Security Model

Defense in Depth

Layer 7: Application Security
├── Input validation
├── Rate limiting
└── Audit logging

Layer 6: Authentication & Authorization
├── Post-quantum certificates (Dilithium-5)
├── Continuous session verification (Pulse)
└── Attribute-based access control (ABAC)

Layer 5: Cryptographic Protection
├── Post-quantum key exchange (Kyber-1024)
├── AES-256-GCM tunnel encryption
└── HMAC-SHA3-256 token integrity

Layer 4: Network Security
├── mTLS for all internal service communication
├── Kubernetes network policies
└── Firewall rules (UDP 4600 only external surface)

Layer 3: Infrastructure Security
├── Pod security policies (non-root, read-only filesystem)
├── Kubernetes RBAC
└── Secret encryption at rest

Trust Boundaries

┌─ Internet (Untrusted) ────────┬─ Gateway DMZ ────────┬─ Cluster (Trusted) ──┐
│                                │                      │                       │
│  Agents ↔ Gateway              │  Gateway ↔ Control   │  Service ↔ Service    │
│  UDP 4600                      │  gRPC 50051-50053    │  Service Mesh mTLS    │
│  Post-quantum encrypted        │  mTLS certificates   │  Network policies     │
│                                │                      │                       │
└────────────────────────────────┴──────────────────────┴───────────────────────┘

HSM Integration

Production deployments should protect CA keys with Hardware Security Modules:

Provider              Integration Method
AWS CloudHSM          Native
Azure Dedicated HSM   PKCS#11
Google Cloud HSM      Cloud KMS
Thales Luna           PKCS#11
YubiHSM 2             Native (small deployments)

Audit Logging

All security events are emitted as structured JSON with full context:

{
  "timestamp": "2024-01-15T10:30:45.123Z",
  "event_type": "authentication.success",
  "severity": "info",
  "actor": {
    "type": "agent",
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "name": "alice-laptop"
  },
  "action": "authenticate",
  "resource": {
    "type": "session",
    "id": "sess_xyz789"
  },
  "outcome": "success",
  "context": {
    "source_ip": "192.168.1.100",
    "user_agent": "avon-agent/1.0.0",
    "certificate_fingerprint": "SHA256:abc123..."
  }
}
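
One detection that can be built on these events, as an added example rather than the project's own code: flag a certificate fingerprint that authenticates successfully from more than one source IP within a short window, a sign that an agent credential may have been copied. It assumes the log is newline-delimited JSON; the 10-minute window, the function names and the sample events are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, trimmed to the fields the detector reads. One JSON
# object per line (NDJSON) is an assumption; IDs, IPs and fingerprints are made up.
SAMPLE_LOG = """\
{"timestamp": "2024-01-15T10:30:45.123Z", "event_type": "authentication.success", "actor": {"type": "agent", "id": "agent-0001"}, "context": {"source_ip": "192.168.1.100", "certificate_fingerprint": "SHA256:EXAMPLE-A"}}
{"timestamp": "2024-01-15T10:31:00.000Z", "event_type": "authentication.success", "actor": {"type": "agent", "id": "agent-0002"}, "context": {"source_ip": "192.168.1.101", "certificate_fingerprint": "SHA256:EXAMPLE-B"}}
{"timestamp": "2024-01-15T10:34:10.500Z", "event_type": "authentication.success", "actor": {"type": "agent", "id": "agent-0001"}, "context": {"source_ip": "203.0.113.7", "certificate_fingerprint": "SHA256:EXAMPLE-A"}}
this line is truncated and is not valid JSON
{"timestamp": "2024-01-15T11:45:00.000Z", "event_type": "authentication.success", "actor": {"type": "agent", "id": "agent-0002"}, "context": {"source_ip": "192.168.1.150", "certificate_fingerprint": "SHA256:EXAMPLE-B"}}
"""

def parse_event(line):
    """Return (time, fingerprint, source_ip, agent_id), or None if not usable."""
    try:
        ev = json.loads(line)
        if ev["event_type"] != "authentication.success":
            return None
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        if ts.tzinfo is None:  # refuse timestamps with no UTC marker or offset
            return None
        ctx = ev["context"]
        return ts, ctx["certificate_fingerprint"], ctx["source_ip"], ev["actor"]["id"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed or incomplete event: skip it, keep the detector running

def find_shared_credentials(lines, window=timedelta(minutes=10)):
    """Alert when one certificate fingerprint authenticates from more than one
    source IP inside `window` (the window length is an assumed tuning value)."""
    events = sorted(e for e in map(parse_event, lines) if e is not None)
    recent = defaultdict(list)  # fingerprint -> [(time, source_ip)] still in window
    alerts = []
    for ts, fp, ip, agent_id in events:
        in_window = [(t, i) for t, i in recent[fp] if ts - t <= window]
        other_ips = {i for _, i in in_window if i != ip}
        if other_ips:
            alerts.append({"agent_id": agent_id, "fingerprint": fp,
                           "source_ips": sorted(other_ips | {ip})})
        recent[fp] = in_window + [(ts, ip)]
    return alerts

if __name__ == "__main__":
    for alert in find_shared_credentials(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```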

Incident Response

Revoke a compromised agent immediately:

curl -X POST https://admin.avon.example.com/api/v1/agents/{id}/revoke \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"reason": "compromised", "immediate": true}'

Emergency CA key rotation:

kubectl exec -n avon avon-ca-0 -- \
  avon-ca emergency-rotate --reason "key compromise"

Terminate all active sessions:

curl -X POST https://admin.avon.example.com/api/v1/sessions/terminate-all \
  -H "Authorization: Bearer $TOKEN"