Control philosophy
Security is distributed by component, not aggregated in one check. The platform combines transport, authorization, and operational controls so no single misconfiguration creates blind trust.
Boundary matrix
| Layer | Responsibility | Primary control |
|---|---|---|
| Network ingress | Traffic validation | TLS, client identity checks, rate limiting |
| Policy engine | Permission enforcement | Attribute allow-lists and entitlement checks |
| Connector runtime | Provision execution | Role-scoped service identity and audit trails |
Threat assumptions
- Malicious payloads, replay attempts, and stale state drift.
- Credential leak via mis-scoped secret stores.
- Boundary confusion between source of truth and projected state.
Boundary map
[Directory Connector] -> TLS Gateway -> Policy Engine -> Provisioner -> Audit Index
Each arrow marks a control gate with an explicit failure channel: a request that fails the gate is rejected and logged, not silently forwarded to the next component.
Control gap checks
For every trust boundary, include at least one negative test case: malformed token, expired secret, stale policy version, and unauthenticated ingress. A missing check at any boundary should block production cutover.
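The following is an added example, not the platform's own code: a minimal model of the Policy Engine gate from the boundary matrix (attribute allow-lists and entitlement checks, plus replay detection from the threat assumptions) together with the negative test cases this section calls for. Every identifier (`PolicyEngine`, `mint_token`, `run_control_gap_checks`, `cutover_allowed`), the token format, the allow-list and entitlement tables, and all sample values are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed values for the example; none of these are the platform's real settings.
SIGNING_KEY = b"constructed-demo-key"
CURRENT_POLICY_VERSION = 7
ATTRIBUTE_ALLOWLIST = {"department": {"eng", "ops"}, "region": {"eu", "us"}}
ENTITLEMENTS = {"provision:user": {"eng"}, "provision:group": {"ops"}}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # names the gate that failed, so the failure channel is explicit


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Constructed token format: base64url(JSON claims) '.' hex HMAC-SHA256 tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class PolicyEngine:
    """Hypothetical policy-engine gate: every check is explicit and fails closed."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self._key = key
        self._seen_nonces = set()   # replay detection

    def authorize(self, token: Optional[str], action: str, now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        if not token:
            return Decision(False, "unauthenticated ingress")
        try:
            body, tag = token.split(".", 1)
            expected = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, expected):
                return Decision(False, "malformed token: bad signature")
            claims = json.loads(_unb64(body))
        except (ValueError, TypeError):
            return Decision(False, "malformed token: undecodable")
        required = {"sub", "exp", "policy_version", "nonce", "attributes"}
        if not isinstance(claims, dict) or not required <= claims.keys():
            return Decision(False, "malformed token: missing claims")
        if claims["exp"] <= now:
            return Decision(False, "expired credential")
        if claims["policy_version"] != CURRENT_POLICY_VERSION:
            return Decision(False, "stale policy version")
        if claims["nonce"] in self._seen_nonces:
            return Decision(False, "replayed token")
        attrs = claims["attributes"]
        for name, value in attrs.items():           # attribute allow-list
            if value not in ATTRIBUTE_ALLOWLIST.get(name, set()):
                return Decision(False, "attribute not allow-listed: %s=%s" % (name, value))
        if attrs.get("department") not in ENTITLEMENTS.get(action, set()):  # entitlement
            return Decision(False, "no entitlement for " + action)
        self._seen_nonces.add(claims["nonce"])
        return Decision(True, "allowed")


def run_control_gap_checks(now: float = 1_700_000_000.0) -> Dict[str, bool]:
    """One negative case per gate; True means the gate behaved as required
    (rejected the bad input, or admitted the positive control)."""
    engine = PolicyEngine()
    act = "provision:user"
    good = {"sub": "svc-connector", "exp": now + 300, "policy_version": CURRENT_POLICY_VERSION,
            "nonce": "n-1", "attributes": {"department": "eng", "region": "eu"}}
    rejected = lambda tok, a=act: not engine.authorize(tok, a, now).allowed
    results = {
        "unauthenticated ingress": rejected(None),
        "malformed token": rejected("not.a.token"),
        "forged signature": rejected(mint_token(good).split(".")[0] + "." + "0" * 64),
        "expired secret": rejected(mint_token({**good, "exp": now - 1})),
        "stale policy version": rejected(mint_token({**good, "policy_version": CURRENT_POLICY_VERSION - 1})),
        "attribute outside allow-list": rejected(mint_token({**good, "attributes": {"department": "eng", "region": "apac"}})),
        "missing entitlement": rejected(mint_token(good), "provision:group"),
    }
    token = mint_token(good)
    results["valid request admitted"] = engine.authorize(token, act, now).allowed
    results["replayed token"] = rejected(token)   # same nonce presented again
    return results


def cutover_allowed(results: Dict[str, bool]) -> bool:
    """Production cutover is blocked if any control gap check fails."""
    return all(results.values())


if __name__ == "__main__":
    checks = run_control_gap_checks()
    for name, ok in checks.items():
        print("PASS" if ok else "FAIL", name)
    print("cutover allowed:", cutover_allowed(checks))
```

Each `Decision.reason` names the gate that rejected the request, which is what makes the failure channel explicit for the audit index; the `run_control_gap_checks` table is the artifact a cutover review would inspect, and `cutover_allowed` turns any single `False` into a blocked release.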