Architecture
Zero-Trust model: no long-lived SSH access credentials live on user devices. Access is granted by a CA-signed certificate that expires in minutes, so a lost or stolen device yields at most a short window of access.
Components
| Component | Role |
|---|---|
| Flask Server | Primary frontend; manages user sessions and coordinates evaluation. |
| Gate0 (Rust) | High-performance, stateless policy-evaluation engine. Mechanically verified for termination and determinism. |
| GateBridge (Shadow Plane) | Bridges Python and Rust. Runs a parallel (shadow) evaluation of each policy decision so that divergence between the two planes can be detected. |
| OpenSSH CA | Signs user public keys into OpenSSH user certificates that expire in minutes. |
| Trust Budget Ledger | Stateful SQLite accounting for cumulative issuance limits. |
| Audit Ledger | Hash-chained log of all events. Tamper-evident by design. |
Security Properties
CA Key : Encrypted at rest, never leaves the container. Stored with 0400 permissions.
Audit : Tamper-evident ledger with optional remote syslog mirroring.
Ephemeral : Certificates expire in minutes by default (configurable via policy).
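The issuance step behind the two properties above, as an added example that is not Ephemera's own code: it builds and runs the `ssh-keygen` signing command that turns a user's public key into a certificate valid for a few minutes. The CA key file name `/app/ca_store/ca_key`, the function names and the default options are this example's assumptions; only the volume path comes from the page.

```python
"""Issue a short-lived OpenSSH user certificate with ssh-keygen.

Added example, not Ephemera project code. It assumes the CA private key lives
at /app/ca_store/ca_key (the volume path is from the page, the file name is a
guess) and that ssh-keygen is on PATH. Function and parameter names are this
example's own.
"""
import shutil
import subprocess
from pathlib import Path

CA_KEY = Path("/app/ca_store/ca_key")  # assumed file name inside the documented volume


def cert_path_for(user_pubkey):
    """ssh-keygen writes the certificate next to the key as <name>-cert.pub."""
    pub = Path(user_pubkey)
    stem = pub.name[:-4] if pub.name.endswith(".pub") else pub.name
    return pub.with_name(stem + "-cert.pub")


def build_issue_argv(ca_key, user_pubkey, key_id, principals, ttl_minutes=5,
                     skew_minutes=1, serial=0,
                     options=("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")):
    """Return the ssh-keygen argv that signs user_pubkey into a short-lived certificate.

    -V "-1m:+5m"  validity starts one minute in the past (absorbs clock skew
                  between the CA and the hosts) and ends ttl_minutes from now
    -I key_id     identity string that sshd logs and the audit ledger should record
    -n principals login names the certificate is valid for
    -z serial     serial number, useful for later revocation via a KRL
    -O option     restrictions on what the certificate may do
    """
    principals = list(principals)
    if not principals or any("," in p or not p for p in principals):
        raise ValueError("need one or more principals without commas")
    if ttl_minutes <= 0 or skew_minutes < 0:
        raise ValueError("ttl must be positive and skew non-negative")
    argv = ["ssh-keygen", "-s", str(ca_key), "-I", key_id,
            "-n", ",".join(principals),
            "-V", f"-{skew_minutes}m:+{ttl_minutes}m",
            "-z", str(serial)]
    for opt in options:
        argv += ["-O", opt]
    argv.append(str(user_pubkey))
    return argv


def issue(ca_key, user_pubkey, key_id, principals, **kwargs):
    """Run ssh-keygen and return the path of the certificate it wrote."""
    if shutil.which("ssh-keygen") is None:
        raise RuntimeError("ssh-keygen is not installed")
    subprocess.run(build_issue_argv(ca_key, user_pubkey, key_id, principals, **kwargs),
                   check=True, capture_output=True)
    return cert_path_for(user_pubkey)


# Host side (not run here): sshd trusts the CA public key via
#   TrustedUserCAKeys /etc/ssh/ephemera_ca.pub
# and checks the validity window against its own clock, which is why the
# small negative start offset above is worth keeping.
```

Usage: `issue(CA_KEY, "/tmp/id_ed25519.pub", "alice@laptop", ["alice"], ttl_minutes=5, serial=42)` writes `/tmp/id_ed25519-cert.pub`. The `-I` identity is what shows up in the host's auth log, so it should match what the audit ledger records for the same issuance.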
Trust Zones
The CA private key is the root of trust. It is generated at startup if missing and stored in a Docker volume (/app/ca_store) that is never exposed to unprivileged containers. Note the consequence of the regenerate-if-missing behaviour: if the volume is lost, a fresh key is generated and no host will accept the new certificates until its TrustedUserCAKeys entry is updated to the new CA public key.
Certificate issuance requires successful WebAuthn or TOTP verification. The audit ledger records every issuance with a cryptographic chain to detect tampering.
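The hash chain the audit ledger relies on, as an added example rather than Ephemera's own ledger code. Each entry commits to the hash of its predecessor, so editing an old record breaks the chain at that point; the example also shows the limitation a practitioner should know about, namely that deleting entries from the tail is invisible to the chain alone, which is what the remote syslog mirroring (or mirroring the head hash) is for. The record layout and the chaining rule are this example's assumptions.

```python
"""Hash-chained audit ledger: append, verify, and localise tampering.

Added example, not Ephemera's ledger code. The record layout and the chaining
rule (SHA-256 over the previous entry's hash, the sequence number and the
canonical JSON of the event) are this example's assumptions.
"""
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


def _canonical(event):
    # Sorted keys and fixed separators so the same event always hashes the same.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, seq, event):
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(b"\n%d\n" % seq)
    h.update(_canonical(event))
    return h.hexdigest()


def append(ledger, event):
    """Append event to the in-memory ledger (a list) and return the new entry."""
    seq = len(ledger)
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event, "hash": entry_hash(prev, seq, event)}
    ledger.append(entry)
    return entry


def verify(ledger):
    """Return (True, None) if every entry commits to its predecessor, else (False, seq)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if entry["hash"] != entry_hash(prev, i, entry["event"]):
            return False, i
        prev = entry["hash"]
    return True, None


def head(ledger):
    """Hash of the latest entry: the one value worth mirroring off-box."""
    return ledger[-1]["hash"] if ledger else GENESIS


def sample_ledger():
    """Constructed sample events in the shape issuance records might take."""
    ledger = []
    append(ledger, {"type": "issue", "key_id": "alice@laptop", "principals": ["alice"], "ttl_min": 5})
    append(ledger, {"type": "issue", "key_id": "bob@desk", "principals": ["bob"], "ttl_min": 5})
    append(ledger, {"type": "deny", "key_id": "mallory@x", "reason": "budget_exhausted"})
    return ledger


def tamper_rewrite_principal(ledger, seq, principal):
    """Edit an old event in place, as an attacker with write access to the log would."""
    ledger[seq]["event"]["principals"] = [principal]
    return ledger
```

If the attacker also recomputes the edited entry's own hash, the break simply moves to the next entry, whose `prev` no longer matches. Truncating the newest entries leaves a chain that still verifies, so the head hash (or the whole stream) must be copied somewhere the CA container cannot rewrite.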
System Design
Architecture Philosophy
Ephemera employs a Stateless Core / Stateful Wrapper design to maintain security invariants.
Gate0 is a purely stateless logic engine: its output is a function of its inputs alone, which is what lets it be audited and fuzzed rigorously (including our 1,000,000-iteration soak test). It receives policy rules and user context and returns a boolean decision with metadata.
Trust Budgeting is stateful and is handled by the Python wrapper. Budgeting requires atomic ledger increments and persistent state, so it sits outside the logic engine. This separation means a bug in the evaluation logic cannot inadvertently wipe the trust ledger, and a bug in the ledger cannot change an evaluation result.