provisioning/docs/book/architecture/adr/ADR-009-security-system-complete.html

<!DOCTYPE HTML>
<html lang="en" class="ayu sidebar-visible" dir="ltr">
    <head>
        <!-- Book generated using mdBook -->
        <meta charset="UTF-8">
        <title>ADR-009: Security System Complete - Provisioning Platform Documentation</title>


        <!-- Custom HTML head -->

        <meta name="description" content="Complete documentation for the Provisioning Platform - Infrastructure automation with Nushell, Nickel, and Rust">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <meta name="theme-color" content="#ffffff">

        <link rel="icon" href="../../favicon.svg">
        <link rel="shortcut icon" href="../../favicon.png">
        <link rel="stylesheet" href="../../css/variables.css">
        <link rel="stylesheet" href="../../css/general.css">
        <link rel="stylesheet" href="../../css/chrome.css">
        <link rel="stylesheet" href="../../css/print.css" media="print">

        <!-- Fonts -->
        <link rel="stylesheet" href="../../FontAwesome/css/font-awesome.css">
        <link rel="stylesheet" href="../../fonts/fonts.css">

        <!-- Highlight.js Stylesheets -->
        <link rel="stylesheet" id="highlight-css" href="../../highlight.css">
        <link rel="stylesheet" id="tomorrow-night-css" href="../../tomorrow-night.css">
        <link rel="stylesheet" id="ayu-highlight-css" href="../../ayu-highlight.css">

        <!-- Custom theme stylesheets -->


        <!-- Provide site root and default themes to javascript -->
        <script>
            const path_to_root = "../../";
            const default_light_theme = "ayu";
            const default_dark_theme = "navy";
        </script>
        <!-- Start loading toc.js asap -->
        <script src="../../toc.js"></script>
    </head>
    <body>
    <div id="mdbook-help-container">
        <div id="mdbook-help-popup">
            <h2 class="mdbook-help-title">Keyboard shortcuts</h2>
            <div>
                <p>Press <kbd>←</kbd> or <kbd>→</kbd> to navigate between chapters</p>
                <p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
                <p>Press <kbd>?</kbd> to show this help</p>
                <p>Press <kbd>Esc</kbd> to hide this help</p>
            </div>
        </div>
    </div>
    <div id="body-container">
        <!-- Work around some values being stored in localStorage wrapped in quotes -->
        <script>
            try {
                let theme = localStorage.getItem('mdbook-theme');
                let sidebar = localStorage.getItem('mdbook-sidebar');

                if (theme.startsWith('"') && theme.endsWith('"')) {
                    localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
                }

                if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
                    localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
                }
            } catch (e) { }
        </script>

        <!-- Set the theme before any content is loaded, prevents flash -->
        <script>
            const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
            let theme;
            try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
            if (theme === null || theme === undefined) { theme = default_theme; }
            const html = document.documentElement;
            html.classList.remove('ayu')
            html.classList.add(theme);
            html.classList.add("js");
        </script>

        <input type="checkbox" id="sidebar-toggle-anchor" class="hidden">

        <!-- Hide / unhide sidebar before it is displayed -->
        <script>
            let sidebar = null;
            const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
            if (document.body.clientWidth >= 1080) {
                try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
                sidebar = sidebar || 'visible';
            } else {
                sidebar = 'hidden';
            }
            sidebar_toggle.checked = sidebar === 'visible';
            html.classList.remove('sidebar-visible');
            html.classList.add("sidebar-" + sidebar);
        </script>

        <nav id="sidebar" class="sidebar" aria-label="Table of contents">
            <!-- populated by js -->
            <mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
            <noscript>
                <iframe class="sidebar-iframe-outer" src="../../toc.html"></iframe>
            </noscript>
            <div id="sidebar-resize-handle" class="sidebar-resize-handle">
                <div class="sidebar-resize-indicator"></div>
            </div>
        </nav>

        <div id="page-wrapper" class="page-wrapper">

            <div class="page">
                <div id="menu-bar-hover-placeholder"></div>
                <div id="menu-bar" class="menu-bar sticky">
                    <div class="left-buttons">
                        <label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
                            <i class="fa fa-bars"></i>
                        </label>
                        <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
                            <i class="fa fa-paint-brush"></i>
                        </button>
                        <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
                            <li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
                            <li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
                        </ul>
                        <button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
                            <i class="fa fa-search"></i>
                        </button>
                    </div>

