{"id":"ops/security-dr-drill","relativePath":"ops/security-dr-drill.md","title":"Pen Test Baseline + DR Drill Runbook","markdown":"# Pen Test Baseline + DR Drill Runbook\n\nThis runbook executes the SOTA Phase 5 hardening gate:\n\n- Pen test baseline\n- Disaster recovery drill\n\n## Commands\n\n```bash\npnpm pentest:baseline\npnpm dr:drill\n```\n\nCombined gate:\n\n```bash\npnpm hardening:pen-dr\n```\n\n## Pen test baseline\n\n`pnpm pentest:baseline` runs `pnpm audit --json`, writes a summary artifact, and compares results against a committed baseline:\n\n- Baseline: `config/security-audit-baseline.json`\n- Artifact: `artifacts/security/pnpm-audit-summary.json`\n\nPass criteria:\n\n- No severity bucket exceeds the baseline allowance.\n- No net-new advisory IDs appear beyond baseline.\n\nIf dependency posture is intentionally updated, refresh baseline only after review:\n\n```bash\npnpm pentest:baseline:record\n```\n\n## DR drill\n\n`pnpm dr:drill` performs a non-destructive restore rehearsal:\n\n- File-backed rehearsal:\n  - Snapshot managed storage docs from `storage/*.json`; the managed-document list is centralized in `src/utils/storage.ts`\n  - Copy to timestamped backup and restore directories under `artifacts/dr-drill/<timestamp>/`\n  - Validate JSON parse and SHA-256 checksum equality after restore\n- Postgres rehearsal (when storage mode is `postgres` or `double-write`):\n  - Snapshot managed `storage_documents` rows\n  - Rehydrate snapshot into a transaction-scoped temp table\n  - Verify row-level checksum parity\n  - Roll back transaction\n\nArtifacts:\n\n- `artifacts/dr-drill/latest.json`\n- `artifacts/dr-drill/<timestamp>/summary.json`\n\nPass criteria:\n\n- All recovered file checksums match original checksums.\n- Postgres temp-table restore rehearsal verifies checksum parity, or is explicitly skipped in `file` mode.\n","sections":[{"level":2,"heading":"Commands","anchor":"commands"},{"level":2,"heading":"Pen test baseline","anchor":"pen-test-baseline"},{"level":2,"heading":"DR drill","anchor":"dr-drill"}],"html":"<h1 id=\"pen-test-baseline-dr-drill-runbook\">Pen Test Baseline + DR Drill Runbook</h1>\n<p>This runbook executes the SOTA Phase 5 hardening gate:</p>\n<ul><li>Pen test baseline</li><li>Disaster recovery drill</li></ul>\n<h2 id=\"commands\">Commands</h2>\n<pre><code>\npnpm pentest:baseline\npnpm dr:drill\n</code></pre>\n<p>Combined gate:</p>\n<pre><code>\npnpm hardening:pen-dr\n</code></pre>\n<h2 id=\"pen-test-baseline\">Pen test baseline</h2>\n<p>`pnpm pentest:baseline` runs `pnpm audit --json`, writes a summary artifact, and compares results against a committed baseline:</p>\n<ul><li>Baseline: `config/security-audit-baseline.json`</li><li>Artifact: `artifacts/security/pnpm-audit-summary.json`</li></ul>\n<p>Pass criteria:</p>\n<ul><li>No severity bucket exceeds the baseline allowance.</li><li>No net-new advisory IDs appear beyond baseline.</li></ul>\n<p>If dependency posture is intentionally updated, refresh baseline only after review:</p>\n<pre><code>\npnpm pentest:baseline:record\n</code></pre>\n<h2 id=\"dr-drill\">DR drill</h2>\n<p>`pnpm dr:drill` performs a non-destructive restore rehearsal:</p>\n<ul><li>File-backed rehearsal:</li><li>Snapshot managed storage docs from `storage/*.json`; the managed-document list is centralized in `src/utils/storage.ts`</li><li>Copy to timestamped backup and restore directories under `artifacts/dr-drill/&lt;timestamp&gt;/`</li><li>Validate JSON parse and SHA-256 checksum equality after restore</li><li>Postgres rehearsal (when storage mode is `postgres` or `double-write`):</li><li>Snapshot managed `storage_documents` rows</li><li>Rehydrate snapshot into a transaction-scoped temp table</li><li>Verify row-level checksum parity</li><li>Roll back transaction</li></ul>\n<p>Artifacts:</p>\n<ul><li>`artifacts/dr-drill/latest.json`</li><li>`artifacts/dr-drill/&lt;timestamp&gt;/summary.json`</li></ul>\n<p>Pass criteria:</p>\n<ul><li>All recovered file checksums match original checksums.</li><li>Postgres temp-table restore rehearsal verifies checksum parity, or is explicitly skipped in `file` mode.</li></ul>","updatedAt":"2018-10-20T01:46:40.000Z","checksum":"a766ef3e2afcb1b2b90795297811b9969c73a7cc509c66a5f1dd84a852934dcd","checksumPrefix":"a766ef3e2afc","anchorCount":3,"lineCount":62,"rawUrl":"/api/docs/content?path=ops%2Fsecurity-dr-drill.md","htmlUrl":"/docs?doc=ops%2Fsecurity-dr-drill.md","apiUrl":"/api/docs/content?path=ops%2Fsecurity-dr-drill.md"}