Security Architecture
Security Architecture
Section titled “Security Architecture”UnboundBytes implements defense-in-depth security across all layers.
Authentication
Section titled “Authentication”OIDC Integration
Section titled “OIDC Integration”- OAuth 2.0 / OIDC: All user authentication via OIDC
- RBAC: Role-based access control via JWT claims
- MFA: Multi-factor authentication support through OIDC
API Authentication
Section titled “API Authentication”- HMAC Signatures: Portal-to-orchestrator requests signed with HMAC-SHA256
- API Keys: Device-to-orchestrator authentication via scoped API keys
- Bootstrap Tokens: One-time enrollment tokens for device pairing
Transport Security
Section titled “Transport Security”mTLS and Encryption
Section titled “mTLS and Encryption”- TLS 1.3: All external traffic encrypted with TLS 1.3
- Cloudflare Tunnel: Agent-to-orchestrator communication via encrypted tunnels
- Encrypted Commands: Agent commands encrypted at rest and in transit
Application Security
Section titled “Application Security”Traefik ForwardAuth
Section titled “Traefik ForwardAuth”All self-hosted apps are protected by Traefik forwardAuth middleware. Each app declares an auth tier in its manifest:
| Auth Tier | Description |
|---|---|
gate | Full SSO via ForwardAuth (default) |
header | Trusted header-based auth |
native-oidc | App handles OIDC natively |
self-managed | App manages its own auth |
Container Hardening
Section titled “Container Hardening”Apps are assigned security profiles that control container isolation:
| Profile | Capabilities | Filesystem | Use Case |
|---|---|---|---|
strict | All dropped | Read-only | Password managers, DNS |
strict-web | All dropped | Read-only + tmp | Web-only apps |
moderate | All dropped | Writable | Apps needing disk writes |
moderate-web | All dropped | Writable + tmp | Web apps needing disk |
legacy | Minimal set | Writable | Legacy apps with special needs |
All containers drop ALL Linux capabilities by default. Resource limits (CPU, memory) are enforced per container based on the app’s resource tier.
Infrastructure Security
Section titled “Infrastructure Security”Secret Management
Section titled “Secret Management”- HashiCorp Vault as the single source of truth for all secrets
- Automated secret sync from Vault to Cloudflare Workers
- Scoped Cloudflare API tokens following least-privilege principle
- Zero-downtime secret rotation via dual-key strategy
Binary Signing
Section titled “Binary Signing”- Agent binaries signed with Ed25519
- SBOM (Software Bill of Materials) generated for each release
- Automated vulnerability scanning in CI
Monitoring and Rate Limiting
Section titled “Monitoring and Rate Limiting”- Structured logging with correlation IDs across all services
- Rate limiting on all public API endpoints (tier-based quotas)
- Circuit breaker pattern for downstream service calls
- Automated health checks and alerting