docs consolidation

2025-12-24 12:38:14 +02:00
parent 7503c19b8f
commit 9a08d10b89
215 changed files with 2188 additions and 9623 deletions
--- a/docs/technical/architecture/security-boundaries.md
+++ b/docs/technical/architecture/security-boundaries.md
@@ -10,6 +10,18 @@ All externally reachable services are expected to enforce:
 3. Scope-based authorization (least privilege).
 4. Tenant isolation: requests and data access are filtered by tenant context.

+### Hard gates (typical examples)
+
+Exact gates are module-specific, but common patterns include:
+- **Authority**: nonce-based sender constraints (DPoP), strict token lifetimes, tenant-scoped issuance, and rate limiting.
+- **Signing/attestation services**: narrow scopes, service identity requirements (often mTLS), and verification of the artifact being signed/attested (for example digest checks) before producing evidence.
+
+Authoritative references:
+- `docs/security/scopes-and-roles.md`
+- `docs/modules/authority/architecture.md`
+- `docs/modules/signer/architecture.md`
+- `docs/modules/attestor/architecture.md`
+
 ## Network segmentation (typical deployment)

 - **Front door / ingress**: TLS termination, rate limiting, and WAF controls.