ADR 0004: Security Identity, Keying, And Audit Integrity
Status
Accepted
Date
2026-06-08
Context
The SDK needs reusable production security substrates rather than bespoke per-CNF wiring. Identity, mTLS transport, key retrieval, audit redaction, and tamper evidence must be consistent across config, session, persistence, alarm, and operator-facing paths.
Decision
Production security uses explicit shared adapters:
opc-identitywatches SPIFFE SVIDs and trust bundles.opc-tlsbuilds reloadable mTLS client/server configurations from identity material.opc-keyprovides durableKmsKeyProvideradapters over authenticated KMS transports or local Unix-socket agents.- Memory key providers remain deterministic test/conformance adapters.
- Persistence audit records redact sensitive values before storage and before hash-chain/HMAC material is calculated.
- Alarm administration uses NACM-backed authorization and durable audit sinks.
Consequences
Production deployments must supply real identity and KMS infrastructure. Unauthenticated TCP KMS and in-memory keys are not production key sources.
Security failures should fail closed and surface sanitized errors rather than leaking paths, SQL details, PEM material, keys, subscriber identifiers, or network addresses.
Evidence
crates/opc-identity/crates/opc-tls/crates/opc-key/crates/opc-persist/src/backend.rscrates/opc-alarm/src/nacm_adapter.rscrates/opc-alarm/src/persist_adapter.rs