Arxi Decision Gate Asset Core
Docs
Arxi Docs

Proof recording and tamper-evident evidence documentation.

Other product docs

Arxi Threat Model

Overview

Arxi is the deterministic evidence data plane for governance systems. It ingests unsealed boundary events, seals them into hash-chained envelopes, persists them in append-only segments, and exports verifiable bundles for offline checks.

Arxi is composed of:

  • Core contracts (arxi-core): identity, hash/signature abstractions, filter/cursor types, error algebra.
  • Envelope model (arxi-envelope): canonical encoding, envelope/segment/bundle types, verification result algebra.
  • Decision Gate integration adapter (arxi-decision-gate-adapter): deterministic MCP/runpack transcript mapping, runpack integrity policy, and transcript redaction/bounds policy enforcement.
  • Recorder runtime (arxi-recorder): ingest validation, segment lifecycle, bundle builder, offline verifier, provider/adapter implementations.
  • Storage backends (arxi-store): SQLite and in-memory implementations of envelope, attachment, and segment stores.
  • Sidecar config authority (arxi-sidecar-config): canonical sidecar config model, fail-closed validation, and deterministic config projection artifacts (schema/compat/example/docs) consumed by contract generation and CI gates.
  • Sidecar service surface (arxi-sidecar): HTTP/JSON runtime exposing recorder/query/bundle/config workflows over Unix/TCP with auth/bounds/ idempotency controls.
  • CLI surface (arxi-cli): local operator commands for record/query/bundle/ config/doctor workflows plus Decision Gate fixture ingest.

Arxi now supports both local-process workflows and a built-in sidecar HTTP service boundary. External wrappers (for example MCP bridges or API gateways) remain in-scope as hostile boundaries.

Security Goals

  • Deterministic, reproducible envelope and bundle integrity outcomes.
  • Tamper-evident append-only history with chain continuity enforcement.
  • Fail-closed behavior on malformed, missing, ambiguous, or unverifiable data.
  • Offline-verifiable bundle portability without trusted live dependencies.
  • Clear trust boundaries between adapters, recorder runtime, stores, and consumers.
  • Bounded input/resource exposure at operator entry points.
  • Strong adversary posture: designs must remain defensible against compromised insiders and nation-state-capable operators.

Non-Goals / Out of Scope

  • Confidentiality guarantees after evidence is disclosed to downstream systems.
  • Defense against full host/kernel compromise without external platform controls.
  • Key custody/HSM/remote attestation infrastructure (beyond current local key usage hooks).
  • Built-in transport security for remote deployment wrappers (mTLS/authn/authz are deployment responsibilities today).
  • Non-repudiation signing of bundle archives at rest (external signing/WORM is required).

Assets

  • Unsealed and sealed envelope data (event type, actor, environment, payload, time, correlation IDs).
  • Envelope integrity material (content_hash, chain_hash, sequence position, segment linkage).
  • Segment metadata (SegmentGenesis, predecessor linkage, seal records).
  • Attachment bytes and content hashes.
  • Bundle contents (segments, envelopes, attachments, proof anchors).
  • Verification manifests and verdict artifacts.
  • Recorder runtime configuration (recorder_id, schema version, auto-seal, startup verification depth).
  • SQLite store file and in-memory state.
  • Signing key material and derived key IDs when signers are configured.
  • Persisted signer-rotation state (store_meta keys for current key, epoch, and last rotation event marker).
  • Generated contract artifacts under Docs/generated/arxi/** and manifest authority Docs/generated/arxi/index.json, including sidecar API artifacts (Docs/generated/arxi/apis/sidecar.*) and sidecar config artifacts (Docs/generated/arxi/config/sidecar.*).
  • CLI artifacts (selector JSON, payload JSON, attachment file/inline payloads, Decision Gate fixture JSON, config JSON, bundle JSON).
  • Container deployment artifacts and runtime bind mounts (Dockerfile image outputs, compose/env definitions, mounted sidecar config/token/data/run paths).

