
CC4.1 — Selects, develops, and performs ongoing and/or separate evaluations

Status: Partially implemented (CI + sub-agent + Phase exit gate cycle live; quarterly internal-audit programme target week 34)
Owner: Agent #38 (Senior Compliance Lead, SOC 2 + ISO 27001)
Last reviewed: 2026-05-28
Next review: 2026-08-28

Trust Services Criteria reference

The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. The control covers continuous monitoring (live evaluation as the system runs), periodic separate evaluations (internal audit cycles, sub-agent reviews, security reviews), and the integration of monitoring outputs into management oversight.

How ZeroAuth meets this control

Three monitoring loops run in parallel, each with a different cadence and observer.

Continuous (per commit). Every push to dev triggers CI (/.github/workflows/ci.yml) which runs tsc --noEmit, eslint ., npm test, and the secret + biometric + ADR scans named in 06-ways-of-working.md "Commit-time gates". The pre-commit hook (per 04-commits.md C-001) mirrors the gate locally so a violation is caught before push. ADR 0011 (commit 51bc705) enforces that the gate is not overridable: --no-verify is forbidden and main is protected. The PR-level review adds the security-reviewer or cryptographer-reviewer sub-agent (mandatory per 06-ways-of-working.md "Sub-agent rules") on any change to auth, crypto, audit, tenant boundaries, or circuit / contract paths.

Sub-daily (operations). The nightly CVE monitor at scripts/cve-monitor.sh (commit f8a756c) scans the dependency tree against the GitHub advisory database; a high-severity finding pages the on-call rotation. tests/cve-monitor.test.ts (also commit f8a756c) is a fixture-based regression guard that catches the monitor itself going silent. The build artefacts in circuits/build/ (vkey, wasm, zkey) are checksum-verified at every boot per ADR 0015 (commit e98d158).

Periodic (per sprint, per phase). Sprint exit (every 2 weeks) closes with a retrospective and an updated audit-findings doc. Phase exit (every 4–12 weeks) is the formal go/no-go review with Role 1 + Role 36 + Role 42. The Phase 0 exit gate (week 2) reviews the closure status of the 21 audit findings. The Phase 1 exit gate (week 12) reviews the Anchor Bank demo + RBI mapping completion. Subsequent gates are listed in the docs/plan/bfsi-v1/00-README.md phase map.

Compliance-specific (quarterly). Quarterly access reviews (D-Q2-12, D-Q3-16, D-Q4-07), quarterly vendor reviews (D-Q2-13, D-Q3-16, D-Q4-07), and the quarterly compliance retrospective (docs/compliance/retros/<year>-<q>.md, per compliance-roadmap-v1.md §8.1) form the separate-evaluation loop with the CCO sign-off.

External (annual + on-demand). SOC 2 Type I + Type II observation periods (weeks 14–22 and 27–39 respectively), ISO 27001 Stage 1 (week 23) + Stage 2 (week 36), the Trail of Bits / equivalent smart-contract audit (weeks 16–26), and the external cryptographer review (week 10) are the third-party separate evaluations. Each has named deliverables in compliance-roadmap-v1.md §4. Surveillance audits for ISO 27001 recur in years 2 + 3 per §6.4.

The Phase 0 demonstration of the loop: the readiness audit identified 21 findings; the per-commit CI gate caught regression candidates as the closures landed; the Phase 0 exit gate (week 2) is the formal sign-off moment. The audit-findings doc tracks the through-line per finding.

The on-chain anchor (ADR 0014, commit 27ed93c) extends the monitoring loop into the public verifiable layer: each tenant's audit-chain terminal hash is anchored daily on Base L2. A break in the anchor cadence (2 consecutive missed days) puts the tenant into "anchor-degraded" state and surfaces a banner in the dashboard.
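The cadence rule above, written out as an added example (not ZeroAuth's own code): it assumes one anchor per UTC day is expected, that the current day is excluded because its anchor may still be pending, and that the "2 consecutive missed days" threshold from the paragraph is the degradation trigger; the record shape and sample history are constructed.

```typescript
// Added example (not ZeroAuth code): derive a tenant's "anchor-degraded" state
// from its daily on-chain anchor history. Assumptions: one anchor per UTC day is
// expected, the current day is excluded because its anchor may still be pending,
// and 2 consecutive missed days (the ADR 0014 threshold) degrade the tenant.
type AnchorState = "healthy" | "anchor-degraded";

interface AnchorRecord {
  tenantId: string;
  anchoredAt: string; // ISO-8601 time of the Base L2 anchoring transaction
}

const MAX_CONSECUTIVE_MISSED = 2;

// Normalise a timestamp to its UTC calendar day ("YYYY-MM-DD").
function utcDay(iso: string): string {
  const d = new Date(iso);
  if (Number.isNaN(d.getTime())) throw new Error(`bad timestamp: ${iso}`);
  return d.toISOString().slice(0, 10);
}

// Longest run of consecutive completed UTC days with no anchor, looking back
// `windowDays` days from the day before `asOf` (setUTCDate handles month rollover).
function longestMissedRun(records: AnchorRecord[], asOf: string, windowDays = 7): number {
  const anchoredDays = new Set(records.map((r) => utcDay(r.anchoredAt)));
  const cursor = new Date(`${utcDay(asOf)}T00:00:00Z`);
  cursor.setUTCDate(cursor.getUTCDate() - 1); // start at yesterday
  let run = 0, worst = 0;
  for (let i = 0; i < windowDays; i++) {
    if (anchoredDays.has(cursor.toISOString().slice(0, 10))) {
      run = 0;
    } else {
      run += 1;
      worst = Math.max(worst, run);
    }
    cursor.setUTCDate(cursor.getUTCDate() - 1);
  }
  return worst;
}

function anchorState(records: AnchorRecord[], asOf: string): AnchorState {
  return longestMissedRun(records, asOf) >= MAX_CONSECUTIVE_MISSED ? "anchor-degraded" : "healthy";
}

// Constructed sample histories for May 2026, evaluated as of the 26th.
const anchors = (days: number[]): AnchorRecord[] =>
  days.map((d) => ({ tenantId: "tenant-a", anchoredAt: `2026-05-${String(d).padStart(2, "0")}T02:15:00Z` }));
const DEGRADED_HISTORY = anchors([20, 21, 22, 25]); // 23rd and 24th missed
const HEALTHY_HISTORY = anchors([19, 20, 21, 22, 23, 25]); // only the 24th missed
```

A tenant with no anchors at all in the window is degraded too, which is the desired behaviour for a freshly broken anchoring job.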

The boot-time vkey hash check (commit e98d158) is the simplest possible separate evaluation: the verifier refuses to start with a mismatched vkey, so the monitoring failure mode is "service is down" — which is loud rather than silent.
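The fail-closed check described here and in the operations loop above, as an added example that is not the project's code: it assumes the release ships pinned SHA-256 digests for the three circuits/build/ artefacts and that the artefacts are supplied as byte buffers; the manifest shape, the helper names and the sample artefact bytes are constructed.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example (not ZeroAuth code): the fail-closed boot check. Assumptions: the
// release ships pinned SHA-256 digests for the three circuit artefacts, and the
// artefacts arrive as byte buffers (a real service would read circuits/build/*).
type ArtefactName = "vkey" | "wasm" | "zkey";
type Artefacts = Record<ArtefactName, Uint8Array>;
type PinManifest = Record<ArtefactName, string>; // hex SHA-256 per artefact

class ArtefactPinMismatch extends Error {
  constructor(artefact: ArtefactName) {
    super(`refusing to start: ${artefact} digest does not match its pinned value`);
  }
}

function sha256Hex(bytes: Uint8Array): string {
  return createHash("sha256").update(bytes).digest("hex");
}

// Check every pinned artefact and throw on the first mismatch, so the verifier
// never runs with a swapped vkey (which would accept proofs for a different circuit).
function verifyArtefacts(pins: PinManifest, artefacts: Artefacts): ArtefactName[] {
  const verified: ArtefactName[] = [];
  for (const name of Object.keys(pins) as ArtefactName[]) {
    const actual = Buffer.from(sha256Hex(artefacts[name]), "hex");
    const expected = Buffer.from(pins[name], "hex");
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
      throw new ArtefactPinMismatch(name);
    }
    verified.push(name);
  }
  return verified;
}

// Boot outcome as the monitoring loop sees it: "down" is the loud failure mode.
function bootOutcome(pins: PinManifest, artefacts: Artefacts): "up" | "down" {
  try { verifyArtefacts(pins, artefacts); return "up"; }
  catch (e) { if (e instanceof ArtefactPinMismatch) return "down"; throw e; }
}

// Constructed sample release: pins derived from the genuine bytes, then the vkey swapped.
const GENUINE: Artefacts = {
  vkey: Buffer.from('{"protocol":"groth16","curve":"bn128","nPublic":3}'),
  wasm: Buffer.from([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]), // wasm magic + version
  zkey: Buffer.from("constructed zkey bytes"),
};
const PINS: PinManifest = { vkey: sha256Hex(GENUINE.vkey), wasm: sha256Hex(GENUINE.wasm), zkey: sha256Hex(GENUINE.zkey) };
const SWAPPED_VKEY: Artefacts = { ...GENUINE, vkey: Buffer.from('{"protocol":"groth16","curve":"bn128","nPublic":4}') };
```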

Evidence references

  • /.github/workflows/ci.yml — continuous CI gate on every push.
  • ADR 0011-branching-workflow.md (commit 51bc705) — PR + CI + sub-agent review gates.
  • docs/plan/bfsi-v1/06-ways-of-working.md "Commit-time gates" + "Sub-agent rules" — the continuous and per-PR monitoring rules.
  • Commit f8a756c — nightly CVE monitor (scripts/cve-monitor.sh + tests/cve-monitor.test.ts).
  • ADR 0015-circuit-version-pinning.md (commit 27ed93c) + commit e98d158 — boot-time vkey verification.
  • ADR 0014-on-chain-anchor-cadence.md (commit 27ed93c) + commit d6c6a4e — daily on-chain anchor.
  • docs/security/audit-findings.md — 21 Phase 0 findings tracked through closure.
  • docs/compliance/compliance-roadmap-v1.md §4 — quarterly deliverables with named owners.
  • docs/compliance/compliance-roadmap-v1.md §6 — external evaluator engagements.

Open gaps + remediation roadmap

  • Internal audit cycle (ISO 27001) — first cycle target week 34 (2027-01-04), per compliance-roadmap-v1.md D-Q3-09. Owner Agent #38.
  • Management review (ISO 27001) — first review target week 35 (2027-01-11), D-Q3-10. Agent #36 + Agent #1.
  • Quarterly compliance retrospective template — first retro target week 14 (2026-08-24), docs/compliance/retros/2026-q1.md.
  • Closed-finding regression test suite (tests/security/regression.spec.ts) — lands C-023 sprint 2 per audit-findings.md. Target week 6 (2026-07-06).

Test or audit query

  • grep -r "uses:" .github/workflows/ci.yml confirms that tsc --noEmit, eslint, npm test, and any scan jobs are wired.
  • cat docs/security/audit-findings.md shows the closed/open status of every Phase 0 finding.
  • Sub-agent invocation events should be visible in PR review comments (mock query gh pr list --state merged --search "security-reviewer", once GitHub Enterprise is in scope).