README §2 used to list security categories ("network isolation",
"TLS tunnel", "authentication", "audit logging", "YAML signing")
without configs. Customers deploying to a real fab can't act on
bullet points — they need files to drop in and paths to verify.
SECURITY.md replaces the bullets with:
- nftables ruleset locking the HSMS + Prometheus + SSH ports to
known source IPs (with the test command to lint before reload)
- Kubernetes NetworkPolicy equivalent for pod deployments
- stunnel.conf for equipment side (terminator) AND MES side
(initiator), with mTLS, TLS 1.3 minimum, and bind-127.0.0.1
pattern so the cleartext socket never sees the network
- minisign-based YAML config signing: keygen, sign-at-deploy,
systemd ExecStartPre verification. Refuses to start on bad sig.
- Audit logging JSON schema for SIEM ingest, with one-line example
per frame and the structured-dispatch wrapper to emit it
- SIEM alert thresholds: S9F rate, distinct source IPs, TLS
handshake failures, signature-verify failures, spool depth,
T-timer expiry counter
- Secrets handling: stunnel keys + minisign signing key custody
- Incident response capture protocol (tcpdump, journal snapshot,
no-restart-until-captured) + reporting-back format
Every section has a runnable example. Nothing here is invented
under pressure during an incident.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>