Adversary Model

  • Nation-state adversaries with full code visibility and long-term persistence.
  • Untrusted adapters/clients submitting malicious envelopes or attachments.
  • Compromised insiders with write access to config, binaries, or storage.
  • Attackers tampering with on-disk SQLite data, bundle files, or exported artifacts.
  • Attackers attempting replay, chain forking, payload mutation, or attachment substitution.
  • Attackers inducing resource exhaustion via oversized or expensive inputs.
  • Malicious integrators exposing Arxi via remote transports without sufficient access controls.

Trust Boundaries

  • Adapter ingest boundary: UnsealedEnvelope and attachment data are untrusted.
  • CLI/operator boundary: all command-line values and JSON files are untrusted.
  • Runtime config boundary: config file contents and store path are untrusted.
  • Sidecar HTTP boundary: request line, headers, auth token, JSON body, and transport metadata are untrusted.
  • Storage boundary: persisted rows/blobs are untrusted on read.
  • Bundle boundary: imported bundle JSON is untrusted before verification.
  • Evidence provider boundary: consumer calls to list/fetch/verify/query are untrusted requests.
  • Decision Gate adapter boundary: Decision Gate transcript/runpack fixture payloads are untrusted and must pass mapping/integrity checks before ingest.
  • Signing boundary: signer/verifier integrations and key management are external trust dependencies.
  • Contract generation boundary: generated projection artifacts are untrusted until hash-verified against canonical index manifest.
  • External wrapper boundary: any network-facing bridge is outside this repo and must enforce authn/authz and transport protections.
  • Container-orchestration boundary: compose/env/runtime mount definitions and host filesystem ownership/permission models are untrusted deployment inputs and must satisfy sidecar token/config hardening constraints.

Entry Points and Attack Surfaces

  • CLI commands: recorder segment open|seal|status|list, recorder signer rotate, recorder envelope record|record-with-attachments, query envelopes, bundle build|verify|inspect, contract generate|check, decision-gate ingest-fixture, config validate, doctor.
  • Sidecar commands: arxi-sidecar --config <path>, arxi-sidecar healthcheck --url <url>, arxi-sidecar healthcheck --unix-socket <path> --path <path>.
  • Sidecar HTTP routes: GET /health, GET /startup, GET /ready, POST /v1/segments, POST /v1/segments/seal, GET /v1/segments, GET /v1/segments/active, POST /v1/envelopes, POST /v1/envelopes/with-attachments, POST /v1/query/envelopes, POST /v1/bundles/build|verify|inspect, GET /v1/config.
  • File inputs: runtime config JSON/TOML, payload JSON/file, attachment file/inline base64, Decision Gate fixture JSON, selector JSON, bundle JSON.
  • Container deployment inputs: docker/sidecar/Dockerfile, docker/sidecar/docker-compose.yml, docker/sidecar/.env, mounted sidecar.toml, mounted token file, and bind-mounted data/run directories.
  • Library APIs: RecorderAdapter::emit_envelope, RecorderAdapter::emit_with_attachments, DecisionGateAdapter::ingest_fixture, RecorderEngine::open_segment|record_envelope|seal_segment, EvidenceProvider::list_bundles|fetch_bundle|verify_bundle|query_envelopes.
  • Storage entry points: SQLite DB creation/open, SQL row materialization, attachment fetch, genesis decode.
  • Bundle verification pipeline: manifest validation, attachment hash checks, content/chain checks, cross-segment checks, signature phase.

