Phase 1 Sprint 1.1 - Service Bootstrapping

Objective

Bootstrap a private telemetry gateway service with strict service authentication and certificate pinning controls.

Deliverables

• Internal gateway service package under services/telemetry_gateway/.
• mTLS identity enforcement and cert fingerprint pinning.
• Mandatory Ed25519 signature verification for telemetry payloads.
• Anti-replay nonce guard and clock-skew checks.
• Private compose service with internal-only network (telemetry_private).
• Security regression test suite for gateway hardening controls.

Exit Criteria

• Gateway is not publicly exposed.
• Gateway rejects requests without valid pinned client certificate fingerprint.
• Gateway rejects unsigned or invalidly signed telemetry.
• Gateway rejects replay attempts.