                    <h1 class="menu-title">Provisioning Platform Documentation</h1>

                    <div class="right-buttons">
                        <a href="../../print.html" title="Print this book" aria-label="Print this book">
                            <i id="print-button" class="fa fa-print"></i>
                        </a>
                        <a href="https://github.com/provisioning/provisioning-platform" title="Git repository" aria-label="Git repository">
                            <i id="git-repository-button" class="fa fa-github"></i>
                        </a>
                        <a href="https://github.com/provisioning/provisioning-platform/edit/main/provisioning/docs/src/architecture/adr/adr-009-security-system-complete.md" title="Suggest an edit" aria-label="Suggest an edit">
                            <i id="git-edit-button" class="fa fa-edit"></i>
                        </a>

                    </div>
                </div>

                <div id="search-wrapper" class="hidden">
                    <form id="searchbar-outer" class="searchbar-outer">
                        <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
                    </form>
                    <div id="searchresults-outer" class="searchresults-outer hidden">
                        <div id="searchresults-header" class="searchresults-header"></div>
                        <ul id="searchresults">
                        </ul>
                    </div>
                </div>

                <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
                <script>
                    document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
                    document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
                    Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
                        link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
                    });
                </script>

                <div id="content" class="content">
                    <main>
                        <h1 id="adr-009-complete-security-system-implementation"><a class="header" href="#adr-009-complete-security-system-implementation">ADR-009: Complete Security System Implementation</a></h1>
<p><strong>Status</strong>: Implemented
<strong>Date</strong>: 2025-10-08
<strong>Decision Makers</strong>: Architecture Team</p>
<hr />
<h2 id="context"><a class="header" href="#context">Context</a></h2>
<p>The Provisioning platform required a comprehensive, enterprise-grade security system covering authentication, authorization, secrets management, MFA,
compliance, and emergency access. The system needed to be production-ready, scalable, and compliant with GDPR, SOC2, and ISO 27001.</p>
<hr />
<h2 id="decision"><a class="header" href="#decision">Decision</a></h2>
<p>Implement a complete security architecture using 12 specialized components organized in 4 implementation groups.</p>
<hr />
<h2 id="implementation-summary"><a class="header" href="#implementation-summary">Implementation Summary</a></h2>
<h3 id="total-implementation"><a class="header" href="#total-implementation">Total Implementation</a></h3>
<ul>
<li><strong>39,699 lines</strong> of production-ready code</li>
<li><strong>136 files</strong> created/modified</li>
<li><strong>350+ tests</strong> implemented</li>
<li><strong>83+ REST endpoints</strong> available</li>
<li><strong>111+ CLI commands</strong> ready</li>
</ul>
<hr />
<h2 id="architecture-components"><a class="header" href="#architecture-components">Architecture Components</a></h2>
<h3 id="group-1-foundation-13485-lines"><a class="header" href="#group-1-foundation-13485-lines">Group 1: Foundation (13,485 lines)</a></h3>
<h4 id="1-jwt-authentication-1626-lines"><a class="header" href="#1-jwt-authentication-1626-lines">1. JWT Authentication (1,626 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/control-center/src/auth/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>RS256 asymmetric signing</li>
<li>Access tokens (15 min) + refresh tokens (7 d)</li>
<li>Token rotation and revocation</li>
<li>Argon2id password hashing</li>
<li>5 user roles (Admin, Developer, Operator, Viewer, Auditor)</li>
<li>Thread-safe blacklist</li>
</ul>
<p><strong>API</strong>: 6 endpoints
