Security Invariants

Security Review Checklist (Enterprise)#

Pre-Production Verification#

Before production deployment, verify the following controls are enabled and validated:

• Capability registry integrity verified

• Policy enforcement enabled (default deny)

• Remote boundary signing enabled

• Nonce / timestamp replay protection enabled

• Lease / fencing enforced (for distributed execution)

• Schema validation enabled (input & output)

• Secret isolation enforced

• Audit export and retention configured

• Egress allowlists configured (enterprise deployments)

• Revocation list refresh configured (if using signed skills)