Security model
Security is a property of the lease primitive.
Tenura's security posture isn't a sidecar — it's the same mechanism that grants access in the first place. Every resource is held under a short-lived, audience-bound capability token. Failure to release returns hardware to a quarantined state, not to general use.
What we protect
Threat model in one paragraph.
Tenura assumes a multi-tenant fabric where some tenants are mutually distrustful and the operator of the fabric is trusted but not infallible. We design for: token theft, replay attempts, partition-induced state divergence, failed teardown after revocation, and key compromise on an individual node. We do not promise to defend against a tenant that compromises the host kernel of a node it has been granted access to — but the lease's blast radius is bounded by the scope and TTL of its capability.
Properties
Six guarantees that fall out of the design.
Short-lived capabilities.
Every capability token has a TTL of 300 seconds or less. Long-lived secrets are not the unit of access. A leaked token expires before it can be meaningfully redistributed.
Audience binding.
Tokens authorize a specific holder against a specific node, lease, and epoch. They are not transferable across nodes or leases. A token that escapes a node won't open another.
mTLS by default.
The control plane is QUIC with mutual TLS. There is no plaintext mode to opt in or out of. Both the client and the daemon must present certs from the fabric CA; the CA is rooted at a key the operator controls.
Deterministic teardown.
When a lease expires or is revoked, the data plane is torn down. If teardown fails, the affected resource enters a FENCED state — no new lease can land on it until an operator clears the fence. Cleanup is enforcement, not hope.
Hash-linked audit chain.
Lease lifecycle, preemption, and admission events are sealed into a SHA-256-linked chain. Each record's hash is computed over canonical bytes that include the previous record's hash; tampering with one record breaks the chain at ingest. The 32-byte head pointer lives in the daemon's narrow durable surface and is persisted across restarts.
Replay protection.
Every signed control-plane message carries a nonce and a timestamp. The replay cache rejects duplicates within the lookback window. Unsigned frames are rate-limited; signature verification happens before any decompression or deep parsing.
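The chain check described under "Hash-linked audit chain", as an added example that is not Tenura or fabricBIOS code. The page does not give the actual canonical byte format, so the record layout, the JSON canonical form, the all-zero genesis value and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = bytes(32)  # assumption: all-zero "previous hash" for the first record

def canonical_bytes(prev_hash, event):
    # Assumed canonical form: previous hash, then sorted-key compact JSON.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return prev_hash + body.encode("utf-8")

def seal(prev_hash, event):
    digest = hashlib.sha256(canonical_bytes(prev_hash, event)).digest()
    return {"prev": prev_hash.hex(), "event": event, "hash": digest.hex()}

def build_chain(events):
    """Seal events in order; return (records, 32-byte head pointer)."""
    chain, head = [], GENESIS
    for event in events:
        record = seal(head, event)
        chain.append(record)
        head = bytes.fromhex(record["hash"])
    return chain, head

def verify_chain(chain, expected_head):
    """Return (ok, index of first bad record); index == len(chain) means
    the records link up but do not end at the persisted head."""
    prev = GENESIS
    for i, record in enumerate(chain):
        if record["prev"] != prev.hex():
            return False, i          # link to predecessor is broken
        digest = hashlib.sha256(canonical_bytes(prev, record["event"])).digest()
        if digest.hex() != record["hash"]:
            return False, i          # record content was altered
        prev = digest
    if prev != expected_head:
        return False, len(chain)     # truncated or rewritten tail
    return True, None

def sample_events():
    # Constructed sample events; field names are illustrative only.
    return [
        {"kind": "lease_granted", "lease": "L-1", "node": "n1", "epoch": 7},
        {"kind": "preempted", "lease": "L-1", "node": "n1", "epoch": 7},
        {"kind": "lease_revoked", "lease": "L-1", "node": "n1", "epoch": 7},
    ]

if __name__ == "__main__":
    chain, head = build_chain(sample_events())
    chain[1]["event"]["lease"] = "L-9"   # tamper with one sealed record
    print(verify_chain(chain, head))     # (False, 1)
```

Comparing against the separately persisted head is what catches a truncated log or a fully re-sealed tail, since every remaining link in such a log is internally consistent.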
Custody
Where keys live.
The fabric CA root key is held by the operator. Per-node identity keys are minted at bootstrap and never leave the node — they sign ANNOUNCE / WITHDRAW / REVOKE_BROADCAST messages and prove identity to peers. Tenant client certificates are issued by the operator's CA via grafos admin issue-cert; the CA can revoke at any time and revocation propagates over the same QUIC control plane.
The audit-log signing key is named in the custody matrix per process: the daemon signs lease lifecycle events, the scheduler signs preemption and admission events. Keys are rotated by epoch; old keys remain valid for verification of historical records but cannot sign new ones.
Reporting a vulnerability
If you find something, please tell us first.
Send vulnerability reports to security@tenura.systems. Include reproduction steps, affected version, and your preferred contact for follow-up. We acknowledge within two business days and aim to ship a fix within 30 days for critical issues.
We don't currently run a paid bounty. We do credit reporters in the changelog and the relevant fix commit unless you ask us not to.
Please don't run automated scans against shared cells or attempt to exfiltrate other tenants' data — coordinate with us first and we'll set up an isolated cell for you to exercise the surface.
Compliance
What we claim — and what we don't.
Tenura is in private beta. We do not claim any third-party certifications today. The security model documented above is what is implemented and shipping; if a customer requires SOC 2, ISO 27001, or HIPAA evidence, talk to us about timelines.
We can provide a security review document, the threat model, and read-only access to the audit chain for any pilot. Customers running self-hosted retain operational control of their own keys, audit logs, and infrastructure.
Going deeper
Read the spec.
The wire protocol, lease state machine, and capability-token format are documented in the open fabricBIOS specification. The reference Rust implementation is source-available; security-relevant changes are called out in the changelog.