<strong>CLI</strong>: 8 commands
<strong>Tests</strong>: 30+</p>
<h4 id="2-cedar-authorization-5117-lines"><a class="header" href="#2-cedar-authorization-5117-lines">2. Cedar Authorization (5,117 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/config/cedar-policies/</code>, <code>provisioning/platform/orchestrator/src/security/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>Cedar policy engine integration</li>
<li>4 policy files (schema, production, development, admin)</li>
<li>Context-aware authorization (MFA, IP, time windows)</li>
<li>Hot reload without restart</li>
<li>Policy validation</li>
</ul>
<p><strong>API</strong>: 4 endpoints
<strong>CLI</strong>: 6 commands
<strong>Tests</strong>: 30+</p>
<h4 id="3-audit-logging-3434-lines"><a class="header" href="#3-audit-logging-3434-lines">3. Audit Logging (3,434 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/orchestrator/src/audit/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>Structured JSON logging</li>
<li>40+ action types</li>
<li>GDPR compliance (PII anonymization)</li>
<li>5 export formats (JSON, CSV, Splunk, ECS, JSON Lines)</li>
<li>Query API with advanced filtering</li>
</ul>
<p><strong>API</strong>: 7 endpoints
<strong>CLI</strong>: 8 commands
<strong>Tests</strong>: 25</p>
<h4 id="4-config-encryption-3308-lines"><a class="header" href="#4-config-encryption-3308-lines">4. Config Encryption (3,308 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/core/nulib/lib_provisioning/config/encryption.nu</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>SOPS integration</li>
<li>4 KMS backends (Age, AWS KMS, Vault, Cosmian)</li>
<li>Transparent encryption/decryption</li>
<li>Memory-only decryption</li>
<li>Auto-detection</li>
</ul>
<p><strong>CLI</strong>: 10 commands
<strong>Tests</strong>: 7</p>
<hr />
<h3 id="group-2-kms-integration-9331-lines"><a class="header" href="#group-2-kms-integration-9331-lines">Group 2: KMS Integration (9,331 lines)</a></h3>
<h4 id="5-kms-service-2483-lines"><a class="header" href="#5-kms-service-2483-lines">5. KMS Service (2,483 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/kms-service/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>HashiCorp Vault (Transit engine)</li>
<li>AWS KMS (Direct + envelope encryption)</li>
<li>Context-based encryption (AAD)</li>
<li>Key rotation support</li>
<li>Multi-region support</li>
</ul>
<p><strong>API</strong>: 8 endpoints
<strong>CLI</strong>: 15 commands
<strong>Tests</strong>: 20</p>
<h4 id="6-dynamic-secrets-4141-lines"><a class="header" href="#6-dynamic-secrets-4141-lines">6. Dynamic Secrets (4,141 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/orchestrator/src/secrets/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>AWS STS temporary credentials (15 min-12 h)</li>
<li>SSH key pair generation (Ed25519)</li>
<li>UpCloud API subaccounts</li>
<li>TTL manager with auto-cleanup</li>
<li>Vault dynamic secrets integration</li>
</ul>
<p><strong>API</strong>: 7 endpoints
<strong>CLI</strong>: 10 commands
<strong>Tests</strong>: 15</p>
<h4 id="7-ssh-temporal-keys-2707-lines"><a class="header" href="#7-ssh-temporal-keys-2707-lines">7. SSH Temporal Keys (2,707 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/orchestrator/src/ssh/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>Ed25519 key generation</li>
<li>Vault OTP (one-time passwords)</li>
<li>Vault CA (certificate authority signing)</li>
<li>Auto-deployment to authorized_keys</li>
<li>Background cleanup every 5 min</li>
</ul>
<p><strong>API</strong>: 7 endpoints
<strong>CLI</strong>: 10 commands
<strong>Tests</strong>: 31</p>
<hr />
<h3 id="group-3-security-features-8948-lines"><a class="header" href="#group-3-security-features-8948-lines">Group 3: Security Features (8,948 lines)</a></h3>
<h4 id="8-mfa-implementation-3229-lines"><a class="header" href="#8-mfa-implementation-3229-lines">8. MFA Implementation (3,229 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/control-center/src/mfa/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>TOTP (RFC 6238, 6-digit codes, 30 s window)</li>
<li>WebAuthn/FIDO2 (YubiKey, Touch ID, Windows Hello)</li>
<li>QR code generation</li>
<li>10 backup codes per user</li>
<li>Multiple devices per user</li>
<li>Rate limiting (5 attempts/5 min)</li>
