Zero-trust security for org reality. Every access authenticated, authorized, and audited.
Substrate assumes sophisticated adversaries and defends against both external attacks and insider threats.
Every extracted fact is labeled with provenance and trust tier. "Verified facts" require signatures or human review. Untrusted content is sandboxed.
No "fetch then filter" pattern. Authorization predicates are pushed to the storage layer. Denied data is never loaded.
Agents never get raw broad access. They operate via caveated capability tokens with explicit scope limits.
OIDC with phishing-resistant keys (WebAuthn). Device posture checks. Short-lived sessions.
SPIFFE IDs with mTLS (SVIDs). Short-lived credentials rotated automatically. No long-lived secrets.
Authenticate as principals, then receive caveated capability tokens. Tokens are attenuable (macaroon-style).
All authentication events are ingested as audit artifacts. Failed attempts logged with full context.
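A minimal sketch of macaroon-style attenuation for the caveated capability tokens described above. This is an added example, not Substrate's own code; the caveat grammar, function names, and demo key are assumptions for illustration.

```python
import hashlib
import hmac

def chain(sig: bytes, data: str) -> bytes:
    # Each link keys HMAC-SHA256 with the previous signature.
    return hmac.new(sig, data.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, token_id: str) -> dict:
    """Issuer side: only the holder of root_key can create a token."""
    return {"id": token_id, "caveats": [], "sig": chain(root_key, token_id)}

def attenuate(token: dict, caveat: str) -> dict:
    """Holder side: add a restriction without knowing root_key."""
    return {"id": token["id"],
            "caveats": token["caveats"] + [caveat],
            "sig": chain(token["sig"], caveat)}

def caveat_holds(caveat: str, ctx: dict) -> bool:
    # Assumed grammar: "key = value" or "expires < unix_time".
    parts = caveat.split(" ", 2)
    if len(parts) != 3:
        return False
    key, op, value = parts
    if key == "expires" and op == "<" and value.isdigit():
        return ctx["now"] < int(value)
    if op == "=":
        return key in ctx and str(ctx[key]) == value
    return False  # unknown caveats fail closed

def verify(root_key: bytes, token: dict, ctx: dict) -> bool:
    """Verifier side: recompute the chain, then check every caveat."""
    sig = chain(root_key, token["id"])
    for caveat in token["caveats"]:
        sig = chain(sig, caveat)
    if not hmac.compare_digest(sig, token["sig"]):
        return False
    return all(caveat_holds(c, ctx) for c in token["caveats"])

ROOT_KEY = b"constructed-demo-root-key"  # constructed; held only by the issuer
broad = mint(ROOT_KEY, "agent-7")
scoped = attenuate(attenuate(broad, "tenant = acme"), "action = read")
scoped = attenuate(scoped, "expires < 1700000600")
```

A recipient of `scoped` can add further caveats but cannot drop one: the signature before the last caveat is not recoverable from the current one, so a token with a caveat stripped fails verification.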
Substrate uses relationship-based access control (Zanzibar-style). Permissions are defined by relationships in the graph itself.
user, group, service, repo, artifact, incident, contract, document, ...
owner, member, viewer, oncall, legal_hold_admin, approver, ...
can(subject, action, resource)
Evaluated by tuple graph + caveats:
- time constraints
- tenant boundaries
- realm compartments

Why ReBAC wins here: Org reality is literally relationships. The authz model matches the data model. "Alice can view service X because she's on-call for team Y which owns X."
Every artifact chunk encrypted with AES-256-GCM using a unique DEK. DEKs are never stored in plaintext.
DEKs are wrapped by tenant KEKs stored in HSM/KMS. Per-realm KEKs for high-sensitivity compartments.
KEKs rotate on schedule. DEKs are re-wrapped asynchronously. Old ciphertext remains readable with old wrapped DEKs.
Cross-workspace sharing never shares raw keys. Instead: policy grant + DEK re-wrapped to recipient's realm KEK.
Every commit includes prev_hash. The chain is unbroken and verifiable from any point.
Commits are leaves in a merkle tree. Inclusion proofs verify membership. Consistency proofs verify append-only growth.
Periodic root signatures (HSM-backed) create trust anchors. Witnesses can independently verify.
Independent systems sign merkle roots. Detects equivocation if the primary attempts to present different histories.
Attach to artifact types and graph subtrees. Define expiration schedules. Trigger tombstone events on expiry.
Freezes key shredding for scoped objects. Any shred attempt emits immutable audit event. Hold takes precedence.
Data becomes a stub. Metadata and hashes remain. Unprivileged readers see "redacted" marker.
DEK is destroyed. Ciphertext remains but is unrecoverable. Commit hash proves "something existed" without revealing content.
Explicit tradeoff: After key-shred, you can prove existence and position in history, but cannot recover plaintext. Legal holds prevent premature shredding.
Raft groups: Separate consensus groups per tenant
Encryption domains: Independent KEK hierarchies
Authz namespaces: Isolated policy graphs
Audit logs: Separate audit streams
Optional: dedicated hardware per tenant for highest isolation requirements.