Security architecture
fluxrig is engineered for the most hostile network environments (Zero Trust) and the most sensitive data workloads (e.g., PCI-DSS, HIPAA). Our security model relies on Signal Isolation and Sovereign Identity, ensuring that the integrity of the transactional hot-path is never compromised.
Signal isolation (Inbound Zero)
To protect the infrastructure from external threats, we implement a strict "Inbound Zero" policy for the management plane.
Invisible infrastructure
By moving all orchestration and management logic to an outbound-only tunnel, fluxrig removes standard vectors (SSH, HTTP, SNMP) as public entry points. This dramatically reduces the network attack surface, making the Rack effectively invisible to external scans.
- Snake Tunnel: All control signals (registry updates, orchestration) and telemetry travel via a persistent, outbound-only mTLS connection to the Mixer.
- Data Plane Isolation: The Rack only opens listening ports explicitly defined by its I/O Gears (e.g., a specific TCP socket for protocol ingestion). These ports are strictly isolated from the Rack internal administration and telemetry bus.
The Identity Registry (UCP)
The Identity Registry is the foundation of the Unified Control Plane. It maintains the definitive mapping of all Racks, Gears, and Wires in the cluster, ensuring that every signal is cryptographically tethered to a verified entity.
The Snake Tunnel (mTLS)
The Snake Tunnel is a Sovereign Handshake that enforces 100% mutual identity:
- Identity Minting: The Mixer functions as the Cluster CA, issuing short-lived, cryptographically-locked certificates to Racks.
- Mutual Authentication: Both the Rack and Mixer must provide valid Ed25519-backed credentials.
- Multiplexed Signaling: The Snake functions as a multiplexed pipe, allowing hundreds of independent logical streams to travel over a single physical connection without head-of-line blocking.
- Bypass Prevention: Any signal entering the Mixer without a valid, signed Snake certificate is rejected at the transport layer.
Sovereign identity (The Passport)
To ensure operational continuity during network partitions, fluxrig utilizes a Sovereign Identity model.
- The Passport (
state.flux): The Rack does not require a real-time connection to the Mixer to verify its own integrity. It holds a signed state bundle (The Passport) on-site. - Cluster Authority: The root of trust is the Cluster Authority Key. In v0.4.5-dev+e5eff62, this is a file-based Ed25519 keypair.
- Immutable Integrity: On boot, the Rack loads its Passport and verifies the internal configuration signature against the cluster public key.
- Safe Rollback: If a new configuration from the Mixer fails a signature check or causes a bootstrap error, the Rack automatically rolls back to the previous known-good state in its local storage.
Security roadmap: institutional hardening
To maintain 100% technical honesty and audit readiness, we distinguish between standard primitives available in v0.4.5-dev+e5eff62 and institutional features scheduled for v0.5.0+.
Deterministic masking (Planned v0.5.0+)
Unlike heuristic-based masking solutions, fluxrig intends to implement Deterministic Masking based on the absolute structure of the data:
- SDL Precision: Fields are tagged as
sensitivein the Spec Definition Language (SDL). - Edge Tokenization: The Rack identifies the sensitive value and swaps it for a transient session token.
- Auditable Hot-Path: Downstream gears and telemetry sinks only see the token, isolating clear-text data.
HSM and Cloud KMS integration (Planned v0.5.0+)
While v0.4.5-dev+e5eff62 uses secure file-based keys, the roadmap includes native integration with:
- Cloud KMS: AWS KMS and Google Cloud KMS for cluster authority root-of-trust.
- Hardware Security Modules (HSM): Support for PKCS#11 and HashiCorp Vault transit engines.
Secure execution sandboxing (Planned v0.5.0+)
- Wasm Logic Gears: Execution in a sandboxed runtime with no access to host syscalls or networks unless bridged via authorized I/O Gears.
- Resource Budgeting: Enforcement of CPU and memory limits per-Gear.
Security roadmap and compliance
| Feature Area | v0.4.5-dev+e5eff62 Status | Implementation Strategy |
|---|---|---|
| mTLS Tunnel | Available | Outbound Snake Tunnel (TLS 1.2+ Baseline). |
| Sovereign ID | Available | Signed State Envelopes (state.flux). |
| Field Masking | Planned | Deterministic PII scrubbers (v0.5.0+). |
| Cloud KMS | Planned | AWS/Google KMS integration for Authority keys. |
| Wasm Execution | Planned | Sandboxed execution runtime (v0.5.0+). |
| Audit Logging | Available | Local CBOR WAL + DuckDB Registry. |
| Binary Signing | Planned | Supply chain trust via Sigstore/Cosign. |
| SBOM Generation | Planned | Automated CycloneDX generation per release. |
IMPORTANT
Institutional Compliance: While fluxrig provides the primitives for PCI-DSS and SOC 2 compliance, organizations are responsible for their internal audits. We recommend signing your compiled binaries before production deployment to maintain supply chain integrity.