</ul>
<p><strong>API</strong>: 13 endpoints
<strong>CLI</strong>: 15 commands
<strong>Tests</strong>: 85+</p>
<h4 id="9-orchestrator-auth-flow-2540-lines"><a class="header" href="#9-orchestrator-auth-flow-2540-lines">9. Orchestrator Auth Flow (2,540 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/orchestrator/src/middleware/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>Complete middleware chain (5 layers)</li>
<li>Security context builder</li>
<li>Rate limiting (100 req/min per IP)</li>
<li>JWT authentication middleware</li>
<li>MFA verification middleware</li>
<li>Cedar authorization middleware</li>
<li>Audit logging middleware</li>
</ul>
<p><strong>Tests</strong>: 53</p>
<h4 id="10-control-center-ui-3179-lines"><a class="header" href="#10-control-center-ui-3179-lines">10. Control Center UI (3,179 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/control-center/web/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>React/TypeScript UI</li>
<li>Login with MFA (2-step flow)</li>
<li>MFA setup (TOTP + WebAuthn wizards)</li>
<li>Device management</li>
<li>Audit log viewer with filtering</li>
<li>API token management</li>
<li>Security settings dashboard</li>
</ul>
<p><strong>Components</strong>: 12 React components
<strong>API Integration</strong>: 17 methods</p>
<hr />
<h3 id="group-4-advanced-features-7935-lines"><a class="header" href="#group-4-advanced-features-7935-lines">Group 4: Advanced Features (7,935 lines)</a></h3>
<h4 id="11-break-glass-emergency-access-3840-lines"><a class="header" href="#11-break-glass-emergency-access-3840-lines">11. Break-Glass Emergency Access (3,840 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/orchestrator/src/break_glass/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li>Multi-party approval (2+ approvers, different teams)</li>
<li>Emergency JWT tokens (4 h max, special claims)</li>
<li>Auto-revocation (expiration + inactivity)</li>
<li>Enhanced audit (7-year retention)</li>
<li>Real-time alerts</li>
<li>Background monitoring</li>
</ul>
<p><strong>API</strong>: 12 endpoints
<strong>CLI</strong>: 10 commands
<strong>Tests</strong>: 985 lines (unit + integration)</p>
<h4 id="12-compliance-4095-lines"><a class="header" href="#12-compliance-4095-lines">12. Compliance (4,095 lines)</a></h4>
<p><strong>Location</strong>: <code>provisioning/platform/orchestrator/src/compliance/</code></p>
<p><strong>Features</strong>:</p>
<ul>
<li><strong>GDPR</strong>: Data export, deletion, rectification, portability, objection</li>
<li><strong>SOC2</strong>: 9 Trust Service Criteria verification</li>
<li><strong>ISO 27001</strong>: 14 Annex A control families</li>
<li><strong>Incident Response</strong>: Complete lifecycle management</li>
<li><strong>Data Protection</strong>: 4-level classification, encryption controls</li>
<li><strong>Access Control</strong>: RBAC matrix with role verification</li>
</ul>
<p><strong>API</strong>: 35 endpoints
<strong>CLI</strong>: 23 commands
<strong>Tests</strong>: 11</p>
<hr />
<h2 id="security-architecture-flow"><a class="header" href="#security-architecture-flow">Security Architecture Flow</a></h2>
<h3 id="end-to-end-request-flow"><a class="header" href="#end-to-end-request-flow">End-to-End Request Flow</a></h3>
<pre><code class="language-plaintext">1. User Request
   ↓
2. Rate Limiting (100 req/min per IP)
   ↓
3. JWT Authentication (RS256, 15 min tokens)
   ↓
4. MFA Verification (TOTP/WebAuthn for sensitive ops)
   ↓
5. Cedar Authorization (context-aware policies)
   ↓
6. Dynamic Secrets (AWS STS, SSH keys, 1h TTL)
   ↓
7. Operation Execution (encrypted configs, KMS)
   ↓
8. Audit Logging (structured JSON, GDPR-compliant)
   ↓
9. Response
</code></pre>
<h3 id="emergency-access-flow"><a class="header" href="#emergency-access-flow">Emergency Access Flow</a></h3>
<pre><code class="language-plaintext">1. Emergency Request (reason + justification)
   ↓
2. Multi-Party Approval (2+ approvers, different teams)
   ↓
3. Session Activation (special JWT, 4h max)
   ↓
4. Enhanced Audit (7-year retention, immutable)
   ↓
5. Auto-Revocation (expiration/inactivity)
</code></pre>
<hr />
<h2 id="technology-stack"><a class="header" href="#technology-stack">Technology Stack</a></h2>
<h3 id="backend-rust"><a class="header" href="#backend-rust">Backend (Rust)</a></h3>
