    console.log(chalk.bold(`Current phase: ${PHASE_COLORS[currentPhase](currentPhase)}\n`));
+    console.log(chalk.bold("Agents to invoke:"));
+    PHASE_AGENTS[currentPhase].forEach((a) => {
+      console.log(chalk.dim(`  • ${a}`));
+    });
+    console.log();
+    console.log(chalk.bold("Quick start:"));
+    console.log(chalk.dim(`  secure-sdlc kickoff    # Interactive wizard`));
+    console.log(chalk.dim(`  secure-sdlc review     # Security review current changes`));
+
+    if (currentPhase === "RELEASE") {
+      console.log(chalk.dim(`  secure-sdlc gate v1.0.0  # Run pre-release security gate`));
+    }
+  } else {
+    console.log(chalk.bold.green("All phases complete. Project is release-gated.\n"));
+  }
+
+  // Check for config
+  const configPath = join(projectRoot, "secure-sdlc.yaml");
+  if (!existsSync(configPath)) {
+    console.log(chalk.yellow("\n⚠  No secure-sdlc.yaml found. Run: secure-sdlc init\n"));
+  }
+}

package/cli/src/utils/banner.js

@@ -0,0 +1,43 @@
+import chalk from "chalk";
+
+export function printBanner() {
+  console.log(
+    chalk.bold.cyan(`
+ ███████╗███████╗ ██████╗██╗   ██╗██████╗ ███████╗
+ ██╔════╝██╔════╝██╔════╝██║   ██║██╔══██╗██╔════╝
+ ███████╗█████╗  ██║     ██║   ██║██████╔╝█████╗  
+ ╚════██║██╔══╝  ██║     ██║   ██║██╔══██╗██╔══╝  
+ ███████║███████╗╚██████╗╚██████╔╝██║  ██║███████╗
+ ╚══════╝╚══════╝ ╚═════╝ ╚═════╝ ╚═╝  ╚═╝╚══════╝
+`)
+  );
+  console.log(chalk.dim(" SDLC Agents — Security at every step of the build\n"));
+}
+
+export function printPhase(phase, description) {
+  const phases = {
+    PLAN:    chalk.bgBlue.white,
+    DESIGN:  chalk.bgMagenta.white,
+    BUILD:   chalk.bgYellow.black,
+    TEST:    chalk.bgCyan.black,
+    RELEASE: chalk.bgGreen.black,
+  };
+  const colorFn = phases[phase] || chalk.bgGray.white;
+  console.log(`\n${colorFn(` ${phase} `)} ${chalk.bold(description)}\n`);
+}
+
+export function printSuccess(msg) {
+  console.log(chalk.green(`✓ ${msg}`));
+}
+
+export function printWarn(msg) {
+  console.log(chalk.yellow(`⚠ ${msg}`));
+}
+
+export function printError(msg) {
+  console.log(chalk.red(`✗ ${msg}`));
+}
+
+export function printInfo(msg) {
+  console.log(chalk.dim(`  ${msg}`));
+}

package/cli/src/utils/package-root.js

@@ -0,0 +1,23 @@
+import { fileURLToPath } from "url";
+import { dirname, join } from "path";
+import { existsSync } from "fs";
+
+/**
+ * Directory where this npm package is installed (contains cli/, mcp/, docs/templates/, …).
+ * Works for: git clone, npm install -g @kaademos/secure-sdlc, and npx.
+ */
+export function getPackageRoot() {
+  const here = dirname(fileURLToPath(import.meta.url));
+  // cli/src/utils/package-root.js → ../../../ = package root
+  const root = join(here, "..", "..", "..");
+  const marker = join(root, "cli", "bin", "secure-sdlc.js");
+  if (existsSync(marker)) {
+    return root;
+  }
+  // Fallback: walk up from cwd (e.g. unusual symlinks)
+  return root;
+}
+
+export function getMcpServerPath() {
+  return join(getPackageRoot(), "mcp", "src", "server.js");
+}

