.kiro/steering/product.md

# Product Overview

The STEAM Security Dashboard is a self-hosted vulnerability management tool for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. It centralizes CVE tracking, Ivanti host finding triage, AEO compliance posture monitoring, FP/Archer exception workflows, and internal documentation in a single interface.

## Core Capabilities

- Searchable CVE list with per-vendor tracking and document storage
- NVD API integration for auto-populating CVE metadata
- Ivanti/RiskSense integration for syncing open host findings with FP workflow tracking
- Reporting page with charts, advanced filtering, inline editing, and CSV/XLSX export
- Ivanti Queue for batch-processing FP, Archer, and CARD workflows
- AEO Compliance page with weekly xlsx upload, diff preview, per-team metric health cards, and device-level violation tracking
- Archer risk acceptance ticket tracking (EXC numbers) linked to CVE/vendor pairs
- Knowledge base for internal documentation and policies
- Role-based access control (viewer, editor, admin) with full audit trail

## User Roles

| Role | Permissions |
|------|------------|
| viewer | Read-only access to all data |
| editor | All viewer permissions plus create/update operations |
| admin | All editor permissions plus delete, user management, and audit log access |

## Teams Tracked

Only **STEAM** and **ACCESS-ENG** teams are tracked in the compliance module.
add kiro steering files 2026-04-03 09:27:12 -06:00			`# Product Overview`

			`The STEAM Security Dashboard is a self-hosted vulnerability management tool for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. It centralizes CVE tracking, Ivanti host finding triage, AEO compliance posture monitoring, FP/Archer exception workflows, and internal documentation in a single interface.`

			`## Core Capabilities`

			`- Searchable CVE list with per-vendor tracking and document storage`
			`- NVD API integration for auto-populating CVE metadata`
			`- Ivanti/RiskSense integration for syncing open host findings with FP workflow tracking`
			`- Reporting page with charts, advanced filtering, inline editing, and CSV/XLSX export`
			`- Ivanti Queue for batch-processing FP, Archer, and CARD workflows`
			`- AEO Compliance page with weekly xlsx upload, diff preview, per-team metric health cards, and device-level violation tracking`
			`- Archer risk acceptance ticket tracking (EXC numbers) linked to CVE/vendor pairs`
			`- Knowledge base for internal documentation and policies`
			`- Role-based access control (viewer, editor, admin) with full audit trail`

			`## User Roles`

			`\| Role \| Permissions \|`
			`\|------\|------------\|`
			`\| viewer \| Read-only access to all data \|`
			`\| editor \| All viewer permissions plus create/update operations \|`
			`\| admin \| All editor permissions plus delete, user management, and audit log access \|`

			`## Teams Tracked`

			`Only STEAM and ACCESS-ENG teams are tracked in the compliance module.`