Zero-trust model
Zero-trust here is not a slogan — it is a set of concrete boundaries that hold even when parts of the system are compromised.
Mutual TLS everywhere
Every connection between a device and the platform is mutually authenticated. The device proves who it is with a per-device X.509 certificate; the platform proves who it is with its own. A device's identity is taken from its verified certificate, never from anything it claims in a request — so a device can only ever act as itself.
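One way to enforce this on the platform side, as an added example that is not the platform's own code: the TLS layer requires a verified client certificate, and the handler takes the device identity from that certificate only. The `urn:fleet:<fleet>:device:<device-id>` URI SAN layout, the function names and the request body fields are assumptions made for illustration.

```python
import ssl

# Assumed identity encoding (not from the page): one URI SAN per device
# certificate, shaped "urn:fleet:<fleet>:device:<device-id>".
SAN_PREFIX = "urn:fleet:"
# Constructed sample of what SSLSocket.getpeercert() returns after a verified handshake.
SAMPLE_PEER_CERT = {"subject": ((("commonName", "cam-01"),),),
                    "subjectAltName": (("URI", "urn:fleet:acme:device:cam-01"),)}


def server_context(cert_file, key_file, device_ca_file):
    """TLS context that refuses any client without a CA-verified certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)       # the platform's own identity
    ctx.load_verify_locations(device_ca_file)      # CA that issues device certs
    ctx.verify_mode = ssl.CERT_REQUIRED            # no certificate, no session
    return ctx


def identity_from_peer_cert(peer_cert):
    """Return (fleet, device_id) from the dict SSLSocket.getpeercert() yields.

    With CERT_REQUIRED that dict is only populated for a chain the TLS layer
    has already verified, so nothing in it is caller-controlled.
    """
    if not peer_cert:
        raise PermissionError("no verified client certificate")
    uris = [v for kind, v in peer_cert.get("subjectAltName", ()) if kind == "URI"]
    ids = [u for u in uris if u.startswith(SAN_PREFIX)]
    if len(ids) != 1:
        raise PermissionError("expected exactly one device identity SAN")
    parts = ids[0].split(":")
    if len(parts) != 5 or parts[3] != "device" or not parts[2] or not parts[4]:
        raise PermissionError("malformed device identity SAN")
    return parts[2], parts[4]


def handle_status_report(peer_cert, body):
    """Record an update status under the certificate's identity only."""
    fleet, device_id = identity_from_peer_cert(peer_cert)
    claimed = body.get("device_id")
    if claimed is not None and claimed != device_id:
        # A mismatch is worth alerting on: a device is naming another device.
        raise PermissionError("body device_id does not match certificate")
    return {"fleet": fleet, "device_id": device_id,
            "version": body["version"], "healthy": bool(body["healthy"])}
```

The stored record carries only the certificate-derived identity plus version and health status, so a request body can never cause a write under another device's name.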
No unsigned path
There is exactly one way for an artifact to reach a workload: signed, and verified on the device against a pinned trust anchor. This path is the same in development and in production — development simply uses development keys. There is no "insecure" flag, no debug bypass, no temporary shortcut. If it is not verified, it is not applied.
This is the property that contains a supply-chain compromise. An attacker who takes over the build pipeline, the registry, or the delivery service still cannot make a device run their code, because the authority to sign updates lives in keys the delivery infrastructure never holds.
Keys that never move
The most powerful signing keys are kept offline. The delivery service holds only the limited, online keys it needs to publish day to day; the keys that anchor the whole chain of trust live on an air-gapped machine and are used only in a deliberate ceremony. A compromise of the online service is recoverable and bounded — it cannot rewrite the root of trust.
The same principle applies on the device: its private key is generated on the device and never leaves it. The platform signs a certificate for the device's public key; it never sees the private half.
Per-fleet trust domains
Each fleet's signing scope is isolated. A compromise of one party's keys or artifacts must not be able to reach another fleet. Isolation runs through identity, artifact namespacing and data access — the blast radius of a compromise stops at its own boundary.
Metadata only
The platform deals in metadata, never payload contents. It records that a device updated, to which version, and whether the health check passed — it does not inspect, copy or export what your application processes. This is a hard line, and it is what makes the platform usable for defense and other sensitive deployments.
Next
- The Update Framework — how update metadata is secured.
- Device identity — how a device proves who it is.
- Security model