Phase 1 Sprint 1.1 - Secure Telemetry Gateway

Threat Model

• Asset: inbound telemetry stream integrity and service-to-service trust boundary.
• Trust boundary: private telemetry gateway network and authenticated ingest endpoint.
• Adversary: forged service client, replay actor, unauthorized internal caller.

Attack Vectors Considered

• Unauthenticated telemetry POST calls.
• Caller identity spoofing without mTLS client certificate.
• Certificate substitution attack against expected producer identity.
• Unsigned payload submission and signature forgery.
• Nonce replay with reused signed requests.

Mitigations Implemented

• New internal-only gateway service: services.telemetry_gateway.main.
• Mandatory mTLS identity header gate (X-Client-Cert-Sha256).
• Certificate pinning against trusted service identity certificate fingerprints.
• Mandatory Ed25519 payload signature validation via pinned public key (VV_TG_SPECTRASTRIKE_ED25519_PUBKEY).
• Strict timestamp skew validation (default 30s).
• Nonce replay guard with TTL enforcement.
• Runtime returns fail-closed responses for missing/invalid security controls.

Residual Risk

• Current replay cache is in-memory and not shared across instances.
• mTLS signal is represented by trusted header contract from upstream TLS terminator.

Future Improvements

• Move replay cache to Redis for multi-instance consistency.
• Bind gateway ingress to dedicated mTLS reverse proxy with direct certificate extraction.
• Add hardware-backed key lifecycle management for producer signing keys.