Security
Elydora is designed as responsibility-grade infrastructure. Every layer of the system prioritizes cryptographic integrity, key safety, and access control.
Cryptographic Stack
- Ed25519 (RFC 8032) — All agent signatures use Ed25519 elliptic curve signatures, providing 128-bit security with fast signing and verification.
- SHA-256 — Used for payload hashing, chain hashing, receipt hashing, and Merkle tree construction.
- JWKS (RFC 7517) — Elydora's public signing keys are published in standard JSON Web Key Set format for independent verification.
Key Management
Agent Keys
Each agent has its own Ed25519 key pair. The private key is held exclusively by the agent and never transmitted to Elydora. Only the public key is registered.
- Private keys should be stored in environment variables or a secrets manager
- Never commit private keys to version control
- Rotate keys periodically by registering a new key and revoking the old one
- Use a unique key per agent — do not share keys between agents
Key Generation
# Generate an Ed25519 key pair using OpenSSL
openssl genpkey -algorithm Ed25519 -out agent_private.pem
openssl pkey -in agent_private.pem -pubout -out agent_public.pem
Elydora Server Keys
Elydora signs all Acknowledgement Receipts (EARs) and Epoch Roots (EERs) with its own Ed25519 key. The public keys are available at the JWKS endpoint.
RBAC (Role-Based Access Control)
Elydora enforces fine-grained access control with five predefined roles. Each API endpoint requires a minimum role level. See the full RBAC documentation for details.
Transport Security
- All API communication requires HTTPS (TLS 1.2+)
- HTTP requests are rejected, not redirected
- JWT tokens expire after a configurable period
- Rate limiting is enforced per organization
Replay Protection
Multiple mechanisms prevent operation replay:
- TTL enforcement — Operations must be submitted within ttl_ms of their issued_at timestamp.
- Nonce uniqueness — Each nonce is tracked per agent and rejected if reused.
- Chain hash verification — The prev_chain_hash must match the server's expected value, preventing out-of-order or duplicate submissions.
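The three checks above, as a server-side acceptance routine over constructed operations. This is an added illustration, not Elydora's code: the chain-hash formula (SHA-256 over the previous chain hash and the canonical JSON of the operation), the genesis value, the field names beyond those named on this page, and the result strings are all assumptions.

```python
import hashlib
import json

# Constructed example, not Elydora's own implementation. The chain-hash
# construction below is an assumption; this page does not specify it.
GENESIS_HASH = "0" * 64


def chain_hash(prev_chain_hash: str, operation: dict) -> str:
    """Hypothetical chain hash: SHA-256 binding a record to its predecessor."""
    canonical = json.dumps(operation, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_chain_hash.encode() + canonical).hexdigest()


class ReplayGuard:
    """Server-side replay checks, tracked independently for each agent."""

    def __init__(self):
        self.seen_nonces = {}    # agent_id -> set of nonces already accepted
        self.chain_head = {}     # agent_id -> chain hash the next op must cite

    def check(self, op: dict, now_ms: int) -> str:
        agent = op["agent_id"]
        # 1. TTL enforcement: the operation must arrive within ttl_ms of issued_at.
        if now_ms > op["issued_at"] + op["ttl_ms"]:
            return "TTL_EXPIRED"
        # 2. Nonce uniqueness: a nonce this agent has used before is a replay.
        nonces = self.seen_nonces.setdefault(agent, set())
        if op["nonce"] in nonces:
            return "NONCE_REUSED"
        # 3. Chain hash verification: prev_chain_hash must equal the server's
        #    current head for this agent, so out-of-order or duplicate
        #    submissions fail even if they carry a fresh nonce.
        expected = self.chain_head.get(agent, GENESIS_HASH)
        if op["prev_chain_hash"] != expected:
            return "CHAIN_MISMATCH"
        # All checks passed: remember the nonce and advance the chain head.
        nonces.add(op["nonce"])
        self.chain_head[agent] = chain_hash(expected, op)
        return "ACCEPTED"
```

The checks are ordered cheapest first; an operation that fails any one of them is never recorded, so a rejected submission cannot advance the chain or consume a nonce.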
Agent Lifecycle
- Active — Agent can submit operations normally.
- Frozen — Agent is temporarily suspended. Operations are rejected with AGENT_FROZEN. Can be unfrozen.
- Revoked — Agent key is permanently invalidated. Operations are rejected with KEY_REVOKED. Irreversible.
Data Integrity
Operation records are immutable once accepted. The chain hash mechanism ensures that any modification, deletion, or reordering of records is detectable. Epoch roots provide periodic bulk verification anchors.