Security Controls and Invariants

  • Canonical JCS encoding for deterministic hash inputs (serde_jcs).
  • Envelope content hash and chain hash formulas are explicit and stable.
  • Segment genesis anchors first-envelope chain computation.
  • Hash equality uses constant-time comparison in core/verifier/store paths.
  • Adapter/validation layer enforces fail-closed checks before recording.
  • Envelope builder enforces required fields, UTC times, deterministic attachment ref order.
  • Envelope attachment and segment-genesis constructors reject empty, blank, and control-character-bearing content_type and recorder_id inputs.
  • Recorder config validation fail-closes malformed recorder_id values at engine startup (ActorId-compatible identity shape required).
  • Core identity constructors reject blank/whitespace-only and control-character string inputs; key_id is enforced as exact lowercase hex(SHA-256(public_key_bytes)) shape (64 chars).
  • Core identity constructors enforce explicit max lengths: trace_id/session_id/actor_id/environment_id <= 256 chars, event_type/adapter_id <= 128 chars.
  • String-backed identity serde paths are constructor-validated; hostile JSON cannot bypass identifier invariants at deserialize boundaries.
  • Store append enforces open-segment and chain-continuity invariants.
  • Store segment creation enforces single-open-segment and duplicate-segment-ID fail-closed checks.
  • Store query/existence paths fail closed on storage-layer query errors instead of defaulting to permissive existence outcomes.
  • SQLite append path is transaction-scoped for atomic metadata/data updates.
  • SQLite enables WAL and foreign keys during schema initialization.
  • Bundle builder uses deterministic ordering (BTreeMap/BTreeSet) and tracks omitted parents/proof anchors.
  • Verifier executes 7 phases with trust-root-aware signature verification; it marks signature-skip only when no trust root is configured.
  • Verifier phase 1 fail-closes on manifest structural tampering (segment entry mismatches and attachment-manifest mismatches), not only version/algorithm mismatches.
  • Verifier enforces bounded-work policy before phase execution: max segments 4096, max envelopes per segment 100000, max envelopes total 200000, max attachments total 200000, max attachment refs per envelope 4096.
  • Recorder startup verification re-checks active segment read-back integrity for configured depth windows (startup_verification_depth).
  • Evidence provider enforces stable bundle IDs and true fetch-by-ID semantics for sealed segments.
  • Evidence provider enforces bounded query/materialization policy: max list_bundles and query_envelopes limit 10000, max per-segment envelope materialization 200000.
  • CLI enforces bounded file-read limits: config 1 MiB, payload 4 MiB, selector 1 MiB, bundle 32 MiB, trust root 1 MiB, attachment file/inline payload 16 MiB, Decision Gate fixture 8 MiB, signer key 64 KiB, signer passphrase material 1 KiB.
  • CLI query enforces bounded page policy: default page size 1000, max page size 10000, and deterministic cursor-based continuation contract in JSON mode.
  • CLI runtime resolution validates recorder_id using ActorId constructor semantics before command execution, including config validate parity with recorder config validation behavior.
  • CLI signer loading is profile-aware (secure default) and fail-closed on encrypted-key requirements, malformed key material, insecure opt-down misuse, and key-state mismatch in secure mode.
  • Explicit key-rotation workflow emits deterministic lifecycle events (system.adapter.key_rotated / break-glass variant) and persists idempotence markers in SQLite metadata.
  • Contract generation emits deterministic projection artifacts with manifest-hash authority and strict drift-check mode.
  • Contract generation/check fail closed on unsafe output-root filesystem entries, including symlinked roots or symlink traversal beneath the output tree.
  • Contract schema generation applies explicit runtime constraint overlays for identifier/text/hash/signature fields (including full BundleSelector variant algebra) and fails closed if expected schema pointer paths are missing.
  • Contract generation now emits sidecar API artifacts (sidecar.openapi/errors/enums/examples/compat) and generated manifest authority includes those paths.
  • Sidecar compatibility gates fail closed in CI by validating additive-only /v1 policy, enum-wire stability, error-code registry stability, and mutating-endpoint idempotency contract enforcement from generated artifacts.
  • Sidecar config validation fail-closes invalid protocol/security settings (schema/API version, transport host/port, non-loopback token requirement, signer key parseability, hard header-size cap, and numeric limit bounds) before binding listeners.
  • Sidecar middleware stack enforces server/client correlation ID handling (x-server-correlation-id, x-correlation-id, legacy x-request-id), protocol-level content-type/accept checks, aggregate header byte bounds, declared content-length bounds, bounded queue admission and in-flight concurrency, and per-request timeout fail-closed behavior.
  • Sidecar token auth compares bearer tokens in constant time and bypasses auth only for explicit probe routes (/health, /startup, /ready) or open mode.
  • Sidecar probe/readiness controls are explicit and fail closed: /health remains lightweight process liveness, /startup reports startup completion state, and /ready can enforce storage-only or storage+enterprise dependency readiness (probes.readiness_mode) with optional capacity-exhaustion fail-closed behavior (probes.ready_fail_on_admission_saturation).
  • Sidecar bounds middleware explicitly bypasses probe routes so orchestrator liveness/startup/readiness signals are observable even under admission saturation and active-request exhaustion.
  • Sidecar auth failures emit RFC 6750 WWW-Authenticate challenge metadata and sidecar errors use RFC 9457 Problem Details (application/problem+json).
  • Sidecar container packaging defaults to distroless nonroot runtime and compose profiles that require explicit UID/GID mapping and mounted hardened token/config/data paths.
  • Sidecar mutating operations enforce persistent idempotency replay/conflict semantics with store_meta-backed TTL/cap retention and deterministic request-hash scoping.
  • SQLite operation dispatch uses bounded queueing (sync_channel) with deterministic fail-closed rejection when queue capacity (4096) is saturated.
  • System tests validate tamper detection and fail-closed oversized-input behavior.
  • System tests validate external adapter-ingest coupling using OpenClaw mock event streams, including signed/unsigned verification and sequence-gap strict fail-closed vs anomaly-recording policies.
  • OpenClaw integration mapping applies deterministic sensitive-field redaction and bounded payload handling (string and JSON size limits) before immutable evidence recording.
  • System tests validate external control-plane coupling using Decision Gate MCP runpack flow fixtures, including signed/unsigned verification and runpack integrity strict fail-closed vs anomaly-recording policies, including manifest self-integrity recomputation from declared file hashes.
  • System tests validate sidecar subprocess lifecycle over real HTTP and fail-closed idempotency replay/conflict persistence across restart boundaries.
  • Decision Gate integration mapping applies deterministic transcript-field redaction and bounded payload handling (string and JSON size limits) before immutable evidence recording.
  • Production arxi-decision-gate-adapter enforces mapping-contract version checks, deterministic event IDs/timestamps, transcript redaction, bounded payload metadata, and strict-vs-anomaly runpack integrity handling.

