Security posture deep dive
if.security
`if.security` is a cross-cut contract spanning all module lanes: routing, integration, transport, coordination, memory, governance, and integrity receipts.
Status (black/white): roadmap posture; full runtime security orchestration is not yet shipped.
Preview components exist (notably `if.security.secrets.detect`) and are explicitly bounded in scope.
- Defines posture and contracts for how modules report and react to security-relevant findings.
- Reuses existing module primitives (`if.bus`, `if.blackboard`, `if.gov`, `if.trace`) instead of inventing parallel stacks.
- Does not claim universal prevention, compliance certification, or semantic correctness guarantees.
Cross-Cut Coverage
Security posture applies to each module lane with explicit boundaries.
| Module | Security lens | Boundary |
|---|---|---|
| if.switchboard | routing abuse detection + security_signal emission | routing precision/reliability controls stay separate from security policy authorship |
| if.api | adapter boundary checks + schema violation signaling | adapter contract checks do not imply third-party API correctness |
| if.bus | security_signal envelope + containment command carriage | event transport is not itself an automated policy engine |
| if.blackboard | append-only incident chronology and remediation lineage | coordination memory is evidence continuity, not incident truth certification |
| if.context | bounded evidence context for triage and council review | context scope controls do not certify semantic correctness |
| if.gov | human checkpoint and stop-condition escalation | governance packs remain review artifacts, not compliance guarantees |
| if.trace | integrity receipts for security-relevant artifacts | receipt integrity does not assert legal/semantic truth |
| if.security.secrets.detect | preview detector producing redacted findings and security signals | preview detector does not claim CI-wide always-on enforcement |
Evidence And Containment Contracts
Evidence kinds and containment states together define what automation may actuate without a human decision, and what must be escalated.
Evidence kinds
| Kind | Meaning | Automation |
|---|---|---|
| observed | direct detector observation on bytes or envelopes | eligible for WATCH/CONTAIN automation policies |
| derived | computed from observed artifacts (for example risk aggregation) | eligible for bounded automation with policy constraints |
| hypothesis | inference requiring additional evidence or human interpretation | not eligible for side-effect automation |
Containment states
| State | Action | Contract mapping |
|---|---|---|
| WATCH | record and correlate security_signal only | no side-effect actuation |
| CONTAIN | isolate scope via quarantine or hold | if.bus control command sequence with evidence capture |
| HALT | drain + quarantine + explicit human resume | if.gov escalation with blackboard continuity |
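The two tables above read as a decision function: the evidence kind bounds how far automation may go, and the containment state bounds what the actuation is. The block below is an added illustration of that gate, not code from the `if.security` project; the `SecuritySignal` and `Decision` shapes, the `decide_actuation` name and the `DERIVED_RISK_THRESHOLD` policy constant are assumptions chosen for the example. It goes slightly beyond the tables by spelling out one possible "bounded automation" rule for derived evidence (lineage to observed evidence plus a risk floor), which the page leaves to policy.

```python
"""Hypothetical policy gate for the evidence-kind / containment-state contract.

Added example; not the project's own code. SecuritySignal, Decision,
decide_actuation and DERIVED_RISK_THRESHOLD are names assumed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class EvidenceKind(Enum):
    OBSERVED = "observed"      # direct detector observation on bytes or envelopes
    DERIVED = "derived"        # computed from observed artifacts (e.g. risk aggregation)
    HYPOTHESIS = "hypothesis"  # inference needing more evidence or a human


class Containment(Enum):
    WATCH = "WATCH"      # record and correlate security_signal only
    CONTAIN = "CONTAIN"  # isolate scope via quarantine or hold
    HALT = "HALT"        # drain + quarantine + explicit human resume


@dataclass(frozen=True)
class SecuritySignal:
    signal_id: str
    kind: EvidenceKind
    requested: Containment
    risk: float = 0.0            # aggregated score, only meaningful for derived kinds
    derived_from: tuple = ()     # signal_ids of observed evidence this was computed from


@dataclass(frozen=True)
class Decision:
    state: Containment   # the state automation may actually apply
    automated: bool      # True if automation may actuate `state` itself
    escalate: bool       # True if an if.gov checkpoint must see this signal
    reason: str


# Assumed policy constraint for derived evidence: automation may CONTAIN only
# when the aggregate risk meets this floor AND lineage to observed evidence exists.
DERIVED_RISK_THRESHOLD = 0.8


def decide_actuation(sig: SecuritySignal) -> Decision:
    """Map (evidence kind, requested state) to what automation may do."""
    # HALT always needs explicit human resume, whatever the evidence kind.
    if sig.requested is Containment.HALT:
        return Decision(Containment.HALT, automated=False, escalate=True,
                        reason="HALT requires if.gov escalation and human resume")

    if sig.kind is EvidenceKind.HYPOTHESIS:
        # Hypotheses never drive side effects: hold at WATCH, and escalate
        # only if something stronger than WATCH was requested.
        return Decision(Containment.WATCH, automated=True,
                        escalate=sig.requested is not Containment.WATCH,
                        reason="hypothesis evidence is not eligible for side-effect automation")

    if sig.requested is Containment.WATCH:
        return Decision(Containment.WATCH, automated=True, escalate=False,
                        reason="WATCH has no side-effect actuation")

    # From here on the request is CONTAIN.
    if sig.kind is EvidenceKind.OBSERVED:
        return Decision(Containment.CONTAIN, automated=True, escalate=False,
                        reason="observed evidence is eligible for CONTAIN automation")

    # Derived evidence: bounded automation under the policy constraint above.
    if sig.derived_from and sig.risk >= DERIVED_RISK_THRESHOLD:
        return Decision(Containment.CONTAIN, automated=True, escalate=False,
                        reason="derived evidence meets risk floor with observed lineage")
    return Decision(Containment.WATCH, automated=True, escalate=True,
                    reason="derived evidence below policy bound; hold at WATCH and escalate")


if __name__ == "__main__":
    demo = SecuritySignal("sig-1", EvidenceKind.HYPOTHESIS, Containment.CONTAIN)
    print(decide_actuation(demo))
```

The useful property is that the gate never returns `automated=True` for HALT and never returns CONTAIN for a hypothesis, regardless of what the emitting module requested; the requesting module proposes, the contract disposes.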
Detect Integration
`if.security.secrets.detect` is one concrete module under the cross-cut posture.
| Relationship | Type | Meaning | Source |
|---|---|---|---|
| if.security -> all module lanes | cross-cut posture | shared contract for signal semantics, evidence kinds, and containment mapping | docs/89-if-security-posture.md |
| if.security.secrets.detect -> if.bus | signal emission | detector findings emit public-safe security_signal envelopes | if.security posture + detect page |
| if.security.secrets.detect -> if.blackboard | coordination lineage | findings and remediation checkpoints are tracked as append-only task/signal history | if.security posture |
| if.security.secrets.detect -> if.gov | governance escalation | high-impact or ambiguous findings route to triage/council decisions | if.security posture |
| if.security + detect -> if.trace | receipt lineage | security artifacts can be integrity-anchored for external verification | if.registry.json |
Security posture remains platform-agnostic by design: the contract is bound to schemas, decision checkpoints, and receipts rather than a single model vendor, cloud provider, or transport substrate.
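The Detect Integration table describes a path from detector to bus envelope, to append-only blackboard history, to integrity receipt. The block below is an added example of that path, not the project's detector or its envelope schema; the two regexes, the envelope field names, the `fingerprint` handle and the hash-chained chronology are all assumptions made for illustration, and the sample lines are constructed. It shows the two properties the table asks for: the emitted `security_signal` is public-safe (no raw secret bytes leave the detector, only a one-way fingerprint for correlation), and the chronology is append-only in a checkable sense (each record commits to the previous receipt, so an edited record breaks verification).

```python
"""Hypothetical detector -> security_signal -> chronology -> receipt pipeline.

Added example; not the project's code. PATTERNS, the envelope fields,
fingerprint(), append_chronology() and verify_chronology() are assumptions.
"""
import hashlib
import json
import re

# Constructed sample input: one basic-auth URL, one AWS-style key id, one safe line.
SAMPLE_LINES = [
    'export DB_URL="postgres://app:hunter2pass@db.internal/app"',
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    'print("hello")',
]

# Illustrative rules only; a real detector carries many more.
PATTERNS = {
    "url_basic_auth": re.compile(r"://[^/\s:]+:([^@\s]+)@"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def _matches(line):
    """Yield (rule, raw_secret) for every rule that fires on the line."""
    for rule, pat in PATTERNS.items():
        m = pat.search(line)
        if m:
            yield rule, (m.group(1) if m.groups() else m.group(0))


def fingerprint(secret: str) -> str:
    """Stable, non-reversible handle for correlation; the raw bytes never leave."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def detect(lines):
    """Emit public-safe security_signal envelopes: kind=observed, state=WATCH."""
    signals = []
    for lineno, line in enumerate(lines, 1):
        for rule, secret in _matches(line):
            signals.append({
                "type": "security_signal",
                "source": "if.security.secrets.detect",
                "kind": "observed",
                "state": "WATCH",
                "rule": rule,
                "location": {"line": lineno},
                "fingerprint": fingerprint(secret),   # redacted: no raw value
            })
    return signals


def leaks_secret(signals, lines) -> bool:
    """Public-safety check: does any raw match appear anywhere in the envelopes?"""
    blob = json.dumps(signals)
    return any(secret in blob for line in lines for _, secret in _matches(line))


def canonical(obj) -> bytes:
    """Deterministic JSON so receipts are reproducible by an external verifier."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_chronology(chain, entry) -> str:
    """Append-only history: each record's receipt commits to the previous one."""
    prev = chain[-1]["receipt"] if chain else "0" * 64
    receipt = hashlib.sha256(canonical({"prev": prev, "entry": entry})).hexdigest()
    chain.append({"prev": prev, "entry": entry, "receipt": receipt})
    return receipt


def verify_chronology(chain) -> bool:
    """Recompute every receipt; any edited or reordered record fails."""
    prev = "0" * 64
    for rec in chain:
        expected = hashlib.sha256(canonical({"prev": prev, "entry": rec["entry"]})).hexdigest()
        if rec["prev"] != prev or rec["receipt"] != expected:
            return False
        prev = rec["receipt"]
    return True


if __name__ == "__main__":
    chain = []
    for sig in detect(SAMPLE_LINES):
        append_chronology(chain, sig)
    print(json.dumps(chain, indent=2))
```

The receipt here is a bare SHA-256 chain; anchoring it externally (the `if.trace` role in the table) is what lets a third party verify the history, and it still asserts only that the records were not altered after emission, not that the finding itself was a true positive.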