package/cli/src/utils/phase-detect.js

@@ -0,0 +1,107 @@
+import { existsSync, statSync } from "fs";
+import { join } from "path";
+import { execSync } from "child_process";
+
+const ARTEFACTS = {
+  PLAN:    ["docs/security-requirements.md", "docs/risk-register.md"],
+  DESIGN:  ["docs/threat-model.md", "docs/infra-security-review.md"],
+  BUILD:   ["docs/sast-findings.md"],
+  TEST:    ["docs/test-security-report.md"],
+  RELEASE: ["docs/release-security-sign-off.md", "docs/audit-evidence"],
+};
+
+/**
+ * Check which SDLC artefacts are present in the project.
+ * Returns a detailed status object.
+ */
+export function getSDLCStatus(projectRoot) {
+  const status = {};
+
+  for (const [phase, files] of Object.entries(ARTEFACTS)) {
+    const results = files.map((rel) => {
+      const abs = join(projectRoot, rel);
+      const exists = existsSync(abs);
+      let isTemplate = false;
+
+      if (exists && !rel.endsWith("/") && !rel.includes("audit-evidence")) {
+        try {
+          const { readFileSync } = require("fs");
+          const content = readFileSync(abs, "utf-8");
+          // Detect unfilled templates — they still have [PLACEHOLDER] markers
+          isTemplate = content.includes("[YYYY-MM-DD]") || content.includes("[Feature Name]");
+        } catch {
+          // ignore
+        }
+      }
+
+      return { path: rel, exists, isTemplate };
+    });
+
+    const allPresent    = results.every((r) => r.exists);
+    const somePresent   = results.some((r) => r.exists);
+    const allFilled     = results.every((r) => r.exists && !r.isTemplate);
+
+    status[phase] = {
+      files: results,
+      allPresent,
+      somePresent,
+      allFilled,
+      complete: allPresent && allFilled,
+    };
+  }
+
+  return status;
+}
+
+/**
+ * Detect current SDLC phase based on git state and artefact presence.
+ */
+export function detectCurrentPhase(projectRoot) {
+  const status = getSDLCStatus(projectRoot);
+
+  // Walk phases in order — the current phase is the first incomplete one
+  const order = ["PLAN", "DESIGN", "BUILD", "TEST", "RELEASE"];
+
+  for (const phase of order) {
+    if (!status[phase].complete) {
+      return { current: phase, status };
+    }
+  }
+
+  return { current: "COMPLETE", status };
+}
+
+/**
+ * Get the next recommended action based on phase state.
+ */
+export function getNextAction(phase, status) {
+  const actions = {
+    PLAN: {
+      command: 'claude --agent product-manager "Define security requirements for [your feature]"',
+      mcp: "sdlc_plan_feature",
+      description: "Generate ASVS-mapped security requirements and risk register",
+    },
+    DESIGN: {
+      command: 'claude --agent appsec-engineer "Threat model [your architecture] using STRIDE"',
+      mcp: "sdlc_threat_model",
+      description: "Run STRIDE threat model and infrastructure security review",
+    },
+    BUILD: {
+      command: 'claude --agent dev-lead "Review PR #[N] for security issues"',
+      mcp: "sdlc_review_pr",
+      description: "Security review pull requests and triage SAST findings",
+    },
+    TEST: {
+      command: 'claude --agent appsec-engineer "Interpret DAST findings: [findings]"',
+      mcp: "sdlc_triage_sast",
+      description: "Interpret DAST/pentest results and collect audit evidence",
+    },
+    RELEASE: {
+      command: 'claude --agent release-manager "Run pre-release security checklist for v[X.Y.Z]"',
+      mcp: "sdlc_release_gate",
+      description: "Run go/no-go security gate and produce compliance attestation",
+    },
+  };
+
+  return actions[phase] || null;
+}

