Security

STACK is designed with defense-in-depth. Every layer enforces security independently.

Encryption

• All credentials are encrypted at rest using AWS KMS envelope encryption
• Identity PII (Layer 2) is encrypted separately — never stored in plaintext
• Drop-off payloads are KMS-encrypted in transit and at rest
• Sealed skill scripts and system prompts are stored encrypted

Authentication

• API keys are hashed (SHA-256) before storage — plaintext never persisted
• Passport JWTs are signed with EdDSA (Ed25519) — tamper-proof
• Session JWTs use EdDSA with 24-hour TTL
• OAuth state tokens are signed with nonce and 10-minute TTL

Revocation

• Passport revocation propagates within 60 seconds via Redis cache
• Service disconnection cascades: revokes affected agent passports
• Identity claim revocation cascades: revokes all operator passports
• Team member revocation immediately invalidates their API key

Audit

• Append-only audit log with hash chaining — INSERT only, no UPDATE/DELETE
• Every credential retrieval, passport issuance, and service action is logged
• Security signals detect anomalies: out-of-scope access, burst patterns, post-checkout access
• Full accountability reports for every passport mission

Sealed Execution

• Skills run in sandboxed JavaScript runtime (Node.js vm module)
• 30-second timeout enforcement
• Limited sandbox globals — no filesystem, network, or process access
• Buyer input and seller logic are never exposed to each other
• Credential proxy provides metered, scoped access — no raw credentials in sandbox

GDPR Compliance

• Layer 2 identity requirements must declare requires_pii and lawful_basis
• PII is encrypted at rest with separate KMS key
• Identity claims carry claim_ref only — PII never in JWT
• Claims can be revoked (right to erasure)