Raxx · internal docs

internal · gated

Detection campaign — Phase 1 beta launch window

Campaign date: 2026-06-12 UTC Window: Phase 1 NDA-gated marketing-feedback preview — first day outsiders touch prod Triggered by: operator dispatch on beta-launch day Builds on: 2026-06-04 initial catalog (10 existing rules, 7 deferred) New rules this campaign: 4 (DET-BETA-001 through DET-BETA-004) Total active catalog after this campaign: 14 rules (10 prior + 4 new)

Threat surface as of 2026-06-12

Phase 1 beta invites go out today. This is the first time real outsiders hit raxx-api-prod. The key change from the pre-launch posture documented in the June 4 catalog:

CF Access was removed from /api/beta/preview/*. The beta preview endpoints are now internet-reachable — any actor who has or can guess a valid HMAC token can reach the NDA gate and beyond. This is intentional (invitees need no CF account), but it opens attack surfaces that did not exist when all customer-facing routes were behind CF.

The surface map as of today:

Surface Auth gate Internet-reachable New today
getraxx.com waitlist signup None (public) Yes No
/api/beta/preview/<token>/* HMAC token + NDA ack Yes — CF removed Yes
/api/auth/register/options + passkey routes HMAC bootstrap token + WebAuthn Yes No
console.raxx.app CF Access + passkey No (CF-gated) No
raxx-api-prod all other routes Session cookie + passkey Yes No

What we are watching, in priority order

Priority 1 — Token brute-force / enumeration on /api/beta/preview/* (DET-BETA-001)

The HMAC token is 256-bit keyspace; brute force of the full space is infeasible. The realistic risk is: - An actor observed a minted token URL in transit (email interception, cached URL in a shared browser, link-previewer bot storing the URL). - An actor received a forwarded invite from a legitimate tester.

The detection signal is the 401-burst + distinct-token-cardinality on the /status and /screen/* paths from a single source IP. This fires immediately on the first probe — no baseline maturity needed.

Monitoring posture today: manual heroku logs grep until P1 (Heroku drain) is wired. Target: check logs on 1-hour cadence during 13:00–20:00 UTC.

Highest-urgency prerequisite: P1 (Heroku drain). Without it, this detection is human-speed, not automated.

Priority 2 — Sentry errors on beta routes (DET-BETA-003)

The beta preview routes make a cross-service HTTP call (Raptor → Console) on every request. A misconfiguration in INTERNAL_API_SECRET between the two apps causes all token verifications to raise RuntimeError and return 500 to every tester. This is operationally catastrophic on day one and completely invisible without Sentry.

Monitoring posture today: sentry_backend flag is OFF in prod. This is an active gap. Recommend operator flip it before invite batch is sent. Until then, fallback is: heroku logs --app raxx-api-prod | grep 'beta_token_verifier' for the specific error signatures documented in DET-BETA-003.

Highest-urgency prerequisite: P2 (Sentry production rollout). This is the single highest-value operator action for beta-launch day.

Priority 3 — Automated screen traversal / scraping (DET-BETA-002)

The motive copy and rubric questions are NDA-bound IP. A scraper with a valid (forwarded) token can traverse all 5 screens in seconds, extract the content, and optionally submit synthetic rubric data contaminating the feedback dataset.

The structural protection (screen-lock enforcement) is correct. This detection confirms it fired and surfaces session timing anomalies.

Monitoring posture today: manual session-timing review from heroku logs. Check for any token that hits all screen paths in under 90 seconds.

Priority 4 — NDA bypass probe (DET-BETA-004)

Valid-token holders who bypass the NDA flow and probe directly for screen content. Distinct from token enumeration (DET-BETA-001) — the token is legitimate. The probe is an attempt to skip the NDA gate.

Monitoring posture today: manual heroku logs | grep 'status=403' | grep 'beta/preview'. Cluster by token slug.

