Skip to content

Security & Threat Model

Verifiable trust. Zero-trust defaults. Post-quantum resilience.

Profile: Zero Trust · Defense-in-Depth · Assume Compromise · Standard: Standard-817 · SOSL v1.0 · Last review: 2025-09-07

Security Principles

Least Privilege

All services, users, and instruments operate with the minimum permissions required; privilege boundaries are enforced via typed capabilities on the Sovereign Genesis Bus.

Exploit Transparency

Attestations are public-by-default. Tamper-evidence and lineage (Merkle-DAG) convert covert failure into auditable signals.

Composable Verification

Every control emits machine-verifiable proofs (ZKChronoSeal™, ΔΣ overlays), allowing independent verifiers to reconstruct trust.

Threat Taxonomy (STRIDE × Fabric)

CategoryExamplesPrimary Countermeasures
SpoofingImpersonation of instruments, key theftCSG-1 identities, PQ signatures, mutual attestation, mTLS, key pinning
TamperingState manipulation, build pipeline editsMerkle-DAG lineage, SLSA-3+ provenance, immutability windows, 4-eyes merge
RepudiationAction denialNon-repudiable attestations, time-sealed proofs (ZKChronoSeal™)
Information DisclosurePII exfiltration, linkabilityTokenization, field-level encryption, GhostFrame™ epochs, UCL consent
DoSResource exhaustion, policy engine floodsRate-limits per identity, proof-of-work tickets, surge isolation, circuit breakers
Elevation of PrivilegeAbusing admin APIsMFA + WebAuthn, just-in-time roles, M-of-N approvals for sensitive ops

Controls Matrix (Prevent · Detect · Respond)

Prevent

  • Post-quantum sigs (Dilithium), KEM (Kyber), hash (SHA-3/Shake)
  • SLSA-3+ builds, SBOM, dependency allow-lists
  • Policy Guard inline checks; UCL consent gates
  • Secrets: per-env envelopes, age/Tink, KMS + HSM roots

Detect

  • Attestation stream analytics (ΔΣ anomalies)
  • Supply-chain drift alerts (SBOM diff)
  • Behavioral thresholds (Sovereign Breach Index)

Respond

  • InfinityWipe™ nullification & key rotation rituals
  • Quarantine shards, policy overrides with M-of-N
  • Public disclosure bundles & post-mortem proofs

Post-Quantum Cryptography & Key Management

Algorithms

  • Signatures: CRYSTALS-Dilithium (level-3/5)
  • KEM: CRYSTALS-Kyber (level-3/5)
  • Fallback: SPHINCS+ for constrained contexts
  • Hashing: SHA-3/Keccak, BLAKE3 for local ops

Key Lifecycle

  • Root keys in HSM; service keys rotated ≤ 90 days
  • Hardware-bound WebAuthn for human actors
  • Deterministic derivation per instrument/tenant
  • Dual-control ceremonies for custodial secrets

Supply Chain Integrity (SLSA · SBOM)

Build & Provenance

  • Hermetic builds, pinned toolchains, reproducible releases
  • Provenance attestations attached to artifacts
  • Mandatory code review (4-eyes) and required checks

SBOM & Dependencies

  • SBOM per artifact (CycloneDX)
  • Allow-list packages; ban post-install scripts
  • Automated diff alarms on SBOM drift

Privacy & Data Lifecycle

PhaseControlsProofs
CollectionUCL consent; purpose bindingConsent receipts, signed intents
StorageEncryption at rest, field tokenizationKMS envelopes, key attestations
AccessABAC/RBAC + JIT, M-of-N for sensitiveAccess proofs, ΔΣ risk overlays
TransfermTLS + PQ; policy-aware routingRouting proofs, jurisdiction tags
DeletionInfinityWipe™ with lineage breakNullification proofs, audit trail

Incident Response (IR) & SEV Handling

Severity Model

  • SEV-0: Critical sovereignty breach (public nullification)
  • SEV-1: Key compromise or active exploit
  • SEV-2: Degradation, suspicious lineage

Golden Hour Playbook

  • Quarantine → attest → rollback/rotate
  • Engage M-of-N approvers for policy overrides
  • Publish public proof bundle within 24h

Post-Incident

  • Root cause with ΔΣ correlation
  • Update controls; regression attestations
  • Community disclosure per SOSL

Interactive Risk Model

Score: 9 (Medium)

Risk Register

#LikelihoodImpactScoreCategory

Security Headers & CSP Generator

Content Security Policy


            

            

              
HSTS & Misc Headers

              
Recommended:

              
    
                
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    • 
                
  • X-Content-Type-Options: nosniff
    • 
                
  • X-Frame-Options: DENY (or CSP frame-ancestors)
    • 
                
  • Referrer-Policy: strict-origin-when-cross-origin
    • 
                
  • Permissions-Policy: limit sensors, camera, microphone
    • 
              

            

          

          

        


        
        

          
Vulnerability Disclosure & Bounty (Public Beta)

          

            

              
How to Report

              
    
                
  • Email: security@constitutionfabric.org (PGP preferred)
    • 
                
  • PGP Key: keyid: 0xCF817SNF (armored on /contact)
    • 
                
  • Response SLA: triage in 3 business days; fix ETA per severity
    • 
              

            

            

              
Safe Harbor

              
Good-faith research under this policy will not trigger legal action; avoid privacy violations, service disruption, and data exfiltration.

            

          

          

        


        
        

          
Generate /.well-known/security.txt

          

            

              
              
              
              
              
              
              

                
                
              

              

            

            

              
robots for Sensitive Areas

              
Block crawlers for /internal/ and /.well-known/ where appropriate.

              
User-agent: *
Allow: /
Disallow: /internal/
Disallow: /.well-known/private/
Sitemap: https://constitutionfabric.org/sitemap.xml

            

          

          

        


        
        

          
Hardening Checklist

          

            

              
Platform

              
    
                
  • Kernel lockdown; auditd + immutable logs
    • 
                
  • Time sync via signed sources
    • 
                
  • Disk encryption (LUKS/FileVault)
    • 
              

            

            

              
Network

              
    
                
  • Zero-trust overlay; per-service mTLS + PQ
    • 
                
  • Ingress WAF + rate limits + circuit breakers
    • 
                
  • eBPF telemetry with drop-on-unknown
    • 
              

            

            

              
Application

              
    
                
  • CSP, HSTS, sameSite=strict cookies
    • 
                
  • Authz: ABAC + contextual risk (SBI)
    • 
                
  • Secrets from KMS only; no env plain-text
    •