diff --git a/docs/security/service-checklist.md b/docs/security/service-checklist.md index 5ad7a79..8b472eb 100644 --- a/docs/security/service-checklist.md +++ b/docs/security/service-checklist.md @@ -48,6 +48,9 @@ This checklist is the generic **bar**. Each service answers it in its own - [ ] Logs go somewhere reviewable (central aggregation when available) - [ ] Backup/restore is covered if the service holds state +- [ ] Passed Level 4 service-UI verification (`/verify-service`) against staging — the + service has a populated `roles//VERIFY.md` and its critical journeys + verified (ADR-008 Level 4 / ADR-017) > Deviations are allowed but must be **conscious**: record them in > `docs/security/accepted-risks.md`, don't leave them implicit.