Known current security-relevant gaps:

  • Sidecar does not include built-in TLS/mTLS; non-loopback deployments should terminate TLS and enforce client identity in a hardened front proxy/gateway.
  • Sidecar provides bounded local admission controls but not distributed/global rate limiting; deployment platforms still need caller quotas and abuse controls.

Threats and Mitigations

Authentication, Authorization, and Access Control

  • Threat: unauthorized local or remote invocation of recording/query/bundle paths.
  • Mitigation: sidecar supports explicit token mode with constant-time bearer token checks, RFC 6750 WWW-Authenticate challenge responses, and fail-closed auth misconfiguration handling; CLI remains local process invocation.
  • Residual risk: open sidecar mode is deployment-sensitive and should only be used in trusted local IPC environments; non-loopback network deployments still require gateway-layer identity and transport controls.

Input Validation and Parsing

  • Threat: malformed IDs, non-UTC times, invalid event types, malformed JSON, or ambiguous payloads.
  • Mitigation: typed ID constructors, UTC enforcement, strict event-type validation, strict key-id hex shape validation, fail-closed envelope validation, strict attachment/segment text-field validation (content_type, recorder_id), strict recorder config recorder_id validation, typed JSON parsing.
  • Mitigation: bounded file reads prevent oversized JSON ingestion at CLI boundary, including trust-root and signer-key inputs.

