Context pack cho JWT · Gateway · RLS · Secrets · Threat model · Production readiness. Snapshot + trỏ canonical. Không in secret. Canonical: backend/SECURITY-CHECKLIST.
Auth Gateway (LIVE)
Chấp nhận Authorization: Bearer <jwt> (JWT HS256 access + DB session, revocation) hoặcx-bng-api-key (server-to-server). Thứ tự: Bearer → key. Tenant từ credential, không từ client. TenantResolver seam. backend/AUTH-GATEWAY, AUTH-TENANT-CONTEXT.
Mint session qua ops CLI (mint-session-token), revoke session/key. Chưa có login endpoint/password (Phase 4 Auth GA).
Role split: app role bng_staging_app (RLS-subject, request path + withTenant) vs maintenance role BYPASSRLS (ops/dispatcher/metrics). backend/RLS-OPERATIONS.
Request path 100% qua withTenant/runInTx (guard scripts/check-tenant-guard.sh). backend/RLS-READINESS.
Secrets
Hash sha256 (API key), JWT secret env fail-fast production, secret 0600 VPS, không log/không bundle/không response (verified 0 match). Gate/JWT secret không vào client. Threat: cross-tenant leak, secret leak, token abuse → mitigation ở backend/RLS-RISK-MATRIX.