[DOCS] Add incident response runbook for leaked vault keys and compromised plugins

[utksh1]

Problem

SecuScan needs a production-grade improvement in this area: Operational response..

Scope

Create step-by-step runbooks for rotating vault keys, invalidating reports, disabling plugins, preserving logs, and restoring clean state.

Acceptance Criteria

• The implementation is focused and does not introduce unrelated UI, docs, lockfile, or formatting churn.
• Security-sensitive behavior has explicit negative tests where applicable.
• Existing tests continue to pass, and new tests cover the main success and failure paths.
• Documentation or configuration examples are updated when operator behavior changes.

Verification

Docs should include verification commands and decision points for operators.

Difficulty

Hard, useful issue intended for experienced contributors.

[SaumyaT-21]

Hi @utksh1 ! I'm a GSSoC '26 contributor and I'd like to take a try at this. I'm highly interested in the security operations side of this project and am ready to put in the research time to build out a solid, step-by-step runbook with the required verification tests. Could you please assign this to me?

[aaniya22]

Please assign this issue to me under Gssoc'26

[gitsofyash]

Hi @utksh1! I'd like to work on this under GSSoC '26.

I'll create step-by-step runbooks covering:

• Vault key rotation — detection, revocation, re-encryption steps, and verification commands
• Compromised plugin handling — isolation, disabling, and audit trail preservation
• Report invalidation — identifying affected outputs and communicating impact
• Log preservation — ensuring forensic integrity before any remediation steps
• Clean state restoration — validation checks to confirm the system is safe post-incident

Each section will include decision points and verification commands for operators, scoped to local, LAN, and container deployments. I'll keep the PR tightly focused with no unrelated churn.

Please assign this to me! 🚀

[Midoriya-w]

Hey @utksh1 I'd love to write the incident response runbook for vault key rotation and compromised plugins under GSSoC 2026. Can I get assigned?

[Midoriya-w]

Hey @utksh1! Thanks for the assignment! Could you add the appropriate labels (level:critical, type:security, gssoc:approved) so this counts for GSSoC scoring?

[Midoriya-w]

Hey @utksh1 I've opened PR #317 with the full incident response runbook covers leaked vault key detection/rotation/revocation, compromised plugin isolation and audit trail, log preservation, and clean state restoration. Each section includes verification commands and decision points for operators. Ready for review!