Evidence Integrity and Authenticity

  • Threat: payload mutation, chain forking, attachment substitution, or replayed envelopes.
  • Mitigation: canonical-hash content addressing + chain continuity checks at append and verify time.
  • Mitigation: verifier phase 1 enforces structural manifest integrity against bundle segment and attachment materialization.
  • Mitigation: strict Ed25519 verification and trust-root policy enforcement are wired in verifier phase 6.
  • Mitigation: secure-profile signer loading requires encrypted PKCS#8 key material by default and explicit opt-down for less secure dev ergonomics.
  • Mitigation: explicit key-rotation events and persisted idempotence markers preserve signing lineage continuity and crash-recovery reconciliation.
  • Residual risk: authenticity remains configuration-dependent when operators choose to verify without a trust root (explicit warning emitted).

Disclosure and Data Exposure

  • Threat: accidental over-disclosure through bundle exports and query results.
  • Mitigation: explicit operator-driven export/query commands and typed filters.
  • Residual risk: no built-in field-level redaction policy in Arxi core; wrapper layers must enforce disclosure policy.

Storage and Bundle Integrity

  • Threat: DB/file tampering, corruption, or partial writes.
  • Mitigation: SQLite WAL, transactional append, chain validation, corruption detection when parsing invalid stored rows.
  • Mitigation: bundle verification recomputes attachment/content/chain links and flags integrity failures.
  • Residual risk: bundle archives are not signed by default; use external signature and immutable storage controls for non-repudiation.

Availability and Resource Exhaustion

  • Threat: oversized config/payload/selector/bundle inputs and expensive verification workloads.
  • Mitigation: CLI hard limits on file reads; fail-closed rejection before parse.
  • Mitigation: typed errors and early rejection on invalid selectors/filters.
  • Mitigation: recorder verifier/provider APIs enforce bounded-work limits and fail closed on oversized in-memory workloads.
  • Mitigation: sidecar middleware enforces bounded header/body/content-length limits, bounded queue + active concurrency, and timeout fail-closed behavior.
  • Mitigation: SQLite operation dispatch is bounded; enqueue saturation fails closed instead of allowing unbounded memory growth.
  • Residual risk: no distributed/global rate limiter exists for sidecar or wrapper-exposed deployments; operators still need caller quotas and abuse controls.

Supply Chain and Execution Environment

  • Threat: compromised binaries/config/runtime host or malicious dependency behavior.
  • Mitigation: strict lint/no-panic posture, typed errors, deterministic contracts, and explicit architecture boundaries.
  • Residual risk: host compromise and dependency compromise require external controls (SBOM/audit/signing/hardening).

Multi-Tenant and Isolation

  • Threat: cross-tenant data exposure in shared deployments.
  • Mitigation: Arxi IDs are labels; no implicit tenant isolation claims.
  • Residual risk: shared deployments must enforce tenant-aware storage, encryption, and access control at wrapper/deployment layers.

Auditability and Observability

  • Threat: inability to prove what happened after suspected tampering.
  • Mitigation: append-only segment model, deterministic hashes, bundle manifests, offline verifier, and artifact-first system tests.
  • Residual risk: comprehensive security audit logging for remote auth decisions is wrapper-dependent.

Implementation References (Controls and Protections)

Core and Envelope Integrity

  • Canonical encoding and hash formulas: crates/arxi-envelope/src/encoding.rs.
  • Hash types, algorithm registry, constant-time equality: crates/arxi-core/src/hash.rs.
  • Identity and input-shape validation contracts: crates/arxi-core/src/identity.rs, crates/arxi-core/src/filter.rs.
  • Signature contracts and key identity model: crates/arxi-core/src/signature.rs, crates/arxi-envelope/src/signer.rs, crates/arxi-envelope/src/signature.rs.
  • Envelope/segment invariants: crates/arxi-envelope/src/envelope.rs, crates/arxi-envelope/src/segment.rs, crates/arxi-envelope/src/attachment.rs.

Recorder Runtime and Verification

  • Recorder lifecycle, chain progression, seal behavior: crates/arxi-recorder/src/engine.rs.
  • Auto-seal policy validation: crates/arxi-recorder/src/config.rs.
  • Adapter boundary validation: crates/arxi-recorder/src/validation.rs, crates/arxi-recorder/src/local_adapter.rs.
  • Deterministic bundle assembly and proof anchors: crates/arxi-recorder/src/bundle_builder.rs.
  • 7-phase verification pipeline and warning model: crates/arxi-recorder/src/verifier.rs.
  • Evidence provider boundary behavior: crates/arxi-recorder/src/evidence_provider.rs.