package/cli/src/utils/stack-detect.js

@@ -0,0 +1,138 @@
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+
+/**
+ * Detect the technology stack from a project directory.
+ * Returns a stack profile name used to load appropriate security guidance.
+ */
+export function detectStack(projectRoot) {
+  const has = (file) => existsSync(join(projectRoot, file));
+
+  // Node / JavaScript / TypeScript
+  if (has("package.json")) {
+    const pkg = JSON.parse(readFileSync(join(projectRoot, "package.json"), "utf-8"));
+    const deps = {
+      ...pkg.dependencies,
+      ...pkg.devDependencies,
+    };
+
+    if (deps["next"])         return { name: "nextjs",    display: "Next.js",     language: "TypeScript/JavaScript" };
+    if (deps["nuxt"])         return { name: "nuxt",      display: "Nuxt.js",     language: "TypeScript/JavaScript" };
+    if (deps["@remix-run/node"]) return { name: "remix",  display: "Remix",       language: "TypeScript/JavaScript" };
+    if (deps["astro"])        return { name: "astro",     display: "Astro",       language: "TypeScript/JavaScript" };
+    if (deps["express"])      return { name: "express",   display: "Express.js",  language: "JavaScript" };
+    if (deps["fastify"])      return { name: "fastify",   display: "Fastify",     language: "TypeScript/JavaScript" };
+    if (deps["@nestjs/core"]) return { name: "nestjs",    display: "NestJS",      language: "TypeScript" };
+    if (deps["hono"])         return { name: "hono",      display: "Hono",        language: "TypeScript" };
+
+    return { name: "nodejs",  display: "Node.js",      language: "JavaScript/TypeScript" };
+  }
+
+  // Python
+  if (has("pyproject.toml") || has("requirements.txt") || has("setup.py") || has("Pipfile")) {
+    const pyfiles = ["pyproject.toml", "requirements.txt", "Pipfile"].map(f =>
+      has(f) ? readFileSync(join(projectRoot, f), "utf-8") : ""
+    ).join("\n");
+
+    if (pyfiles.includes("fastapi"))  return { name: "fastapi", display: "FastAPI",  language: "Python" };
+    if (pyfiles.includes("django"))   return { name: "django",  display: "Django",   language: "Python" };
+    if (pyfiles.includes("flask"))    return { name: "flask",   display: "Flask",    language: "Python" };
+    if (pyfiles.includes("litestar")) return { name: "litestar",display: "Litestar", language: "Python" };
+
+    return { name: "python",  display: "Python",     language: "Python" };
+  }
+
+  // Ruby
+  if (has("Gemfile")) {
+    const gemfile = readFileSync(join(projectRoot, "Gemfile"), "utf-8");
+    if (gemfile.includes("rails")) return { name: "rails", display: "Ruby on Rails", language: "Ruby" };
+    if (gemfile.includes("sinatra")) return { name: "sinatra", display: "Sinatra", language: "Ruby" };
+    return { name: "ruby", display: "Ruby", language: "Ruby" };
+  }
+
+  // Go
+  if (has("go.mod")) {
+    const gomod = readFileSync(join(projectRoot, "go.mod"), "utf-8");
+    if (gomod.includes("gin-gonic/gin"))   return { name: "gin",   display: "Gin (Go)",  language: "Go" };
+    if (gomod.includes("labstack/echo"))   return { name: "echo",  display: "Echo (Go)", language: "Go" };
+    if (gomod.includes("gofiber/fiber"))   return { name: "fiber", display: "Fiber (Go)",language: "Go" };
+    return { name: "golang", display: "Go", language: "Go" };
+  }
+
+  // Java / Kotlin / JVM
+  if (has("pom.xml")) {
+    const pom = readFileSync(join(projectRoot, "pom.xml"), "utf-8");
+    if (pom.includes("spring-boot")) return { name: "spring-boot", display: "Spring Boot", language: "Java/Kotlin" };
+    return { name: "java", display: "Java", language: "Java" };
+  }
+  if (has("build.gradle") || has("build.gradle.kts")) {
+    return { name: "java", display: "Gradle/JVM", language: "Java/Kotlin" };
+  }
+
+  // Rust
