security.cspec
  1  # Security Framework
  2  # purpose: Threat model, security requirements, audit procedures
  3  # status: draft
  4  # updated: 2026-01-05
  5  
  6  # === THREAT MODEL ===
     # Lists the adversaries considered (actors) and the attacks in scope,
     # grouped by layer (attack_vectors).
  7  threat_model:
       # Each key names an adversary; the value describes the capability or
       # compromise assumed for it.
  8    actors:
  9      external_attacker: Unauthorized network access, exploit attempts
 10      malicious_validator: Colluding or byzantine validator nodes
 11      compromised_user: Stolen keys, phished credentials
 12      insider_threat: Rogue admin, supply chain compromise
 13  
       # Each entry reads `attack: controls` - the value lists the planned
       # mitigations (e.g. rate limiting for ddos), not a description of the
       # attack itself.
 14    attack_vectors:
 15      network:
 16        - ddos: Rate limiting, geographic distribution
           # NOTE(review): key_management.operational_keys.tls specifies
           # Let's Encrypt auto-renewal; confirm what is pinned (a CA or public
           # key rather than a leaf certificate) so pins survive renewal.
 17        - mitm: TLS 1.3 required, certificate pinning
 18        - eclipse: Minimum peer diversity requirements
 19      consensus:
           # NOTE(review): the key says 51_percent but the value states a BFT
           # quorum of 2/3+1. In BFT protocols the adversary thresholds of
           # interest are usually expressed relative to 1/3 of voting power -
           # confirm which threshold stake distribution monitoring alerts on.
 20        - 51_percent: BFT requires 2/3+1, stake distribution monitoring
 21        - long_range: Checkpointing, finality gadget
 22        - nothing_at_stake: Slashing conditions
 23      smart_contracts:
 24        - reentrancy: Checks-effects-interactions pattern
 25        - overflow: Safe math, bounded types
 26        - oracle_manipulation: TWAP, multi-source validation
 27      infrastructure:
 28        - ssh_bruteforce: Key-only auth, fail2ban
 29        - supply_chain: Reproducible builds, signed releases
 30        - secret_leak: Secrets management, rotation
 31  
 32  # === SECURITY REQUIREMENTS ===
     # Baseline controls for authentication, encryption, network exposure,
     # access control and logging. Values are free-text policy statements.
 33  requirements:
 34    authentication:
         # NOTE(review): HSMs are "recommended" here, while
         # key_management.validator_keys lists an air-gapped machine or HSM
         # for generation and a hardware wallet or HSM for storage - confirm
         # whether hardware-backed storage is mandatory.
 35      validator_keys: Ed25519, hardware security modules recommended
 36      admin_access: SSH key-only, 2FA for web interfaces
         # NOTE(review): "short expiry" has no concrete lifetime here; a
         # numeric bound would make this requirement auditable.
 37      api_auth: JWT with short expiry, refresh token rotation
 38  
 39    encryption:
 40      in_transit: TLS 1.3 minimum, HTTP/2
 41      at_rest: LUKS for sensitive volumes
         # NOTE(review): the wording is ambiguous - it can be read as "never in
         # git, environment variables or a secrets manager". Presumably the
         # intent is "never commit keys to git; supply them via environment
         # variables or a secrets manager" (compare
         # key_management.secrets_storage) - confirm and reword.
 42      keys: Never in git, environment variables or secrets manager
 43  
 44    network:
 45      firewall:
 46        ingress: Explicit allow-list only
 47        egress: Restrict to required destinations
 48      ports:
           # NOTE(review): free text follows the closing bracket of the flow
           # sequence; a strict YAML parser rejects this line. Confirm the
           # .cspec consumer accepts it, or quote the whole value.
 49        public: [80, 443] (via Caddy only)
           # The labels presumably refer to the alphavm / deltavm components
           # named in audit.code_audit.scope - TODO confirm. The ingress
           # allow-list above has to cover these ports as well.
 50        validator_p2p: 4130 (alpha), 4131 (delta)
 51        internal: VPC only
 52  
 53    access_control:
 54      principle: Least privilege
 55      admin_users: Named accounts, no shared credentials
 56      service_accounts: Scoped permissions, rotate quarterly
 57  
 58    logging:
 59      retention: 90 days minimum
 60      sensitive_data: Never log keys, passwords, PII
         # Append-only storage plus forwarding to a SIEM keeps a copy of the
         # logs outside the host that produced them.
 61      integrity: Append-only, forward to SIEM
 62  
 63  # === AUDIT REQUIREMENTS ===
     # Recurring assurance activities: third-party code audit, penetration
     # testing and dependency scanning, each with a scope and a cadence.
 64  audit:
 65    code_audit:
         # Components in scope for the external audit.
 66      scope: [alphavm, deltavm, adnet, acdc-core]
 67      frequency: Before mainnet, annually after
 68      type: Professional third-party audit
 69      critical_areas:
 70        - consensus_logic
 71        - cryptographic_implementations
 72        - cross_chain_messaging
 73        - token_economics
 74  
 75    penetration_testing:
 76      frequency: Quarterly
 77      scope: All public endpoints, validator nodes
 78  
 79    dependency_audit:
         # cargo audit checks Rust dependencies against the RustSec advisory
         # database.
 80      tool: cargo audit
 81      frequency: Weekly CI, before releases
         # NOTE(review): confirm how the CRITICAL threshold is derived from the
         # tool's output and what happens to lower-severity or unscored
         # advisories (tracked with a deadline, or ignored).
 82      action: Block release on CRITICAL CVEs
 83  
 84  # === VULNERABILITY DISCLOSURE ===
     # How external reporters reach the team and the response times committed
     # to them.
 85  vulnerability_disclosure:
 86    policy: Responsible disclosure
 87    contact: security@ac-dc.network
       # Placeholder - no key or fingerprint is given on this page yet.
 88    pgp_key: (to be published)
       # Durations are written as <number>h (hours) or <number>d (days).
       # NOTE(review): confirm how these relate to incident_severity, where
       # P0_critical calls for an immediate response.
 89    response_sla:
 90      acknowledgment: 24h
 91      triage: 72h
 92      critical_patch: 7d
 93    bounty_program: Planned for mainnet
 94  
 95  # === KEY MANAGEMENT ===
     # Lifecycle rules for validator keys, operational keys (SSH, TLS, API
     # secrets) and where secrets are stored per environment.
 96  key_management:
 97    validator_keys:
 98      generation: Air-gapped machine or HSM
 99      storage: Hardware wallet or HSM
100      backup: Encrypted, geographically distributed
         # NOTE(review): rotation happens only on compromise, so the emergency
         # rotation and revocation procedure is the only rotation path; it is
         # not described in this file - confirm where it is documented and
         # that it is exercised.
101      rotation: Not routine (only on compromise)
102  
103    operational_keys:
104      ssh: Generate per-machine, revoke on decommission
105      tls: Let's Encrypt auto-renewal via Caddy
         # Same quarterly cadence as requirements.access_control.service_accounts.
106      api_secrets: Rotate quarterly, on personnel change
107  
108    secrets_storage:
109      production: HashiCorp Vault (recommended)
         # The .env files are kept out of version control via .gitignore.
110      development: Environment variables, .env files (gitignored)
111  
112  # === INCIDENT CLASSIFICATION ===
     # Four severity levels, P0 (most severe) to P3, each with example
     # incidents and a response target.
113  incident_severity:
114    P0_critical:
115      examples: [active_exploit, key_compromise, consensus_failure]
116      response: Immediate, all-hands
117      notification: Within 1 hour
118    P1_high:
119      examples: [vulnerability_discovered, service_degradation]
120      response: Same business day
121      notification: Within 4 hours
       # NOTE(review): P2_medium and P3_low define no `notification` value,
       # unlike P0 and P1 - confirm whether that means no notification is
       # required or the field was left out.
122    P2_medium:
123      examples: [suspicious_activity, policy_violation]
124      response: Within 48 hours
125    P3_low:
126      examples: [minor_misconfiguration, documentation_gap]
127      response: Next sprint
128  
129  # === HARDENING CHECKLIST ===
     # Per-area checklists for servers, applications and CI/CD. Items use the
     # Markdown task-list form `- [ ]`; every item on this page is unchecked.
     # NOTE(review): a strict YAML parser does not accept text after the
     # closing bracket of `[ ]` - confirm the .cspec consumer treats these
     # lines as checklist items.
130  hardening:
131    servers:
132      - [ ] SSH key-only authentication
133      - [ ] Fail2ban installed and configured
134      - [ ] Automatic security updates enabled
135      - [ ] UFW/iptables firewall enabled
136      - [ ] Non-root service accounts
137      - [ ] Audit logging enabled
138  
139    applications:
140      - [ ] Debug mode disabled in production
141      - [ ] Error messages don't leak internals
142      - [ ] Rate limiting on all endpoints
143      - [ ] Input validation on all user data
144      - [ ] CORS properly configured
145  
146    ci_cd:
147      - [ ] Secrets never in logs
148      - [ ] Build reproducibility verified
149      - [ ] Dependency scanning enabled
150      - [ ] Signed commits required for releases