Integration Adapters

  • Decision Gate adapter ingestion, deterministic mapping, and fail-closed integrity-policy enforcement: crates/arxi-decision-gate-adapter/src/adapter.rs.
  • Decision Gate mapping and redaction/bounds policy defaults: crates/arxi-decision-gate-adapter/src/policy.rs.
  • Decision Gate fixture input contract: crates/arxi-decision-gate-adapter/src/model.rs.
  • Decision Gate adapter typed error algebra: crates/arxi-decision-gate-adapter/src/error.rs.

Storage

  • Storage contracts and invariants: crates/arxi-store/src/traits.rs, crates/arxi-store/src/error.rs.
  • In-memory backend behavior: crates/arxi-store/src/memory.rs.
  • SQLite initialization, WAL, FK, connection thread model: crates/arxi-store/src/sqlite/schema.rs, crates/arxi-store/src/sqlite/connection.rs, crates/arxi-store/src/sqlite/mod.rs.
  • SQLite envelope/segment/attachment operations: crates/arxi-store/src/sqlite/envelope_ops.rs, crates/arxi-store/src/sqlite/segment_ops.rs, crates/arxi-store/src/sqlite/attachment_ops.rs.

CLI and Validation Surface

  • Command routing and runtime resolution: crates/arxi-cli/src/main.rs.
  • Input hard limits and bounded file reads: crates/arxi-cli/src/main.rs.
  • Localization and deterministic output behavior: crates/arxi-cli/src/i18n.rs.
  • Contract artifact generation and drift checks: crates/arxi-contract/src/lib.rs, crates/arxi-contract/src/sidecar_api.rs, crates/arxi-contract/src/sidecar_api/openapi.rs, crates/arxi-contract/src/sidecar_api/artifacts.rs, crates/arxi-contract/src/sidecar_api/specs/mod.rs, scripts/ci/generate_all.sh.
  • Sidecar contract compatibility and optional release SLO gates: scripts/ci/sidecar_contract_gates.py, scripts/ci/sidecar_perf_gate.py.

Sidecar Service Boundary

  • Sidecar bootstrap/config and transport lifecycle: crates/arxi-sidecar-config/src/config.rs, crates/arxi-sidecar-config/src/validation.rs, crates/arxi-sidecar-config/src/validation/enterprise.rs, crates/arxi-sidecar/src/server.rs, crates/arxi-sidecar/src/shutdown.rs.
  • Sidecar auth and request-bound controls: crates/arxi-sidecar/src/middleware/auth.rs, crates/arxi-sidecar/src/middleware/bounds.rs, crates/arxi-sidecar/src/middleware/request_id.rs.
  • Sidecar idempotency and error contract: crates/arxi-sidecar/src/idempotency.rs, crates/arxi-sidecar/src/error.rs, crates/arxi-sidecar/src/contract.rs.
  • Sidecar contract conformance integration tests: crates/arxi-sidecar/tests/error_registry_contract.rs, crates/arxi-sidecar/tests/idempotency_restart.rs.
  • Sidecar container packaging and operator profile: docker/sidecar/Dockerfile, docker/sidecar/docker-compose.yml, docker/sidecar/config/sidecar.toml.

System Validation

  • Security/system tests: system-tests/tests/suites/security.rs, system-tests/tests/suites/bundle.rs, system-tests/tests/suites/persistence.rs, system-tests/tests/suites/recorder.rs, system-tests/tests/suites/sidecar.rs.
  • Docker packaging and compose-lifecycle validation: system-tests/tests/suites/sidecar_docker.rs, system-tests/tests/helpers/docker.rs.
  • Registry-driven validation contract: system-tests/AGENTS.md, system-tests/test_registry.toml.