+  if (has("Cargo.toml")) return { name: "rust", display: "Rust", language: "Rust" };
+
+  // Infrastructure-only
+  if (has("main.tf") || has("terraform.tf")) return { name: "terraform", display: "Terraform", language: "HCL" };
+  if (has("Chart.yaml")) return { name: "helm", display: "Helm Chart", language: "YAML" };
+
+  return { name: "unknown", display: "Unknown", language: "Unknown" };
+}
+
+/**
+ * Returns the top security considerations for a given stack.
+ */
+export function getStackSecurityNotes(stackName) {
+  const notes = {
+    nextjs: [
+      "Review Server Actions for CSRF and authorisation — they're POST endpoints by default",
+      "Ensure API routes in app/api/ validate auth on every request — no route-level middleware by default",
+      "Use next/headers to read cookies server-side — avoid exposing auth tokens to client components",
+      "Review CORS config in next.config.js — wildcard origins are dangerous on API routes",
+      "Server Components can access secrets but ensure no secrets leak into Client Component props",
+      "Validate Zod schemas server-side on all Server Action inputs, even if validated client-side",
+    ],
+    express: [
+      "Use helmet middleware for security headers (CSP, HSTS, X-Frame-Options)",
+      "Never trust req.body without validation — use express-validator or zod",
+      "Avoid req.body[key] concatenation in queries — always use parameterised queries",
+      "Set trust proxy correctly if behind a load balancer (affects rate limiting by IP)",
+      "Disable X-Powered-By: Express header (helmet does this)",
+    ],
+    django: [
+      "Use Django's built-in CSRF middleware — never disable it for API endpoints without CORS-based protection",
+      "Use Django ORM querysets — avoid .raw() without parameterisation",
+      "DEBUG must be False in production; ALLOWED_HOSTS must be explicitly set",
+      "Use django-environ or similar for secrets — never commit SECRET_KEY to source",
+      "SECURE_SSL_REDIRECT, SECURE_HSTS_SECONDS, SESSION_COOKIE_SECURE must be True in production",
+    ],
+    fastapi: [
+      "Use Depends() for auth on every endpoint — there is no global auth middleware by default",
+      "Validate all path and query parameters with Pydantic — FastAPI does this if types are annotated",
+      "Never use 'response_model=None' to bypass output filtering on sensitive endpoints",
+      "Use OAuth2PasswordBearer with proper scope checking — not just token presence",
+      "CORS: set allow_origins explicitly, never use '*' for authenticated APIs",
+    ],
+    rails: [
+      "Rails has CSRF protection by default — never use protect_from_forgery :null_session on non-API controllers",
+      "Use strong parameters everywhere — never pass params directly to model methods",
+      "Rails 7+ uses encrypted credentials — use rails credentials:edit, never ENV vars for secrets in production",
+      "Audit before_action filters for auth — ensure every controller action is covered",
+      "Brakeman is the standard Rails SAST tool — run on every PR",
+    ],
+    terraform: [
+      "Pin provider versions with ~> constraints, not latest",
+      "Use terraform-aws-modules/terraform-google-modules — don't write IAM from scratch",
+      "Never use wildcard permissions (actions = ['*'])",
+      "Use tfsec or Checkov in CI for IaC scanning",
+      "Store state in encrypted remote backends — never commit .tfstate to git",
+    ],
+  };
+
+  return notes[stackName] || [
+    "Apply OWASP ASVS L2 as the baseline security requirements",
+    "Validate all inputs server-side — never trust client-supplied data",
+    "Use parameterised queries — never string-concatenate user input into queries",
+    "Store secrets in a secrets manager, not in code or environment files committed to git",
+  ];
+}

