Skip to content

[compliance] Separation of Duties #80

New issue
New issue
Open
Open
[compliance] Separation of Duties#80
Labels
compliancecompliance:separation-of-duties
@christoph2806

Description

@christoph2806
christoph2806
opened on Feb 22, 2026

Separation of Duties

Role-based access control, DB role separation, MFA enforcement

Rules

  • CON-DVO-002: See entity definition

Findings (5)

Rule File Verdict Evidence
CON-DVO-002 packages/showcase/src/database/connection.ts FAIL The database connection provides unrestricted access with no role separation. All functions (runQuery, getAllQuery, getQ
CON-DVO-002 packages/showcase/src/database/queries.ts FAIL The file shows a single database connection layer (runQuery, getAllQuery, getQuery) used for all operations without role
CON-DVO-002 packages/showcase/src/database/types.ts WARN Line 24: User interface defines only basic roles ('admin'
CON-DVO-002 packages/showcase/src/types/Auth.ts FAIL Lines 2-6: User interface only defines two roles ('admin'
CON-DVO-002 packages/showcase/src/types/ui-kit.d.ts WARN Line 4-8: User interface defines only basic roles 'admin'

Suggested Actions

  • CON-DVO-002: Implement separate database connection functions for different roles (app operations, migrations, audit, admin). Create role-based access control where app operations can only execute limited queries, while admin operations require separate authentication. Add MFA verification for administrative database operations. Consider using connection pooling with role-based connections and restrict direct SQL execution based on the calling context.

Auto-generated by compliance-checker | Scan: 2026-02-28 | Commit: fac255ddf75c

Metadata

Metadata

Assignees

No one assigned

    Labels

    compliancecompliance:separation-of-duties

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions