Full Federation Integration
Trust Model
- Explicit trust anchors: certificate pin map + Ed25519 public keys.
- No shared symmetric feedback secrets.
- Tenant mapping is mandatory before persistence.
Threat Model
- Signature forgery
- Payload tampering
- Replay attacks
- Cross-tenant spoofing
- Redirect abuse and downgrade attempts
Cryptographic Flows
- SpectraStrike signs payloads with Ed25519.
- Gateway verifies signatures and anti-replay constraints.
- Gateway signs feedback response with active Ed25519 feedback key.
- SpectraStrike verifies response by
kidkeyring.
mTLS Handshake Flow
- Client cert required.
- Service identity asserted by header.
- Cert fingerprint must match identity allowlist.
- Violations fail with
401.
Signing Flow
- Ingress signing input:
timestamp.nonce.raw_body. - Feedback signing input:
tenant|signed_at|nonce|schema|kid|canonical_data. - Signature algorithm:
Ed25519.
Attestation Propagation
attestation_measurement_hash is validated and preserved through ingest, cognitive graph records, feedback adjustments, and policy decision input.
Policy Engine Binding
Feedback adjustments bind to execution fingerprints and attestation hashes. Unverified adjustments are not applied.
Replay Protection Model
- Timestamp skew checks
- Nonce one-time registration with TTL
- Repeat nonce is hard-failed
Failure Modes
- Invalid signature: reject
- Unknown key id (
kid): reject - Schema mismatch: reject
- Mapping violation: reject
- Replay nonce: reject
Audit Logging Model
- Accept/reject events include request id and reason.
- Cognitive graph and feedback issuance events are recorded.
- Host smoke logs are persisted under SpectraStrike audit path.
Production Deployment Considerations
- Use HSM/Vault-backed key management.
- Rotate mTLS and Ed25519 keys on schedule.
- Separate signing domains per tenant for high-scale deployments.
- Mirror audit logs into immutable external storage.