package/docs/templates/compliance-attestation.md

@@ -0,0 +1,159 @@
+# Compliance Attestation — v[X.Y.Z]
+
+**Release version:** v[X.Y.Z]
+**Date:** [YYYY-MM-DD]
+**Author:** GRC Analyst Agent + [Human GRC lead]
+**Frameworks in scope:** [SOC 2 / ISO 27001 / NIST CSF / PCI DSS / GDPR — delete inapplicable]
+**Status:** Draft / Review / Approved
+
+---
+
+## Scope
+
+**Systems and services covered by this attestation:**
+[List the systems, APIs, data stores, and infrastructure components in scope for this release]
+
+**Data in scope:**
+[Describe what categories of data are processed — PII, payment data, health data, etc.]
+
+**Frameworks assessed:**
+[List frameworks and the specific version or edition — e.g. SOC 2 Trust Services Criteria 2017,
+ISO/IEC 27001:2022 Annex A, NIST CSF 2.0]
+
+---
+
+## Control Status by Framework
+
+### SOC 2 — Trust Services Criteria
+
+| Criteria | Control Description | Status | Evidence Reference | Notes |
+|----------|--------------------|---------|--------------------|-------|
+| CC6.1 | Logical access controls restrict access to information assets | ✅ Met / ⚠️ Gap / 🚫 Fail | `docs/audit-evidence/` | |
+| CC6.2 | New internal and external users provisioned with appropriate access | | | |
+| CC6.3 | Access removed when no longer required | | | |
+| CC6.6 | Logical access restrictions meet security requirements | | | |
+| CC6.7 | Transmission of data restricted to authorised parties | | | |
+| CC7.1 | Vulnerabilities in system components detected | | | |
+| CC7.2 | Security incidents identified and managed | | | |
+| CC8.1 | Changes authorised, designed, and implemented to meet objectives | | | |
+| CC9.1 | Risk assessment process identifies and manages risks | | | |
+
+*Add or remove rows based on applicable Trust Services Criteria for your engagement.*
+
+---
+
+### ISO/IEC 27001:2022 — Annex A
+
+| Control | Name | Status | Evidence Reference | Notes |
+|---------|------|--------|--------------------|-------|
+| A.5.15 | Access control | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| A.5.17 | Authentication information | | | |
+| A.8.5 | Secure authentication | | | |
+| A.8.7 | Protection against malware | | | |
+| A.8.9 | Configuration management | | | |
+| A.8.15 | Logging | | | |
+| A.8.20 | Networks security | | | |
+| A.8.24 | Use of cryptography | | | |
+| A.8.25 | Secure development lifecycle | | | |
+| A.8.26 | Application security requirements | | | |
+| A.8.27 | Secure system architecture and engineering principles | | | |
+| A.8.28 | Secure coding | | | |
+| A.8.29 | Security testing in development and acceptance | | | |
+
+*Extend with additional Annex A controls relevant to the systems in scope.*
+
+---
+
+### NIST CSF 2.0
+
+| Function | Category | Status | Evidence Reference | Notes |
+|----------|----------|--------|--------------------|-------|
+| Govern | GV.OC — Organisational context | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| Identify | ID.AM — Asset management | | | |
+| Protect | PR.AC — Identity management and access control | | | |
+| Protect | PR.DS — Data security | | | |
+| Protect | PR.IP — Information protection processes | | | |
+| Detect | DE.CM — Security continuous monitoring | | | |
+| Respond | RS.RP — Response planning | | | |
+| Recover | RC.RP — Recovery planning | | | |
+
+---
+
+### PCI DSS v4.0 *(complete only if payment card data is in scope)*
+
+| Requirement | Description | Status | Evidence Reference | Notes |
+|-------------|-------------|--------|--------------------|-------|
+| 2.2 | System components configured securely | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| 3.5 | Primary account number secured | | | |
+| 4.2 | PAN protected during transmission | | | |
+| 6.2 | Bespoke software developed securely | | | |
+| 6.3 | Security vulnerabilities identified and addressed | | | |
+| 7.2 | Access controlled based on need to know | | | |
+| 8.2 | User identification and authentication | | | |
+| 10.2 | Audit logs implemented | | | |
+| 11.3 | External and internal penetration testing | | | |
+
+---
+
+### GDPR / UK GDPR *(complete only if personal data of EU/UK residents is processed)*
+
+| Article / Principle | Description | Status | Evidence Reference | Notes |
+|--------------------|-------------|--------|--------------------|-------|
+| Art. 5(1)(a) | Lawfulness, fairness, transparency | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| Art. 5(1)(b) | Purpose limitation | | | |
+| Art. 5(1)(c) | Data minimisation | | | |
+| Art. 5(1)(e) | Storage limitation | | | |
+| Art. 5(1)(f) | Integrity and confidentiality | | | |
+| Art. 25 | Data protection by design and by default | | | |
+| Art. 32 | Security of processing | | | |
+| Art. 33/34 | Breach notification capability | | | |
+
+---
+
+## Gaps
+
+Controls that are not fully met at the time of this attestation:
+
+| Framework | Control | Gap Description | Risk Rating | Remediation Plan | Owner | Target Date |
+|-----------|---------|-----------------|-------------|-----------------|-------|-------------|
+| | | | | | | |
+
+---
+
+## Accepted Risks
+
+Controls with residual gaps that have been formally accepted for this release:
+
+| Framework | Control | Gap | Business Justification | Risk Register Ref | Approver | Acceptance Date | Review Date |
+|-----------|---------|-----|------------------------|-------------------|----------|----------------|-------------|
+| | | | | | | | |
+
+---
+
+## Audit Evidence Index
+
+Evidence collected in support of this attestation, located in `docs/audit-evidence/`:
+
+| Evidence ID | Description | Framework / Control | Collection Date | Location |
+|-------------|-------------|--------------------|-----------------|---------| 
+| AE-001 | [e.g. SAST scan results showing no CRITICAL findings] | [SOC 2 CC7.1] | [YYYY-MM-DD] | `docs/audit-evidence/sast-results-vX.Y.Z.pdf` |
+| AE-002 | | | | |
+
+---
+
+## Attestation Statement
+
+All in-scope controls have been reviewed against the evidence collected for release
+v[X.Y.Z]. The gaps and accepted risks listed above have been formally acknowledged by the
+named approvers. This attestation is valid for this release only and does not constitute
+a certification under any framework.
+
+---
+
+## Sign-off
+
+| Role | Name | Date | Status |
+|------|------|------|--------|
+| GRC Analyst Agent | (automated) | [YYYY-MM-DD] | Approved |
+| GRC Lead / CISO | | | Approved / Pending |
+| Release Manager | | | Approved / Pending |