Skip to main content

Security

Documentation Map

Security

Tool / Contract Summary

This page documents the real security and boundary model for jhf-tenter.

It covers:

  • where secrets are allowed to exist
  • which auth surfaces are external
  • which commands are allowed to mutate runtime state

Business Value

  • Prevents docs from implying that repo-owned runtime artifacts also mean repo-owned identity or secret management.
  • Keeps deployment, Heddle, OpenClaw, and Fabric boundaries explicit.
  • Gives operators a fail-closed view of what this repo may and may not do.

Current Verified State

  • No credentials are stored in the repo.
  • GUI authentication is external to this repo.
  • ARI credentials remain externalized in deployment/runtime env handling.
  • Fabric-owned governance and combination truth are consumed read-only.

Available now

  • Non-secret runtime env contracts for ARI and GUI.
  • Explicit separation between stack truth and secret ownership.
  • Verifiers that fail closed instead of guessing Fabric or runtime truth.

Optional / Extended

  • GUI OIDC and session handling when the external Heddle path is present.
  • Optional carrier enablement through Fabric-owned optional-slice truth.

Planned / Not in current scope

  • No repo-owned credential broker.
  • No repo-owned OAuth or OIDC provider.
  • No secret rotation automation from this repo.

Public Surfaces

  • Documentation:
    • docs/SECURITY.md
    • docs/VOICE_SECURITY.md
    • docs/ASTERISK_GUI_SSO_HANDOFF.md
  • Runtime env examples:
    • runtime/asterisk-ari-live/ari.env.example
    • runtime/asterisk-gui-live/gui.env.example

Contract Families

  • Asterisk runtime stack source
  • GUI SSO handoff
  • optional carrier boundary
  • Fabric governance adoption

Producer-/Consumer-Zuordnung

  • jhf-tenter owns:
    • non-secret contract documentation
    • fail-closed verification logic
  • jhf-deployment owns:
    • secret injection and rollout env handling
  • jhf-heddle owns:
    • GUI login, callback, logout, IdP claims
  • helpifyr-fabric owns:
    • shared governance and optional-slice truth

Compatibility Window

  • Security posture must remain compatible with:
    • externalized ARI credentials
    • external OIDC ownership
    • read-only Fabric truth consumption

Lifecycle Status

  • Security posture:
    • active
  • Identity posture:
    • externalized
  • Secret posture:
    • externalized

Readiness / Drift / Monitoring

Security drift occurs when:

  • credentials move into the repo
  • docs imply local auth truth that belongs to Heddle
  • local docs redefine Fabric-owned readiness or access semantics
  • deployment starts treating repo-local env examples as real secret storage

Deployment / Verify

Security-sensitive verify path:

python3 scripts/ci/verify_repo.py
bash scripts/fabric-selfcheck.sh
python3 scripts/ci/verify_asterisk_gui_sso_handoff.py
python3 scripts/ci/verify_asterisk_stack_source_of_truth.py

Known Limits

  • This repo cannot prove external secret quality or rotation.
  • GUI auth and OIDC correctness remain external-owner concerns even though the stack definition is local.
  • Host mutation stays operator- or deployment-gated.

Exceptions / Waivers

  • None. Secrets must stay out of Git.
  • jhf-tenter#77
  • jhf-tenter#87
  • jhf-tenter#88
  • jhf-deployment#170