Priority 5 — Waitlist velocity (existing DET-SIGNUP-001 + DET-SIGNUP-002)

Beta launch day may drive press coverage or social media traffic that spikes waitlist signups. The existing signup velocity rules cover this. No new signup rules needed for this campaign.

Rules built this campaign (4)

# Rule ID Title Severity ceiling State at ship
1 DET-BETA-001 Preview token enumeration HIGH live (manual until drain wired)
2 DET-BETA-002 Preview screen scraping / automated traversal HIGH live (manual until drain wired)
3 DET-BETA-003 Sentry error spike on beta routes CRITICAL dormant — sentry_backend flag OFF
4 DET-BETA-004 NDA bypass probe (repeated 403 nda_not_acked) HIGH live (manual until drain wired)

Rules NOT built this campaign (deferred from this scope)

Proposed rule Rationale for deferral
beta_rubric_data_quality — detect synthetic or copy-pasted rubric responses Requires NLP/pattern analysis of response text. Data-scientist scope; less than 50 real responses expected in week 1 — not enough sample for a meaningful detection. Revisit at 100+ submissions.
beta_token_sharing — detect multiple distinct IPs using the same valid token Token reuse by legitimate testers (two devices) vs. link-sharing is indistinguishable at the token level. The NDA acknowledgement is per-email not per-IP; shared links still require NDA. Low risk surface until adversarial reuse is confirmed. Defer to next campaign once we observe the empirical per-tester IP-count distribution.
beta_geo_anomaly — flag tokens used from countries inconsistent with US-only invite batch Geo headers are available (CF-IPCountry) but we do not know the explicit invite list's geographic distribution. If all invitees are US-based, a non-US 200 on a beta token is anomalous. Requires operator to confirm invite geo composition first — data the detection needs but doesn't have today.
beta_postmark_click_tracking — Postmark link-click events as a delivery confirmation + abuse signal Postmark click tracking is not wired to an inbound event table. This would require a new webhook handler for the Postmark click-tracking event stream. Defer until the Postmark webhook surface is formalized.

Operator-action checklist (from this campaign)

These are the items that will most directly improve detection coverage during the beta window. Listed in impact order:

  1. Flip sentry_backend ON in prod before invite batch sends. Single highest-value action. Command: heroku config:set sentry_backend=1 SENTRY_DSN_BACKEND=<from Infisical> --app raxx-api-prod >/dev/null 2>&1 Route to sre-agent to pull DSN from vault. Also set SENTRY_TRACES_SAMPLE_RATE=0.1 in the same call.

  2. Verify INTERNAL_API_SECRET is set and matches on both raxx-api-prod and raxx-console-prod. A mismatch causes every beta tester to receive a 500. This is a pre-flight check, not a detection item — but it prevents the single most catastrophic day-1 scenario. heroku config:get INTERNAL_API_SECRET --app raxx-api-prod >/dev/null 2>&1 heroku config:get INTERNAL_API_SECRET --app raxx-console-prod >/dev/null 2>&1 Confirm both are present and non-empty (do not compare values in any log — per feedback_heroku_config_set_echoes_secrets).

  3. Wire Heroku Logplex drain (P1 from June 4 catalog). Unlocks automated execution of DET-BETA-001, DET-BETA-002, DET-BETA-004, and the June 4 auth rules. Route to sre-agent. Until wired: run manual log checks on the 1-hour cadence during 13:00–20:00 UTC.

  4. Suppress multi-token NDA-403 alert for first 2 hours after invite batch. Per DET-BETA-004: when invites go out in bulk, many testers will hit the NDA gate simultaneously — this is expected. Note the batch-send UTC time and do not page on the multi-token 403 cluster during that window. Single-token bursts (>= 5 per token in 10 min) remain live alerts.

