Security Practices
How WitnessOps protects its own operations, handles vulnerabilities, and manages trust.
This page defines the current security posture for WitnessOps operations: what controls are active, what evidence they emit, and where limits remain explicit.
1. Problem this page solves
Security claims become misleading when current controls, target-state goals, and trust assumptions are mixed together.
This page separates those layers so readers can judge present posture without overclaiming maturity.
2. What you should understand after reading
After this page, you should understand:
- which controls are currently enforced
- what evidence those controls emit
- which threat/failure classes remain outside protection
- where current state differs from target state
3. Mechanism-first security posture
Active controls
| Control | Current behavior | Evidence surface |
|---|---|---|
| Governed execution boundary | Tools run only through the authorized runbook path | runbook state + gate records |
| Artifact integrity | Outputs hashed at generation and bound to manifests | artifact hashes + manifest checks |
| Tier 1 receipt linkage | M0 -> E0 -> P1 -> E2 -> R0 -> V0 binding is explicit and replayable | receipt chain + local recomputation |
| Append-only execution state | Step history is appended over time | state continuity inspection |
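
The artifact-integrity and receipt-linkage rows above, sketched as an added example (not WitnessOps code). Only the stage order M0 through V0 comes from this page; the receipt fields, the canonical-JSON encoding, SHA-256, and the helper names are assumptions, and Ed25519 signatures are left out.

```python
import hashlib
import json

STAGES = ["M0", "E0", "P1", "E2", "R0", "V0"]  # stage order as listed on the page

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digest(body: dict) -> str:
    # Assumed encoding: canonical JSON (sorted keys, no whitespace).
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def make_receipt(stage, artifact_hash, prev):
    body = {"stage": stage, "artifact_sha256": artifact_hash, "prev": prev}
    return dict(body, digest=digest(body))

def build_chain(artifacts):
    """Emit one receipt per stage, each bound to its artifact and its predecessor."""
    chain, prev = [], None
    for stage in STAGES:
        chain.append(make_receipt(stage, sha256_hex(artifacts[stage]), prev))
        prev = chain[-1]["digest"]
    return chain

def verify_chain(chain, artifacts):
    """Recompute every hash locally; return failure strings (empty list = consistent)."""
    failures, prev = [], None
    if [r.get("stage") for r in chain] != STAGES:
        failures.append("stage order mismatch or missing receipt")
    for r in chain:
        stage = r.get("stage")
        body = {k: v for k, v in r.items() if k != "digest"}
        if digest(body) != r.get("digest"):
            failures.append(f"{stage}: receipt digest mismatch")
        if r.get("prev") != prev:
            failures.append(f"{stage}: broken link to previous receipt")
        artifact = artifacts.get(stage)
        if artifact is None or sha256_hex(artifact) != r.get("artifact_sha256"):
            failures.append(f"{stage}: artifact hash mismatch")
        prev = r.get("digest")
    return failures

# Constructed sample artifacts, one per stage (not real WitnessOps output).
SAMPLE = {s: f"constructed output for {s}".encode() for s in STAGES}

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print(verify_chain(chain, SAMPLE))                       # clean run
    print(verify_chain(chain, dict(SAMPLE, P1=b"edited")))   # artifact changed after hashing
```

Local recomputation shows only that the chain is internally consistent: anyone able to rewrite every local receipt can rebuild a matching chain, which is why the independent witness log appears as a target rather than a current control.
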
Current vs target capabilities
| Capability | Current | Target |
|---|---|---|
| Signing algorithm | Ed25519 | Ed25519 |
| Key storage | local filesystem | HSM/secure enclave |
| Key rotation | manual | automated policy-driven |
| Key revocation | not supported | revocation list + timestamp |
| Approval model | self-approval only when explicit workflow policy permits scoped low-risk actions | multi-party separation of duties |
| Tool integrity checking | not verified | wrapper hash verification pre-run |
| Audit log posture | local state files | independent append-only witness log |
4. Observed vs inferred
| Layer | What is observed | What is inferred |
|---|---|---|
| Observed | documented controls, explicit gaps, emitted evidence artifacts | none beyond stated controls |
| Inferred | risk reduction under current posture | depends on deployment discipline and external policy context |
5. Trust assumptions and limits
Current posture does not independently eliminate these risks:
- compromised operator workstation or host
- malicious or tampered tool wrappers
- network-level data tampering before capture
- collusion or weak separation of duties
- key compromise/loss without revocation support
These are explicit boundary conditions, not hidden exceptions. These controls improve integrity and reviewability, but they do not make compromise, collusion, or tool deception impossible.
6. Disclosure path
Report vulnerabilities to security@witnessops.com (canonical mailbox).
security+witnessops@witnessops.com may be used as an optional alias when enabled, but it does not replace the canonical disclosure identity.
7. Next-page handoff
Next, read Governance to map this security posture into approval, authorization, and audit boundaries.