Skip to main content
Version: v0.9.0a2
Spec

Spec-10-Hardening

2 min readSpec contributor · Node operatorDraft · v0.9.0aN

What this spec defines

Baseline operational hardening requirements: transport security, key rotation posture, rate limits and quotas, and container runtime baseline.

Extraction status

This file contains the ADR-010 prose extraction for supported hardening expectations. Replay windows are owned by Spec-11-Replay-Protection; audit record shape is owned by Spec-09-Audit-Log.

Federation transport

Federation deployments SHOULD use mutually authenticated TLS. When mTLS is enabled, nodes MUST validate peer certificates against the configured trust policy and MUST reject peers whose certificate identity does not match the registered peer relationship.

Development deployments MAY use non-mTLS transport only when clearly configured as non-production.

Key rotation

Federation and manifest signing keys SHOULD support rotation without downtime. Rotation procedures MUST preserve a dual-trust period long enough for peers to refresh manifests and reject stale keys. Rotation events SHOULD be auditable and published through configured transparency-log evidence when available.

Quotas and rate limits

Nodes SHOULD enforce per-principal quotas for write-heavy and security-sensitive operations, including fact asserts, federation ingestion, token issuance, and admin exports.

Rate-limit responses SHOULD be explicit and machine-readable. Implementations SHOULD avoid revealing sensitive state in rate-limit errors.

Container baseline

Production container images SHOULD:

Run as non-root

A non-root user with minimal privileges.

Minimize installed packages

Avoid shells and build tooling in the production layer.

Read-only root filesystem

Where practical.

Declare health checks

Publish SBOM / provenance evidence

When supported by the release process.

Avoid embedded secrets

No runtime secrets in image layers.

Configuration boundaries

Production deployment templates SHOULD prefer the stricter setting.

Operators MAY relax some hardening settings in local development. Production templates SHOULD prefer the stricter setting and require explicit operator action to weaken it.

Out of scope

This spec does not define replay nonce windows, CID integrity, vulnerability reporting policy, or external infrastructure such as hosted transparency logs.