
Security Architecture

The verified security posture of AuthorityRail's execution authority infrastructure. Designed to align with SOC 2, ISO 27001, and NIST AI RMF principles; specific attestations are listed on the compliance posture page with truthful status indicators.

Last revised: 2026-05-17 · Version v1.0

Doctrine

Fail-closed. When AuthorityRail's gate cannot evaluate an authorization request — for any reason — it returns DENY, never ALLOW. Probability ≠ Permission. The gate's value claim is provable execution authority; falling back to "best effort" would violate that claim.

Zero-bypass architecture. No customer integration path issues an ALLOW decision without producing a Certified Action Record. There is no debug endpoint, no admin override, no superuser bypass.

Cryptographic execution evidence

Ed25519 signing
Every Certified Action Record (CAR) is signed with an Ed25519 key whose public counterpart is published at gate.authorityrail.com/v1/keys.
Independent verification
Customers and auditors verify CARs locally with a standard Ed25519 implementation — without trusting AuthorityRail's runtime.
Chain version
The CAR envelope is versioned (chain_version); v1.1 seals engine-health attestation into the signed digest per Hardening Pass 1 closure.
Key custody
The primary signing key is kept in Supabase Vault and rotated on the schedule defined in docs/runbooks/06-car-signing-key-incident.md; emergency rotation is drilled via the same runbook.
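
The fail-closed doctrine and local verification can be combined on the relying side, as in this added example (not AuthorityRail's code): an ALLOW is honoured only when its record carries a valid Ed25519 signature, and every other outcome is DENY. The envelope layout (payload, signature), the record fields other than chain_version, and the signing input are assumptions for illustration, not the published CAR format; the key pair is a throwaway generated inline.

```javascript
// Added example: fail-closed local check of a signed decision record.
// ASSUMPTIONS: the envelope is { payload: <JSON string>, signature: <base64> }
// and the signature covers the UTF-8 bytes of payload. This is a hypothetical
// layout, not AuthorityRail's real CAR envelope or digest construction.
const nodeCrypto = require('node:crypto');

// Returns 'ALLOW' only if every check passes; any error or doubt yields 'DENY'.
function effectiveDecision(envelope, publicKey) {
  try {
    if (!envelope || typeof envelope.payload !== 'string' ||
        typeof envelope.signature !== 'string') return 'DENY';
    const sig = Buffer.from(envelope.signature, 'base64');
    if (sig.length !== 64) return 'DENY'; // Ed25519 signatures are 64 bytes
    // Verify the exact bytes received before parsing them.
    const data = Buffer.from(envelope.payload, 'utf8');
    if (!nodeCrypto.verify(null, data, publicKey, sig)) return 'DENY';
    const record = JSON.parse(envelope.payload);
    return record.decision === 'ALLOW' ? 'ALLOW' : 'DENY';
  } catch (err) {
    return 'DENY'; // unusable key, bad JSON, etc.: never fall back to ALLOW
  }
}

// Constructed sample data: a throwaway key pair stands in for the gate's key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Hypothetical signer, used only to build test envelopes.
function signRecord(record) {
  const payload = JSON.stringify(record);
  const signature = nodeCrypto
    .sign(null, Buffer.from(payload, 'utf8'), privateKey)
    .toString('base64');
  return { payload, signature };
}

const allowed = signRecord({ decision: 'ALLOW', action: 'wire.transfer', chain_version: '1.1' });
// Same signature, altered payload: must not verify.
const tampered = { ...allowed, payload: allowed.payload.replace('wire.transfer', 'wire.transfer.all') };
// ALLOW claimed without any signature at all.
const unsigned = { payload: allowed.payload };

console.log(effectiveDecision(allowed, publicKey));
console.log(effectiveDecision(tampered, publicKey));
console.log(effectiveDecision(unsigned, publicKey));
```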

Multi-tenant isolation

AuthorityRail is multi-tenant by design. Customer data and operational state are isolated at the database layer:

Transport and network

Email authentication (operational sender posture)

Detection and response

The operational doctrine is Detection → Classification → Communication → Recovery, governed by:

Disclosure

Security vulnerabilities should be reported per the CVD policy. AuthorityRail commits to a 90-day disclosure window from acknowledgement to public advisory (or sooner where appropriate) under the AuthorityRail Standards Foundation CVD doctrine.