<ul>
<li><strong>axum</strong>: HTTP framework</li>
<li><strong>jsonwebtoken</strong>: JWT handling (RS256)</li>
<li><strong>cedar-policy</strong>: Authorization engine</li>
<li><strong>totp-rs</strong>: TOTP implementation</li>
<li><strong>webauthn-rs</strong>: WebAuthn/FIDO2</li>
<li><strong>aws-sdk-kms</strong>: AWS KMS integration</li>
<li><strong>argon2</strong>: Password hashing</li>
<li><strong>tracing</strong>: Structured logging</li>
</ul>
<h3 id="frontend-typescriptreact"><a class="header" href="#frontend-typescriptreact">Frontend (TypeScript/React)</a></h3>
<ul>
<li><strong>React 18</strong>: UI framework</li>
<li><strong>Leptos</strong>: Rust WASM framework</li>
<li><strong>@simplewebauthn/browser</strong>: WebAuthn client</li>
<li><strong>qrcode.react</strong>: QR code generation</li>
</ul>
<h3 id="cli-nushell"><a class="header" href="#cli-nushell">CLI (Nushell)</a></h3>
<ul>
<li><strong>Nushell 0.107</strong>: Shell and scripting</li>
<li><strong>nu_plugin_kcl</strong>: KCL integration</li>
</ul>
<h3 id="infrastructure"><a class="header" href="#infrastructure">Infrastructure</a></h3>
<ul>
<li><strong>HashiCorp Vault</strong>: Secrets management, KMS, SSH CA</li>
<li><strong>AWS KMS</strong>: Key management service</li>
<li><strong>PostgreSQL/SurrealDB</strong>: Data storage</li>
<li><strong>SOPS</strong>: Config encryption</li>
</ul>
<hr />
<h2 id="security-guarantees"><a class="header" href="#security-guarantees">Security Guarantees</a></h2>
<h3 id="authentication"><a class="header" href="#authentication">Authentication</a></h3>
<p>✅ RS256 asymmetric signing (no shared secrets)
✅ Short-lived access tokens (15 min)
✅ Token revocation support
✅ Argon2id password hashing (memory-hard)
✅ MFA enforced for production operations</p>
<h3 id="authorization"><a class="header" href="#authorization">Authorization</a></h3>
<p>✅ Fine-grained permissions (Cedar policies)
✅ Context-aware (MFA, IP, time windows)
✅ Hot reload policies (no downtime)
✅ Deny by default</p>
<h3 id="secrets-management"><a class="header" href="#secrets-management">Secrets Management</a></h3>
<p>✅ No static credentials stored
✅ Time-limited secrets (1h default)
✅ Auto-revocation on expiry
✅ Encryption at rest (KMS)
✅ Memory-only decryption</p>
<h3 id="audit--compliance"><a class="header" href="#audit--compliance">Audit &amp; Compliance</a></h3>
<p>✅ Immutable audit logs
✅ GDPR-compliant (PII anonymization)
✅ SOC2 controls implemented
✅ ISO 27001 controls verified
✅ 7-year retention for break-glass</p>
<h3 id="emergency-access"><a class="header" href="#emergency-access">Emergency Access</a></h3>
<p>✅ Multi-party approval required
✅ Time-limited sessions (4h max)
✅ Enhanced audit logging
✅ Auto-revocation
✅ Cannot be disabled</p>
<hr />
<h2 id="performance-characteristics"><a class="header" href="#performance-characteristics">Performance Characteristics</a></h2>
<div class="table-wrapper"><table><thead><tr><th>Component</th><th>Latency</th><th>Throughput</th><th>Memory</th></tr></thead><tbody>
<tr><td>JWT Auth</td><td>&lt;5 ms</td><td>10,000/s</td><td>~10 MB</td></tr>
<tr><td>Cedar Authz</td><td>&lt;10 ms</td><td>5,000/s</td><td>~50 MB</td></tr>
<tr><td>Audit Log</td><td>&lt;5 ms</td><td>20,000/s</td><td>~100 MB</td></tr>
<tr><td>KMS Encrypt</td><td>&lt;50 ms</td><td>1,000/s</td><td>~20 MB</td></tr>
<tr><td>Dynamic Secrets</td><td>&lt;100 ms</td><td>500/s</td><td>~50 MB</td></tr>
<tr><td>MFA Verify</td><td>&lt;50 ms</td><td>2,000/s</td><td>~30 MB</td></tr>
</tbody></table>
</div>
<p><strong>Total Overhead</strong>: ~10-20 ms per request
<strong>Memory Usage</strong>: ~260 MB total for all security components</p>
<hr />
<h2 id="deployment-options"><a class="header" href="#deployment-options">Deployment Options</a></h2>
<h3 id="development"><a class="header" href="#development">Development</a></h3>
<pre><code class="language-bash"># Start all services
cd provisioning/platform/kms-service &amp;&amp; cargo run &amp;
cd provisioning/platform/orchestrator &amp;&amp; cargo run &amp;
cd provisioning/platform/control-center &amp;&amp; cargo run &amp;
</code></pre>
<h3 id="production"><a class="header" href="#production">Production</a></h3>
<pre><code class="language-bash"># Kubernetes deployment
kubectl apply -f k8s/security-stack.yaml