  5. Document operator's VPN exit IPs for suppression. Per user_uses_vpn, Datacamp/CDN77 IPs may be the operator testing invites. Before any HIGH alert fires, cross-check source IP against those ASNs. If not already in an allowlist file, add to docs/detections/_log/operator-vpn-allowlist.txt (new file, not a rule change).

Telemetry gaps that remain unaddressed

These are findings from the June 4 catalog that still block automated detection. No new finds from this campaign — the June 4 list accurately described the gaps. Status as of 2026-06-12:

Gap June 4 status Status today Change
P1 — Heroku Logplex drain Not wired Not wired No progress
P2 — Sentry in prod sentry_backend OFF sentry_backend OFF No progress — urgent for beta launch
P3 — KMS HMAC hash chain Gated on SC-A11/A14 Gated on SC-A11/A14 No progress
P4 — audit-write cadence baseline Needs first-customer data Needs first-customer data No change — today IS first real traffic
P5 — pg_stat_statements verification Unverified Unverified No progress
P6 — Heroku Platform API scraper Not built Not built No progress
P7 — Stripe webhook Not wired Not wired No progress
P8 — Postmark customer-mail volume Zero Zero (today starts) Watch: with invites sending, Postmark volume begins

New gap from this campaign: CONSOLE_INTERNAL_URL env var on raxx-api-prod. The beta_token_verifier.py defaults to https://raxx-console-prod.herokuapp.com/internal/api/verify-walkthrough-token. This must be explicitly set to ensure no traffic goes to the wrong host. Escalate to sre-agent to confirm.

Escalations from this run

Escalation 1 — HIGH finding: sentry_backend OFF during first-outsider-traffic day

Target: operator (policy / timing decision) and sre-agent (execution).

The sentry_backend flag is OFF in prod. Beta invites go out today. Without Sentry, any 500-class error on the beta preview routes is invisible except via manual heroku logs grep. The cross-service call in beta_token_verifier.py introduces a new failure mode (RuntimeError on HMAC mismatch) that produces 500s for all testers simultaneously. This is undetectable without Sentry or manual log monitoring.

Recommended action: sre-agent to pull SENTRY_DSN_BACKEND from Infisical and flip sentry_backend ON on raxx-api-prod immediately. This is an existing flag with existing init code — it is a config-var + flag flip, not a code change.

No GH issue filed per feedback_fix_dont_file. This is an operator-action recommendation in the campaign doc.

Escalation 2 — MEDIUM finding: audit_log_gap_window (DET-DATA-001) re-baseline trigger

Target: detection-engineer autonomous run.

Today is the first day of real customer-adjacent traffic (beta testers). The June 4 catalog noted that data_audit_log_gap_window uses a conservative pre-launch placeholder (any gap > 30 min during 12:00–22:00 UTC weekdays). As beta testers begin NDA-flow interactions and screen submissions, the customer_audit_events table will begin receiving writes from actual user activity. The 30-minute threshold should be monitored this week and re-baselined once 7 days of beta-tester writes establish a cadence. This is a scheduled-run trigger, not an immediate action.

Alert routing reminder for this window

Severity Channel Pre-launch posture exception
CRITICAL #raxx-ops-alert-sev1 Per-event always
HIGH #raxx-ops-alert-sev2-5 (ET) / #raxx-ops-alert-sev2 (off-hours) Per-event for DET-BETA-001, DET-BETA-002, DET-BETA-003, DET-BETA-004 during the beta-launch window (13:00–20:00 UTC 2026-06-12). Outside that window, batch to ops@ digest.
MEDIUM ops@ daily digest No exception
LOW docs/detections/_log/ No exception

Per feedback_pre_launch_digest_notifications: per-event paging is reserved for prod incidents + security CRIT/HIGH during active attack windows. The beta-launch window (today, 13:00–20:00 UTC) is an explicit exception because the attack surface opened today and early signals matter most in the first hours.

Files in this PR

No code changes. No new GH issues. No new feature flags. No migrations.

Cross-references