security.cspec
# Security Domain Aggregate
# Contains: S001-S005
# Stability: stable
# CASCADE: MANUAL ONLY (security changes require human review)

metadata:
  domain: security
  version: 1.1.0
  stability: stable
  updated: 2026-01-16
  component_ids: [S001, S002, S003, S004, S005]
  cascade_override: never_auto  # Security domain requires manual cascade
  roles:
    primary: [Security]
    review: [Arch, Ops]
  expertise:
    required: [security, compliance, threat_modeling]
    helpful: [cryptography, auditing, incident_response]
  context_tags: [security, threats, audit, compliance, keys, hardening, incidents]

dependencies:
  upstream: []
  downstream: []

# === S001: THREAT MODEL ===
S001_threat_model:
  metadata:
    id: S001
    name: threat_model
    cascade_priority: 100

  spec:
    actors:
      external_attacker: Unauthorized network access, exploit attempts
      malicious_validator: Colluding or byzantine validator nodes
      compromised_user: Stolen keys, phished credentials
      insider_threat: Rogue admin, supply chain compromise

    attack_vectors:
      network:
        - ddos: Rate limiting, geographic distribution
        - mitm: TLS 1.3 required, certificate pinning
        - eclipse: Minimum peer diversity requirements
      consensus:
        - 51_percent: BFT requires 2/3+1, stake distribution monitoring
        - long_range: Checkpointing, finality gadget
        - nothing_at_stake: Slashing conditions
      smart_contracts:
        - reentrancy: Checks-effects-interactions pattern
        - overflow: Safe math, bounded types
        - oracle_manipulation: TWAP, multi-source validation
      infrastructure:
        - ssh_bruteforce: Key-only auth, fail2ban
        - supply_chain: Reproducible builds, signed releases
        - secret_leak: Secrets management, rotation

# === S002: TRUSTED SETUP ===
S002_trusted_setup:
  metadata:
    id: S002
    name: trusted_setup
    cascade_priority: 100

  spec:
    requirements:
      authentication:
        validator_keys: Ed25519, hardware security modules recommended
        admin_access: SSH key-only, 2FA for web interfaces
        api_auth: JWT with short expiry, refresh token rotation

      encryption:
        in_transit: TLS 1.3 minimum, HTTP/2
        at_rest: LUKS for sensitive volumes
        keys: Never in git, environment variables or secrets manager

      network:
        firewall:
          ingress: Explicit allow-list only
          egress: Restrict to required destinations
        ports:
          public: [80, 443] (via Caddy only)
          validator_p2p: 4130 (alphaos), 4230 (deltaos)
          internal: VPC only

      access_control:
        principle: Least privilege
        admin_users: Named accounts, no shared credentials
        service_accounts: Scoped permissions, rotate quarterly

      logging:
        retention: 90 days minimum
        sensitive_data: Never log keys, passwords, PII
        integrity: Append-only, forward to SIEM

# === S003: AUDIT REQUIREMENTS ===
S003_audit_reqs:
  metadata:
    id: S003
    name: audit_reqs
    cascade_priority: 100

  spec:
    code_audit:
      scope: [alphavm, deltavm, adnet, acdc-core]
      frequency: Before mainnet, annually after
      type: Professional third-party audit
      critical_areas:
        - consensus_logic
        - cryptographic_implementations
        - cross_chain_messaging
        - token_economics

    penetration_testing:
      frequency: Quarterly
      scope: All public endpoints, validator nodes

    dependency_audit:
      tool: cargo audit
      frequency: Weekly CI, before releases
      action: Block release on CRITICAL CVEs

    vulnerability_disclosure:
      policy: Responsible disclosure
      contact: security@ac-dc.network
      response_sla:
        acknowledgment: 24h
        triage: 72h
        critical_patch: 7d
      bounty_program: Planned for mainnet

# === S004: COMPLIANCE ===
S004_compliance:
  metadata:
    id: S004
    name: compliance
    cascade_priority: 100

  spec:
    key_management:
      validator_keys:
        generation: Air-gapped machine or HSM
        storage: Hardware wallet or HSM
        backup: Encrypted, geographically distributed
        rotation: Not routine (only on compromise)

      operational_keys:
        ssh: Generate per-machine, revoke on decommission
        tls: Let's Encrypt auto-renewal via Caddy
        api_secrets: Rotate quarterly, on personnel change

      secrets_storage:
        production: HashiCorp Vault (recommended)
        development: Environment variables, .env files (gitignored)

    incident_severity:
      P0_critical:
        examples: [active_exploit, key_compromise, consensus_failure]
        response: Immediate, all-hands
        notification: Within 1 hour
      P1_high:
        examples: [vulnerability_discovered, service_degradation]
        response: Same business day
        notification: Within 4 hours
      P2_medium:
        examples: [suspicious_activity, policy_violation]
        response: Within 48 hours
      P3_low:
        examples: [minor_misconfiguration, documentation_gap]
        response: Next sprint

    hardening:
      servers:
        - SSH key-only authentication
        - Fail2ban installed and configured
        - Automatic security updates enabled
        - UFW/iptables firewall enabled
        - Non-root service accounts
        - Audit logging enabled

      applications:
        - Debug mode disabled in production
        - Error messages don't leak internals
        - Rate limiting on all endpoints
        - Input validation on all user data
        - CORS properly configured

      ci_cd:
        - Secrets never in logs
        - Build reproducibility verified
        - Dependency scanning enabled
        - Signed commits required for releases

# === S005: EXTERNAL DEPENDENCIES ===
S005_external_dependencies:
  metadata:
    id: S005
    name: external_dependencies
    cascade_priority: 100
    file: security/S005-external_dependencies.component.cspec

  summary:
    purpose: "Comprehensive inventory of external dependencies across Alpha/Delta core"
    categories:
      - crypto: "Cryptographic libraries (rand, sha2, ed25519-dalek, ark-*, aes-gcm)"
      - network: "Networking (tokio, axum, reqwest, russh)"
      - storage: "Persistence (rocksdb)"
      - serialization: "Data formats (serde, bincode, nom)"
      - authentication: "Auth/JWT (jsonwebtoken)"
      - encryption: "At-rest encryption (age, rcgen)"
    audit_frequency:
      critical: quarterly
      high: annually
      medium: on_update
    supply_chain_mitigations:
      - cargo-deny for license/advisory checks
      - npm audit in CI
      - signed releases
      - reproducible builds

changelog:
  - version: 1.1.0
    date: 2026-01-16
    type: feature
    description: "Added S005 external dependencies security audit"
    breaking: false
  - version: 1.0.0
    date: 2026-01-07
    type: initial
    description: "Migrated from infra/machine/security.cspec"
    breaking: false