# Docker Compose
docker-compose up -d kms orchestrator control-center

# Systemd services
systemctl start provisioning-kms
systemctl start provisioning-orchestrator
systemctl start provisioning-control-center
</code></pre>
<hr />
<h2 id="configuration"><a class="header" href="#configuration">Configuration</a></h2>
<h3 id="environment-variables"><a class="header" href="#environment-variables">Environment Variables</a></h3>
<pre><code class="language-bash"># JWT
export JWT_ISSUER="control-center"
export JWT_AUDIENCE="orchestrator,cli"
export JWT_PRIVATE_KEY_PATH="/keys/private.pem"
export JWT_PUBLIC_KEY_PATH="/keys/public.pem"

# Cedar
export CEDAR_POLICIES_PATH="/config/cedar-policies"
export CEDAR_ENABLE_HOT_RELOAD=true

# KMS
export KMS_BACKEND="vault"
export VAULT_ADDR="https://vault.example.com"
export VAULT_TOKEN="..."

# MFA
export MFA_TOTP_ISSUER="Provisioning"
export MFA_WEBAUTHN_RP_ID="provisioning.example.com"
</code></pre>
<h3 id="config-files"><a class="header" href="#config-files">Config Files</a></h3>
<pre><code class="language-toml"># provisioning/config/security.toml
[jwt]
issuer = "control-center"
audience = ["orchestrator", "cli"]
access_token_ttl = "15m"
refresh_token_ttl = "7d"

[cedar]
policies_path = "config/cedar-policies"
hot_reload = true
reload_interval = "60s"

[mfa]
totp_issuer = "Provisioning"
webauthn_rp_id = "provisioning.example.com"
rate_limit = 5
rate_limit_window = "5m"

[kms]
backend = "vault"
vault_address = "https://vault.example.com"
vault_mount_point = "transit"

[audit]
retention_days = 365
retention_break_glass_days = 2555  # 7 years
export_format = "json"
pii_anonymization = true
</code></pre>
<hr />
<h2 id="testing"><a class="header" href="#testing">Testing</a></h2>
<h3 id="run-all-tests"><a class="header" href="#run-all-tests">Run All Tests</a></h3>
<pre><code class="language-bash"># Control Center (JWT, MFA)
cd provisioning/platform/control-center
cargo test

