Inactu Control
ContactInspect Source

Security

Security controls mapped to concrete implementation artifacts.

Use this page as an evidence index. Each control domain points to repository documents or contracts you can inspect directly.

Controls Matrix

Control objectives, implementation, and evidence

Control domain

Implementation expectation

Evidence artifact

Trust boundary definition

Execution substrate scope is explicit; avoid orchestration or model-runtime ambiguity.

inactu/README.md

API contract integrity

Endpoints and schemas are explicit and versioned; no undocumented behaviors.

openapi.yaml

Cryptographic verification

Manifest and receipt verification paths are deterministic and testable.

docs/getting-started.md

Compatibility governance

Schema and behavior changes follow explicit compatibility policy.

spec/compatibility.md

Threat-model alignment

Assumptions and non-goals are documented before production adoption.

spec/threat-model.md

Conformance assurance

Release gates include vector-driven conformance and verification checks.

spec/conformance.md

Operational hardening checklist

  • Terminate TLS at the edge and enforce authn/authz before forwarding to the API.
  • Keep signing keys and trust-anchor material in managed KMS/HSM, outside the service process.
  • Treat all inbound payloads as untrusted with strict schema and size controls.
  • Capture request IDs and deterministic error payloads for incident reconstruction.

Evidence-first review flow

  • Run quickstart checks and verify endpoint determinism.
  • Review threat model and compatibility policies against your risk register.
  • Validate key lifecycle, IAM boundaries, and logging retention controls.
  • Gate rollout on reproducible conformance checks in CI/CD.