Security Hardening¶

Operational guidance for securing ACGP stewards, policy artifacts, and governance telemetry in production.

Threat Model First¶

Before configuration, document: - Asset boundaries (steward API, policy store, audit store, key material) - Trust boundaries (agent runtime, network edges, operators) - Abuse paths (policy tampering, replay, credential theft, downgrade attacks)

Security controls should map directly to those risks.

Identity and Access Control¶

Production Trust-Binding Flow¶

Transport authenticates the calling service.
The Steward validates that service identity against the configured trust root.
The expected signing identity is checked against the trust-root authorization set.
sender_id is accepted as an application-layer field, not as the trust anchor by itself.
Governance overrides are accepted only from explicitly authorized service identities.

In production deployments, a self-asserted sender_id without authenticated service identity is not sufficient trust proof.

Steward Authentication¶

Require mTLS or signed service credentials for all steward clients.
Rotate credentials on a fixed schedule.
Reject anonymous or weakly authenticated requests.

Authorization¶

Enforce least privilege per agent identity.
Bind Governance Tier assignment to identity metadata.
Disallow self-assigned Governance Tier changes by agents.

Secret Management¶

Store credentials in a secret manager, never in source files.
Scope credentials by environment and role.
Rotate on incident, role change, and regular cadence.

Transport and Network Controls¶

Enforce TLS 1.3 for all inter-service traffic.
Use mTLS between agents and steward.
Restrict steward ingress with network policy and allowlists.
Apply request rate limits and body-size limits.
Isolate control plane and data plane network segments.

Policy and Blueprint Integrity¶

Sign policy bundles before deployment.
Verify signature and version on load.
Use immutable artifact references in production.
Require code review for threshold/tripwire changes.

Recommended controls: - Two-person approval for policy changes in Safety-Critical environments. - Version pinning for inherited blueprints. - Automated schema validation in CI before merge.

Runtime Safety Controls¶

Keep critical tripwires fail-closed.
Validate trace payloads against schema prior to evaluation.
Enforce bounded evaluation budgets to prevent resource exhaustion.
If Runtime Governance Contracts are enabled, apply per-evaluation timeout policy explicitly and log every timeout-policy event. Keep it separate from core profile-failure fallback for Steward/session-path unavailability.
In production profile, require explicit steward trust material and transport auth policy before boot.
Do not treat self-asserted sender metadata as the trust anchor; bind authenticated transport identity to the steward signing identity.
If Tier-0 fast path is enabled, also configure one of: full disablement, sampled remote verification, or minimum-Governance-Tier remote verification.
Restrict governance overrides to authenticated operator identities and audit every accepted override.

Local Tier-0 Fast Path Requires Remote Assurance¶

Local Tier-0 fast path improves latency, but it does not replace deployment trust controls.

When local approval paths are enabled, operators should also enforce one or more of: - remote sampling of approved actions - remote verification for higher Governance Tiers - incident-response controls for suppressed or missing traces

Without those controls, a compromised SDK can bypass local-only checks and suppress the visibility the remote steward depends on.

Audit and Log Protection¶

Use append-only or immutable storage for audit events.
Time-sync all components to a trusted source.
Sign or hash-chain high-integrity audit streams.
Encrypt logs at rest and in transit.
Retain access logs for administrative actions.

Storage and Persistence Posture¶

SQLite is the reference/local backend for ACGP. The SDK now ships a PostgreSQL-compatible production runtime-state backend for durable, centralized governance state and audit persistence. Advanced multi-region deployments may use a distributed SQL backend. Large evidence artifacts may be stored in object storage with database-backed metadata and retention controls.

For the shipped production-directed path, use PostgreSQL-backed runtime state plus trust-root validation, authenticated service identity binding, and Tier-0 remote-verification controls together; do not treat any one of them as sufficient in isolation.

Supply Chain and Build Security¶

Pin dependency versions and verify provenance where possible.
Run SCA/dependency vulnerability scans in CI.
Harden build runners and lock artifact publishing credentials.
Maintain SBOMs for steward and SDK deployments.

Incident Readiness¶

Prepare runbooks for: - Credential compromise - Policy tampering suspicion - Sustained abnormal intervention spikes - Steward availability loss

Runbook essentials: - Isolation steps - Credential rotation steps - Policy rollback procedure - Evidence collection checklist

Production Hardening Checklist¶

mTLS enabled for all steward endpoints
Agent identity bound to Governance Tier policy
Blueprint load path signature verification enabled
Schema validation enforced in CI and deploy pipeline
Audit logs immutable and encrypted
Secret rotation policy active
Incident runbooks tested

Minimal Example: Secure Steward Initialization¶

from acgp import GovernanceSteward, CognitiveTrace, PostgresStateStorage

steward = GovernanceSteward.production(
    blueprint_file="blueprint.yaml",
    state_storage=PostgresStateStorage(connection_string="postgresql://runtime/acgp"),
)

trace = CognitiveTrace(
    reasoning="User requested a production action",
    action="execute",
    governance_tier="GT-3",
)

Use infrastructure controls (service mesh, gateway policy, IAM) to enforce identity and transport guarantees around this runtime object.