Index
Security & Resilience¶
This section centralizes all security, safety, and recovery documentation.
Mobius is integrity-first. This folder is where that commitment becomes operational.
Contents¶
Core security documentation (to be populated/moved in Phase 2):
Root Level¶
threat-model.md— Security architecture and attack surfaces (existing)security-policies.md— Security standards and requirementsincident-response.md— What to do when security events occurRECOVERY_PLAYBOOK.md— Disaster recovery procedures (existing)security-audit-log.md— History of security reviews
guardrails/¶
anti-nuke-guardrails.md— Deletion protection systemsintegrity-gates.md— GI-based safety thresholdsrate-limiting.md— Abuse preventioninput-validation.md— Data sanitization rules
policies/¶
access-control.md— Who can do whatdata-retention.md— What we keep and whyencryption-standards.md— At-rest and in-transit encryptionkey-rotation.md— Cryptographic key management
monitoring/¶
security-metrics.md— What we measurealerting.md— When and how we notifyaudit-logs.md— Immutable event recordsanomaly-detection.md— Identifying unusual patterns
Core Security Principles¶
1. Integrity Gates
All operations must maintain GI ≥ 0.95. Below this threshold: - Route to human-in-the-loop review - Decline automated action - Log for analysis
2. Anti-Nuke Guardrails
Protection against destructive changes: - PR blocked if deletes >5 files or >15% of codebase - Protected paths in apps/, packages/, sentinels/, labs/ - Force-push prevention on main branch - Automated checks via .github/workflows/anti-nuke.yml
Implemented after near-nuke incident — see RECOVERY_PLAYBOOK.md.
3. Cryptographic Attestation
All critical operations are cryptographically signed: - Ed25519 signatures for MII attestations - Deliberation Proofs from Thought Broker - Civic Ledger immutability
4. Defense in Depth
Multiple security layers: - Citizen Shield — Network perimeter security - Shield Policies — Rate limits and input validation - Sentinel Review — AI-based anomaly detection - Human Oversight — 25% of governance flow - Audit Logs — Complete operation history
5. Privacy by Design
- Bio-DNA requires explicit consent - Minimal data collection - No surveillance capitalism - User controls their own data
Current Security Status¶
| Component | Status | Last Audit | Notes |
|---|---|---|---|
| Citizen Shield | ✅ Active | C-145 | Network security + IDS |
| Anti-Nuke Guards | ✅ Active | C-140 | Deletion protection |
| MII Signatures | ✅ Active | C-145 | Ed25519 attestations |
| Integrity Gates | ✅ Active | C-147 | GI ≥ 0.95 enforcement |
| Threat Model | ✅ Complete | C-146 | Comprehensive review |
| Penetration Test | 📋 Planned | - | Q1 2026 |
Recovery Procedures¶
If something goes wrong:
- Assess Impact — What broke? Who's affected?
- Consult RECOVERY_PLAYBOOK.md — Follow documented procedures
- Use
git revert— Preserve history (Kintsugi principle) - Notify Stakeholders — Transparent communication
- Write Incident Report — Learn and improve
- Update Guardrails — Prevent recurrence
Preferred Recovery Method: git revert (preserves history)
Last Resort: Hard reset to known-good commit
Reporting Security Issues¶
DO NOT open public GitHub issues for security vulnerabilities.
Instead: 1. Email security@mobius-systems.org (to be set up) 2. Use GPG key for sensitive reports 3. Allow 24-48 hours for initial response 4. Coordinate disclosure timeline
Responsible disclosure earns MIC rewards.
Security Audits¶
Mobius undergoes regular security reviews:
- Internal Audits — Quarterly sentinel-based code review
- External Audits — Annual third-party assessment (planned)
- Community Audits — Bug bounty program (coming soon)
- Peer Review — Academic security analysis
See 08-research/peer-review-response.md for latest findings.
Compliance & Standards¶
Mobius aims for:
- OWASP Top 10 — Protection against common web vulnerabilities
- CIS Benchmarks — Infrastructure hardening
- NIST Cybersecurity Framework — Security management
- ISO 27001 — Information security management (future goal)
Relationship to Other Sections¶
- See
02-architecture/components/citizen-shield.mdfor security architecture - See
03-specifications/cryptography/for cryptographic specs - See
06-operations/monitoring/for security monitoring
Cycle C-147 • 2025-11-27
"We heal as we walk."