Audit Reports — Vauban Trust Center
Audience: regulators + investors + auditors
Last updated:
Audit Reports
Current Audit Status
| Audit | Status | Issuer | Date | Document |
|---|---|---|---|---|
| CSPN Visa (ANSSI) | 🟡 Dossier in preparation | ANSSI via CESTI Quarkslab partnership | Phase 0 done_when target Q4 2026 | TBD post-submission |
| SLSA L3 (Supply chain) | 🟡 In progress | Self-attestation + cargo-vet + Sigstore signing | Continuous | Repo SLSA provenance attestations |
| SOC2 Type II | ⏳ Planned Phase 2+ | TBD audit firm Phase 1+ selection | Phase 2+ post-CSPN | TBD |
| ISO 27001 | ⏳ Planned Phase 2+ | TBD audit firm Phase 1+ | Phase 2+ post-CSPN | TBD |
| CESTI Quarkslab pre-audit | 🟡 Sprint planned Phase 0 | Quarkslab (CESTI-labelled) | Phase 0 Q3-Q4 2026 | TBD post-engagement |
| Almond CESTI partnership | 🟡 Pre-engagement Phase 0 | Almond (CESTI-labelled) | Phase 1+ | TBD |
Continuous Self-Assessment
Governance Self-Audit
- Tool : vauban-gouvernance/scripts/governance-self-audit.sh V2.3 (post-v2.1 SSOT-SOTA mutualization)
- Frequency : pre-commit hook + manual quarterly
- Coverage : 4 NEW v2.0 checks PASS (charter coherence, SDR archival, strategy currency, no drift) + 9 FAIL pre-existing settings.json hook wiring (out of scope for the elevation, to be addressed post-elevation)
MCP Audit
- Status : ALL DONE through Phase 3.3
- Remaining : Phase 2.5 (DeFi apps), Phase 1.0 (SealedSecrets), Phase 2.3bis OTel (deferred)
- Score : 98/100 security posture
Brain Protocol Audit
- V6 cognitive flags : 0% activated (drift signal documented Q1 retrospective, Q2 priority push)
- V5 autonomous cognitive intelligence : active 2% progress
- V10 Observatory Cognition Tab : ship 92% confidence, 0% progress (Phase 1+ priority)
Public Audit Artifacts (Phase 1+ post-CSPN submission)
Future publication post-CSPN visa Q4 2026 :
- CSPN dossier extracts (technical specifications + security claims)
- Pen-test reports redacted
- SOC2 Type II report (Phase 2+)
- ISO 27001 certificate (Phase 2+)
RCA Public Disclosures
See incident-history for public post-mortems. Phase 0 commitment : every P0/P1 incident produces 3 atomic Brain entries (RCA + Fix Pattern + Prevention) per .claude/rules/core/incident-response.md. Public RCA published Phase 2+ post-Vauban-Tech SAS incorporation.
Audit Trail Architecture
Vauban audit trail = Brain Protocol decision chains anchored L3 Starknet mainnet :
- 986+ Brain entries cumulative cross-product memory
- Sprint-483 universal proof-layer pattern (Cairo MerkleAnchor sealed 2026-04-23)
- Quarterly state hash anchored L3 (Phase 2+ scheduled)
- All ADR-ECO + cascade actions + quarterly reviews archived Brain
Auditor access pattern :
- Request audit trail extract via security@vauban.tech (institutional auditor)
- Vauban produces Brain entries chain hash + L3 anchor proofs
- Auditor verifies independently via Cairo MerkleAnchor verifier (open-source SDK Phase 2+)
Cross-references
- Compliance matrix : compliance.md
- Threat model : governance/threat-model/per-product-surface.md
- Architecture attestation : architecture-attestation.md
- Governance attestation : governance-attestation.md
- Incident history : incident-history.md