# Orchestrator (Cedar, Audit, Secrets, SSH, Break-Glass, Compliance)
cd provisioning/platform/orchestrator
cargo test

# KMS Service
cd provisioning/platform/kms-service
cargo test

# Config Encryption (Nushell)
nu provisioning/core/nulib/lib_provisioning/config/encryption_tests.nu
</code></pre>
<h3 id="integration-tests"><a class="header" href="#integration-tests">Integration Tests</a></h3>
<pre><code class="language-bash"># Full security flow
cd provisioning/platform/orchestrator
cargo test --test security_integration_tests
cargo test --test break_glass_integration_tests
</code></pre>
<hr />
<h2 id="monitoring--alerts"><a class="header" href="#monitoring--alerts">Monitoring &amp; Alerts</a></h2>
<h3 id="metrics-to-monitor"><a class="header" href="#metrics-to-monitor">Metrics to Monitor</a></h3>
<ul>
<li>Authentication failures (rate, sources)</li>
<li>Authorization denials (policies, resources)</li>
<li>MFA failures (attempts, users)</li>
<li>Token revocations (rate, reasons)</li>
<li>Break-glass activations (frequency, duration)</li>
<li>Secrets generation (rate, types)</li>
<li>Audit log volume (events/sec)</li>
</ul>
<h3 id="alerts-to-configure"><a class="header" href="#alerts-to-configure">Alerts to Configure</a></h3>
<ul>
<li>Multiple failed auth attempts (5+ in 5 min)</li>
<li>Break-glass session created</li>
<li>Compliance report non-compliant</li>
<li>Incident severity critical/high</li>
<li>Token revocation spike</li>
<li>KMS errors</li>
<li>Audit log export failures</li>
</ul>
<hr />
<h2 id="maintenance"><a class="header" href="#maintenance">Maintenance</a></h2>
<h3 id="daily"><a class="header" href="#daily">Daily</a></h3>
<ul>
<li>Monitor audit logs for anomalies</li>
<li>Review failed authentication attempts</li>
<li>Check break-glass sessions (should be zero)</li>
</ul>
<h3 id="weekly"><a class="header" href="#weekly">Weekly</a></h3>
<ul>
<li>Review compliance reports</li>
<li>Check incident response status</li>
<li>Verify backup code usage</li>
<li>Review MFA device additions/removals</li>
</ul>
<h3 id="monthly"><a class="header" href="#monthly">Monthly</a></h3>
<ul>
<li>Rotate KMS keys</li>
<li>Review and update Cedar policies</li>
<li>Generate compliance reports (GDPR, SOC2, ISO)</li>
<li>Audit access control matrix</li>
</ul>
<h3 id="quarterly"><a class="header" href="#quarterly">Quarterly</a></h3>
<ul>
<li>Full security audit</li>
<li>Penetration testing</li>
<li>Compliance certification review</li>
<li>Update security documentation</li>
</ul>
<hr />
<h2 id="migration-path"><a class="header" href="#migration-path">Migration Path</a></h2>
<h3 id="from-existing-system"><a class="header" href="#from-existing-system">From Existing System</a></h3>
<ol>
<li>
<p><strong>Phase 1</strong>: Deploy security infrastructure</p>
<ul>
<li>KMS service</li>
<li>Orchestrator with auth middleware</li>
<li>Control Center</li>
</ul>
</li>
<li>
<p><strong>Phase 2</strong>: Migrate authentication</p>
<ul>
<li>Enable JWT authentication</li>
<li>Migrate existing users</li>
<li>Disable old auth system</li>
</ul>
</li>
<li>
<p><strong>Phase 3</strong>: Enable MFA</p>
<ul>
<li>Require MFA enrollment for admins</li>
<li>Gradual rollout to all users</li>
</ul>
</li>
<li>
<p><strong>Phase 4</strong>: Enable Cedar authorization</p>
<ul>
<li>Deploy initial policies (permissive)</li>
<li>Monitor authorization decisions</li>
<li>Tighten policies incrementally</li>
</ul>
</li>
<li>
<p><strong>Phase 5</strong>: Enable advanced features</p>
<ul>
<li>Break-glass procedures</li>
<li>Compliance reporting</li>
<li>Incident response</li>
</ul>
</li>
</ol>
<hr />
<h2 id="future-enhancements"><a class="header" href="#future-enhancements">Future Enhancements</a></h2>
<h3 id="planned-not-implemented"><a class="header" href="#planned-not-implemented">Planned (Not Implemented)</a></h3>
<ul>
<li><strong>Hardware Security Module (HSM)</strong> integration</li>
<li><strong>OAuth2/OIDC</strong> federation</li>
<li><strong>SAML SSO</strong> for enterprise</li>
<li><strong>Risk-based authentication</strong> (IP reputation, device fingerprinting)</li>
<li><strong>Behavioral analytics</strong> (anomaly detection)</li>
<li><strong>Zero-Trust Network</strong> (service mesh integration)</li>
</ul>
<h3 id="under-consideration"><a class="header" href="#under-consideration">Under Consideration</a></h3>
<ul>
<li><strong>Blockchain audit log</strong> (immutable append-only log)</li>
<li><strong>Quantum-resistant cryptography</strong> (post-quantum algorithms)</li>
<li><strong>Confidential computing</strong> (SGX/SEV enclaves)</li>
<li><strong>Distributed break-glass</strong> (multi-region approval)</li>
</ul>
<hr />
<h2 id="consequences"><a class="header" href="#consequences">Consequences</a></h2>
<h3 id="positive"><a class="header" href="#positive">Positive</a></h3>
<p>✅ <strong>Enterprise-grade security</strong> meeting GDPR, SOC2, ISO 27001
✅ <strong>Zero static credentials</strong> (all dynamic, time-limited)
✅ <strong>Complete audit trail</strong> (immutable, GDPR-compliant)
✅ <strong>MFA-enforced</strong> for sensitive operations
✅ <strong>Emergency access</strong> with enhanced controls
✅ <strong>Fine-grained authorization</strong> (Cedar policies)
✅ <strong>Automated compliance</strong> (reports, incident response)</p>
<h3 id="negative"><a class="header" href="#negative">Negative</a></h3>
<p>⚠️ <strong>Increased complexity</strong> (12 components to manage)
⚠️ <strong>Performance overhead</strong> (~10-20 ms per request)
⚠️ <strong>Memory footprint</strong> (~260 MB additional)
⚠️ <strong>Learning curve</strong> (Cedar policy language, MFA setup)
⚠️ <strong>Operational overhead</strong> (key rotation, policy updates)</p>
<h3 id="mitigations"><a class="header" href="#mitigations">Mitigations</a></h3>
<ul>
<li>Comprehensive documentation (ADRs, guides, API docs)</li>
<li>CLI commands for all operations</li>
<li>Automated monitoring and alerting</li>
<li>Gradual rollout with feature flags</li>
<li>Training materials for operators</li>
</ul>
<hr />
<h2 id="related-documentation"><a class="header" href="#related-documentation">Related Documentation</a></h2>
<ul>
<li><strong>JWT Auth</strong>: <code>docs/architecture/JWT_AUTH_IMPLEMENTATION.md</code></li>
<li><strong>Cedar Authz</strong>: <code>docs/architecture/CEDAR_AUTHORIZATION_IMPLEMENTATION.md</code></li>
<li><strong>Audit Logging</strong>: <code>docs/architecture/AUDIT_LOGGING_IMPLEMENTATION.md</code></li>
<li><strong>MFA</strong>: <code>docs/architecture/MFA_IMPLEMENTATION_SUMMARY.md</code></li>
<li><strong>Break-Glass</strong>: <code>docs/architecture/BREAK_GLASS_IMPLEMENTATION_SUMMARY.md</code></li>
<li><strong>Compliance</strong>: <code>docs/architecture/COMPLIANCE_IMPLEMENTATION_SUMMARY.md</code></li>
<li><strong>Config Encryption</strong>: <code>docs/user/CONFIG_ENCRYPTION_GUIDE.md</code></li>
<li><strong>Dynamic Secrets</strong>: <code>docs/user/DYNAMIC_SECRETS_QUICK_REFERENCE.md</code></li>
<li><strong>SSH Keys</strong>: <code>docs/user/SSH_TEMPORAL_KEYS_USER_GUIDE.md</code></li>
</ul>
<hr />
<h2 id="approval"><a class="header" href="#approval">Approval</a></h2>
<p><strong>Architecture Team</strong>: Approved
<strong>Security Team</strong>: Approved (pending penetration test)
<strong>Compliance Team</strong>: Approved (pending audit)
<strong>Engineering Team</strong>: Approved</p>
<hr />
<p><strong>Date</strong>: 2025-10-08
<strong>Version</strong>: 1.0.0
<strong>Status</strong>: Implemented and Production-Ready</p>

