Document Classification: Internal — CHLOM Confidential
Phase: 0 → 1
Owner: CrownThrive, LLC
Last Updated: 2025-08-08
A — Purpose & Scope
Terminate mTLS; authenticate and authorize tenants; enforce rate limits and policy; route to CE and ZKV; emit structured telemetry; protect against abuse (WAF/DDoS).
B — Architecture
- Ingress: Anycast + CDN/WAF → Envoy/Kong.
- AuthN: OAuth2 client-credentials; token introspection; JTI replay checks.
- AuthZ: Scopes:
- Policy: OPA/Cedar sidecar; deny-by-default; policy bundles are signed.
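The AuthN/AuthZ stage above, modelled in-process as an added example (not CHLOM's or the gateway's own code). It assumes the introspection response has already been fetched from the IdP, that each request carries a token whose jti is single-use within its lifetime (the page does not say which token the jti belongs to), that the mTLS cert has already been mapped to a tenant id, and that the route-to-scope table below stands in for the scope list the page leaves unstated. All sample values are constructed.

```python
"""Added example: token checks, JTI replay rejection, mTLS-tenant binding and
deny-by-default scope authorization for the gateway's selected routes."""
import time
from dataclasses import dataclass, field
from typing import Optional

# Route -> required scope. Anything not listed is denied (deny-by-default).
# Scope names are assumptions; the page only lists the routes.
ROUTE_SCOPES = {
    "POST /v1/score/compliance": "caas:score",
    "POST /v1/zk/verify": "zk:verify",
    "POST /v1/anomaly/stream": "anomaly:stream",
    "POST /v1/kyc/resolve": "kyc:resolve",
}


@dataclass
class Decision:
    allowed: bool
    status: int    # HTTP status the gateway would return
    reason: str    # short, stable reason code (safe to log and to return)


@dataclass
class ReplayCache:
    """Remembers jti values until the token that carried them expires."""
    seen: dict = field(default_factory=dict)   # jti -> exp (unix seconds)

    def check_and_record(self, jti: str, exp: float, now: float) -> bool:
        # Entries for expired tokens can no longer be replayed; drop them.
        self.seen = {k: v for k, v in self.seen.items() if v > now}
        if jti in self.seen:
            return False
        self.seen[jti] = exp
        return True


def authorize(introspection: dict, route: str, cache: ReplayCache,
              cert_tenant: str, now: Optional[float] = None) -> Decision:
    """introspection: an RFC 7662-style response (constructed here);
    cert_tenant: tenant id derived from the client certificate mapping."""
    now = time.time() if now is None else now
    # AuthN: the token must be active, unexpired and carry a jti and tenant.
    if not introspection.get("active"):
        return Decision(False, 401, "token_inactive")
    exp = introspection.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return Decision(False, 401, "token_expired")
    jti = introspection.get("jti")
    if not isinstance(jti, str) or not jti:
        return Decision(False, 401, "token_missing_jti")
    tenant = introspection.get("tenant_id")
    if not tenant:
        return Decision(False, 401, "token_missing_tenant")
    # Binding: the token's tenant must be the tenant the mTLS cert maps to,
    # so a token leaked to another tenant's client is useless.
    if tenant != cert_tenant:
        return Decision(False, 403, "tenant_mismatch")
    # Replay: a jti is accepted once; a second presentation is rejected.
    if not cache.check_and_record(jti, exp, now):
        return Decision(False, 401, "token_replayed")
    # AuthZ: unknown routes and missing scopes are denied by default.
    required = ROUTE_SCOPES.get(route)
    if required is None:
        return Decision(False, 404, "route_unknown")
    scopes = set(str(introspection.get("scope", "")).split())
    if required not in scopes:
        return Decision(False, 403, "scope_missing")
    return Decision(True, 200, "ok")
```

The tenant check runs before the replay cache is updated so that a rejected cross-tenant presentation does not burn the jti for the legitimate holder; the cache itself is bounded by token lifetime, which is what makes the check cheap enough for the edge.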
C — Endpoints (selected)
- POST /v1/score/compliance
- POST /v1/zk/verify
- POST /v1/anomaly/stream
- POST /v1/kyc/resolve
D — Security & Hardening
- mTLS required for all clients; cert mapping to tenant IDs.
- Headers: require
- Rate Limits: token + IP; burst 50, sustained 10 rps default (tenant tiered).
- Replay: Reject reused
- Content Security: JSON only; size caps (1 MB default); schema validation at edge.
- Error Taxonomy: 4xx client, 5xx server; never leak internals.
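The edge checks listed above, as an added example that is not CHLOM's own code: a token bucket per bearer token and per source IP with the 50-burst / 10 rps default, JSON-only bodies capped at 1 MB, schema validation, and 4xx/5xx responses that never carry internals. The tier table, the schema and the sample inputs are constructed; the route schema in particular is an assumption, since the page does not publish request schemas.

```python
"""Added example: rate limiting, content security and error shaping at the edge."""
from dataclasses import dataclass

MAX_BODY_BYTES = 1 * 1024 * 1024   # 1 MB default size cap

# Tenant tiers as (burst, sustained rps). "default" is the page's figure;
# "premium" is an assumed second tier to illustrate tenant tiering.
TIERS = {"default": (50, 10.0), "premium": (200, 50.0)}


@dataclass
class Bucket:
    capacity: int      # burst size
    rate: float        # sustained refill, tokens per second
    tokens: float
    updated: float     # last refill timestamp (unix seconds)


class RateLimiter:
    """One bucket per bearer token and one per source IP; a request needs a
    token in both, so neither one token spread over many addresses nor many
    tokens from one address exceeds the tier. The IP bucket takes the tier of
    the first token seen from that address (a simplification)."""

    def __init__(self):
        self.buckets: dict = {}

    def _bucket(self, key, tier: str, now: float) -> Bucket:
        burst, rate = TIERS.get(tier, TIERS["default"])
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(burst, rate, float(burst), now)
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.updated) * b.rate)
        b.updated = now
        return b

    def allow(self, token_id: str, ip: str, tier: str, now: float) -> bool:
        buckets = [self._bucket(("token", token_id), tier, now),
                   self._bucket(("ip", ip), tier, now)]
        if all(b.tokens >= 1 for b in buckets):
            for b in buckets:
                b.tokens -= 1
            return True
        return False   # caller maps this to 429 with Retry-After


# Constructed schema for one route: field name -> required Python type.
SCORE_SCHEMA = {"subject_id": str, "evidence": list}


def check_request(content_type: str, body: bytes, schema: dict):
    """Returns (status, payload). On success payload is the parsed object;
    on failure it is a client-error body with a stable code and, at most,
    the offending field name. Parser messages are never returned."""
    if len(body) > MAX_BODY_BYTES:
        return 413, {"error": "payload_too_large"}
    if content_type.split(";")[0].strip().lower() != "application/json":
        return 415, {"error": "unsupported_media_type"}
    try:
        import json
        obj = json.loads(body)
    except ValueError:
        return 400, {"error": "malformed_json"}
    if not isinstance(obj, dict):
        return 400, {"error": "schema_violation"}
    for name, typ in schema.items():
        if name not in obj or not isinstance(obj[name], typ):
            return 400, {"error": "schema_violation", "field": name}
    return 200, obj


def server_error(exc: Exception, operation_id: str):
    """5xx path: the client gets a stable code plus the correlation id; the
    exception type and message go only to the structured log entry."""
    response = (500, {"error": "internal_error", "operation_id": operation_id})
    log_entry = {"operation_id": operation_id,
                 "exc_type": type(exc).__name__, "exc_msg": str(exc)}
    return response, log_entry
```

The size check runs before the body is parsed, so an oversized payload is rejected without being decoded; the media-type check compares only the type, so a `charset` parameter does not cause a false 415.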
E — Observability
- Metrics: request rate, P50/P95/P99 latency per route, error rate, token failures.
- Logs: JSON, redacted; include tenant_id, operation_id, route, status.
- Tracing: Propagate W3C trace context to CE/ZKV; sample 1–5% (adaptive).
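The log and tracing conventions above, as an added example (not CHLOM's own code): a redacted JSON log line carrying tenant_id, operation_id, route and status, and W3C traceparent handling that keeps the inbound trace id for correlation but lets the edge make its own deterministic sampling decision at the configured rate. The set of redacted header names and the sample values are constructed; a real deployment would drive the rate from the adaptive controller the page mentions.

```python
"""Added example: redacted structured logging and W3C trace-context propagation."""
import json
import re
import secrets

# Header/field names treated as secrets (assumed list; extend per deployment).
REDACT_KEYS = {"authorization", "cookie", "x-api-key", "client_secret"}

# version-traceid-parentid-flags, all lowercase hex (W3C Trace Context).
TRACEPARENT_RE = re.compile(
    r"^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")


def redact(value):
    """Recursively replace values stored under sensitive keys; structure is kept."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k.lower() in REDACT_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_line(tenant_id: str, operation_id: str, route: str, status: int,
             extra: dict = None) -> str:
    """One JSON object per line; extra fields pass through the redactor."""
    record = {"tenant_id": tenant_id, "operation_id": operation_id,
              "route": route, "status": status}
    if extra:
        record.update(redact(extra))
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def parse_traceparent(header: str):
    """Returns {trace_id, parent_id, sampled} or None for an unusable header."""
    m = TRACEPARENT_RE.match(header or "")
    if not m:
        return None
    version, trace_id, parent_id, flags = m.groups()
    if version == "ff" or trace_id == "0" * 32 or parent_id == "0" * 16:
        return None   # values the spec marks as invalid
    return {"trace_id": trace_id, "parent_id": parent_id,
            "sampled": int(flags, 16) & 1 == 1}


def sampling_decision(trace_id: str, rate: float) -> bool:
    """Deterministic head sampling on the trailing 32 bits of the trace id,
    so every hop that applies the same rate reaches the same answer."""
    bucket = int(trace_id[-8:], 16) / 0xFFFFFFFF
    return bucket < rate


def outbound_traceparent(inbound: str, new_span_id: str, rate: float = 0.01) -> str:
    """Header to forward to CE/ZKV. The inbound trace id is kept so the
    caller's trace and ours join up, but the inbound sampled flag is not
    trusted: an external caller must not be able to force 100% sampling."""
    ctx = parse_traceparent(inbound)
    trace_id = ctx["trace_id"] if ctx else secrets.token_hex(16)
    sampled = sampling_decision(trace_id, rate)
    return f"00-{trace_id}-{new_span_id}-{'01' if sampled else '00'}"
```

Deterministic sampling keyed on the trace id is what keeps a trace either fully present or fully absent across CE and ZKV; a per-hop coin flip would leave gaps in 95% or more of the traces at these rates.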
F — Policies (snippets)
- Cedar/OPA Example (illustrative pseudo-policy mixing Cedar's permit/when form with OPA-style input access):
    permit(
        principal, action, resource
    ) when {
        action in ["caas:Score", "zk:Verify"] &&
        resource.route.matches(principal.allowed_routes) &&
        input.scopes.includes(action.scope)
    };
G — Runbooks
- /runbooks/gateway-surge.md
- /runbooks/oauth-introspection-outage.md