Operational Requirements

  • Treat all deployments as hostile environments; assume compromised insiders and nation-state-capable adversaries.
  • Restrict filesystem access to store/config/bundle paths using least-privilege OS ACLs.
  • Use signed releases, dependency auditing, and host hardening for production nodes.
  • If exposing Arxi sidecar or wrapper APIs over non-loopback networks, enforce strong authn/authz, mTLS/TLS termination, and command allowlists.
  • For containerized sidecar deployments, run non-root, keep token mounts owner-only (0600 on Unix), and map host UID/GID explicitly so hardened token checks and writable data paths remain deterministic.
  • Keep CLI input limits enabled; tighten wrapper-level limits where possible.
  • Do not treat unsigned bundles as non-repudiable artifacts; apply external signing and immutable retention controls.
  • Segment tenants into isolated stores/processes unless explicit shared-tenancy controls are implemented.
  • Monitor verifier warnings (especially signature-skip and partial-segment warnings) as policy-significant outcomes.

Failure Posture

  • Fail closed on invalid or ambiguous inputs.
  • Reject appends that violate segment state or chain continuity.
  • Reject malformed config/filter/time-range definitions.
  • Mark tampered bundles as Invalid or fail verification with typed errors on manifest/infrastructure mismatches.
  • Never assume trust in persisted state without integrity re-checks.

Threat Model Delta (2026-02-08, OSS Baseline + Docker)

  • Initial Arxi repository threat model baseline added under Docs/security/threat_model.md.
  • Mapped trust boundaries, controls, and residual risks to concrete current implementation files.
  • Closed signer/runtime wiring gap with profile-aware secure defaults, bounded signer input limits, and fail-closed key-material handling.
  • Added explicit signer-rotation workflow with deterministic lifecycle events and persisted idempotence metadata.
  • Added deterministic contract-generation boundary (arxi-contract) with manifest-hash authority and drift-check controls.
  • Hardened arxi-contract output-root handling to reject symlinked roots and symlink traversal under generated artifact trees in both generate and check modes.
  • Added first-party sidecar container deployment boundary: Dockerfile/Compose/config artifacts are now explicit attack surfaces and deployment trust boundaries.
  • Added system-test Docker coverage for sidecar packaging hardening and Docker Compose lifecycle open/record/query validation.
  • Closed tracked P1 system-test security-relevant coverage gaps for selector dedup, proof-anchor semantics, cross-segment mismatch fail-closed behavior, attachment closure fail-closed behavior, and SQLite/in-memory parity.
  • Hardened arxi-core identifier validation to reject whitespace-only and control-character string identifiers and require strict 64-char lowercase hex key_id values.
  • Hardened deserialize boundaries so constrained identifier and envelope text fields cannot be instantiated from serde payloads without constructor checks.
  • Hardened arxi-recorder config and verifier boundaries: recorder startup rejects malformed recorder_id values during config validation, phase-1 verification fail-closes on manifest structural mismatches, and verifier now enforces explicit bounded-work ceilings.
  • Hardened arxi-recorder evidence-provider library boundaries with explicit fail-closed limits for list/query/materialization workloads.
  • Hardened arxi-store SQLite connection dispatch with bounded queue capacity and deterministic saturation rejection semantics.
  • Added system-test coverage for malformed identifiers, bounded CLI file input surfaces, secure signer-file policy, signer-rotation recovery/corruption behavior, contract CLI symlink safety, manifest structural tamper cases, SQLite corruption materialization failures, and single-open-segment CLI enforcement.
  • Closed all findings tracked in Docs/security/audits/OSS_launch_0.md.
  • Implemented arxi-sidecar as a built-in HTTP/JSON boundary with fail-closed config validation, request auth/bounds controls, bounded queue/concurrency controls, structured error contract, and persistent idempotency semantics; updated trust boundaries, attack surfaces, mitigations, and residual risks to reflect this runtime surface.
  • Implemented generated sidecar API artifact coverage (sidecar.openapi/errors/enums/examples/compat) with fail-closed CI compatibility gates enforcing additive-only /v1, enum-wire stability, error-code registry stability, and mutating-endpoint idempotency contracts.
  • Consolidated sidecar runtime config semantics into a dedicated arxi-sidecar-config crate and wired sidecar runtime startup to consume its typed fail-closed config validation boundary.
  • Expanded generated contract scope to include sidecar config artifacts (config/sidecar.schema.json, config/sidecar.compat.json, config/sidecar.example.toml, config/sidecar.md) emitted by arxi-contract from arxi-sidecar-config projection helpers.
  • Extended sidecar compatibility gates to fail closed on sidecar config artifact drift and cross-artifact inconsistency (schema/compat/example/docs).
  • Added sidecar integration/system validation for generated error-registry compatibility and restart-boundary idempotency replay/conflict persistence.