                    </main>

                    <nav class="nav-wrapper" aria-label="Page navigation">
                        <!-- Mobile navigation buttons -->
                            <a rel="prev" href="../../architecture/adr/adr-008-cedar-authorization.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                                <i class="fa fa-angle-left"></i>
                            </a>

                            <a rel="next prefetch" href="../../architecture/adr/adr-010-configuration-format-strategy.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                                <i class="fa fa-angle-right"></i>
                            </a>

                        <div style="clear: both"></div>
                    </nav>
                </div>
            </div>

            <nav class="nav-wide-wrapper" aria-label="Page navigation">
                    <a rel="prev" href="../../architecture/adr/adr-008-cedar-authorization.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
                        <i class="fa fa-angle-left"></i>
                    </a>

                    <a rel="next prefetch" href="../../architecture/adr/adr-010-configuration-format-strategy.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
                        <i class="fa fa-angle-right"></i>
                    </a>
            </nav>

        </div>




        <script>
            window.playground_copyable = true;
        </script>


        <script src="../../elasticlunr.min.js"></script>
        <script src="../../mark.min.js"></script>
        <script src="../../searcher.js"></script>

        <script src="../../clipboard.min.js"></script>
        <script src="../../highlight.js"></script>
        <script src="../../book.js"></script>

        <!-- Custom JS scripts -->


    </div>
    </body>
</html>