
Enforce Boundaries

Caracal’s trust model depends on clear boundaries. Do not blur runtime lifecycle, product management, token issuance, protected-resource routing, and audit evidence.

| Boundary | Trusted side | Untrusted or constrained side |
| --- | --- | --- |
| Runtime CLI | Local lifecycle and caracal run config | Product-management state and admin actions. |
| Console/Admin API | Authenticated operators and Control/Admin clients | Anonymous clients and expired/insufficient tokens. |
| STS | Valid application credentials, policy/grant/session state | Malformed subject tokens, invalid client secrets, unsatisfied step-up. |
| Gateway | Verified inbound mandate, configured binding, revocation-fresh state | Arbitrary upstream URLs, path traversal, replayed/expiring tokens. |
| Audit | HMAC-verified stream events and append-only database role | Tampered stream payloads or mutable evidence. |
| Redis | Signed operational messages | Unsigned or mismatched stream messages in published modes. |
| Postgres | Service roles and fail-closed RLS | Cross-zone reads without zone context. |
| Control | Enabled gate, verified JWT, replay-safe JTI, rate limit | Disabled gate, replayed tokens, unsupported commands. |

Gateway denies before upstream dispatch when:

  • bearer token is missing, malformed, too large, expiring, revoked, replayed, or signature-invalid;
  • X-Caracal-Resource is missing;
  • no binding exists for the token zone and resource;
  • path traversal is detected;
  • STS exchange fails or the STS circuit is open;
  • upstream host safety rules reject the destination.
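The denial sequence above, as an added Python example that is not Caracal's own gateway code: a pre-dispatch check that evaluates each condition in order and returns the first reason to deny, consuming the token's JTI only once every check has passed. The token format (HMAC-signed base64 JSON), the size limit, the 30-second expiring window, the in-memory state shape and the rule that a binding names exactly one permitted upstream host are assumptions; only the X-Caracal-Resource header comes from the page.

```python
import base64, hashlib, hmac, json
# Constructed demo parameters; Caracal's real token format and limits are assumed, not taken from the page.
SECRET = b"constructed-demo-signing-key"
MAX_TOKEN_BYTES = 4096
EXPIRING_WINDOW_S = 30

def mint(claims: dict) -> str:
    """Issue a demo token: urlsafe-base64 JSON body + '.' + HMAC-SHA256 hex tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def precheck(headers: dict, path: str, upstream_host: str, state: dict, now: float) -> "str | None":
    """Return a denial reason, or None if the request may proceed; state holds bindings {(zone, resource): host}, revoked, seen_jti, sts_open."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "token_missing"
    token = auth[len("Bearer "):]
    if len(token) > MAX_TOKEN_BYTES:
        return "token_too_large"
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(expected, tag):
        return "token_signature_invalid"        # tampered, truncated or unsigned
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
        if not isinstance(claims, dict):
            raise ValueError
    except ValueError:
        return "token_malformed"
    if claims.get("exp", 0) - now < EXPIRING_WINDOW_S:
        return "token_expiring"                # expired, or too close to expiry to survive the hop
    jti = claims.get("jti")
    if jti in state["revoked"]:
        return "token_revoked"
    if jti in state["seen_jti"]:
        return "token_replayed"
    resource = headers.get("X-Caracal-Resource")
    if not resource:
        return "resource_header_missing"
    key = (claims.get("zone"), resource)
    if key not in state["bindings"]:
        return "no_binding"
    if ".." in path.split("/") or "%2e" in path.lower():
        return "path_traversal"
    if state["sts_open"]:
        return "sts_circuit_open"              # STS exchange unavailable: fail closed
    if upstream_host != state["bindings"][key]:
        return "upstream_host_rejected"
    state["seen_jti"].add(jti)                 # consume the JTI only after every check passed
    return None
```

A real deployment would back revoked and seen_jti with the shared revocation and replay stores rather than process memory, so that a replay against a second gateway instance is also denied.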

Control is optional. It requires a gate file, JWKS-backed JWT verification, replay protection, rate limits, and an API token for dispatch. It must not be exposed as a top-level runtime CLI command.