Threat Model Delta (2026-02-08)

  • Added enterprise sidecar boundary mode with explicit fail-closed config validation (enterprise.mode, control-plane URL/token requirements, and token-mode security requirement).
  • Added enterprise identity extraction boundary (x-tenant-id, x-principal-id, x-authn-method, optional namespace) and fail-closed admission behavior on malformed/missing identity context.
  • Added pre-handler enterprise policy gate middleware that denies protected operations when control-plane authz/quota checks are unavailable or deny.
  • Added managed-cloud writer-lease assertion gating for mutating operations (x-arxi-writer-lease=true required when configured).
  • Added explicit sidecar enterprise boundary hook emission to control-plane (/v1/enterprise/sidecar/hooks) at admission and result phases with fail-closed behavior for successful protected operations when hook export fails.
  • Result: sidecar ingress now has an additional external dependency on enterprise control-plane availability/integrity; outage or invalid responses are handled as fail-closed admission denials and successful-hook export failures are treated as fail-closed request errors.

Threat Model Delta (2026-02-08, Probe and Readiness Hardening)

  • Added explicit startup probe route (GET /startup) to sidecar entry-point inventory and probe-auth bypass policy.
  • Added fail-closed readiness dependency modes (storage_only, storage_and_enterprise) with config validation and control-plane readiness dependency checks in enterprise-enabled modes.
  • Added optional readiness fail-closed behavior when request admission/execution capacity is exhausted (request_capacity_exhausted readiness reason).
  • Added explicit probe-priority middleware behavior: /health, /startup, and /ready bypass normal auth/policy/bounds request gates to preserve orchestration observability during overload.
  • Added Docker system-test probe coverage validating containerized /startup and /ready behavior before and after segment-open lifecycle transitions.

Threat Model Delta (2026-02-08, continued)

  • Renamed enterprise boundary adapter implementation from enterprise.rs to control_plane_bridge.rs to make the trust-boundary intent explicit (control-plane bridge only; no evidence-math authority).
  • Centralized sidecar enterprise ingress/header/hook vocabulary in crates/arxi-sidecar/src/contract.rs and wired middleware/bridge paths to those constants to reduce drift-induced policy bypass risk.
  • Added conformance tests to ensure sidecar operation labels, identity headers, and hook boundary/outcome labels remain synchronized with control-plane contract vocabulary.
  • Added cross-repo end-to-end enterprise lane coverage proving control-plane deny decisions fail closed at sidecar mutation boundaries while successful admitted paths preserve deterministic evidence verification outcomes.

Threat Model Delta (2026-02-08, CLI OSS Expansion)

  • Added CLI operator command recorder envelope record-with-attachments with fail-closed attachment boundary validation for file and inline base64 inputs.
  • Added CLI operator command decision-gate ingest-fixture that routes fixture inputs through production arxi-decision-gate-adapter integrity and mapping policies.
  • Added CLI runtime config parity checks so malformed recorder_id values fail closed during config validate using the same identity-shape constraints as recorder runtime.
  • Expanded CLI auto-seal boundary to include duration and combined policies, with fail-closed zero-value rejection for both count and duration thresholds.
  • Added CLI query page bounds (default 1000, max 10000) and deterministic JSON pagination contract (envelopes + next_cursor) to prevent unbounded materialization at operator boundary.