---
title: "Enforce Boundaries"
url: "https://docs.caracal.run/architecture/trust-boundaries/"
markdown_url: "https://docs.caracal.run/markdown/architecture/trust-boundaries.md"
description: "Security boundaries between users, runtime CLI, Console, Control API, services, storage, and upstreams."
page_type: "architecture"
concepts: []
requires: []
---

# Enforce Boundaries

Caracal’s trust model depends on clear boundaries. Do not blur the lines between runtime lifecycle, product management, token issuance, protected-resource routing, and audit evidence.

## Boundary Map

| Boundary | Trusted side | Untrusted or constrained side |
| --- | --- | --- |
| Runtime CLI | Local lifecycle and `caracal run` config | Product-management state and admin actions |
| Console/Admin API | Authenticated operators and Control/Admin clients | Anonymous clients and expired/insufficient tokens |
| STS | Valid application credentials, policy/grant/session state | Malformed subject tokens, invalid client secrets, unsatisfied step-up |
| Gateway | Verified inbound mandate, configured binding, revocation-fresh state | Arbitrary upstream URLs, path traversal, replayed/expiring tokens |
| Audit | HMAC-verified stream events and append-only database role | Tampered stream payloads or mutable evidence |
| Redis | Signed operational messages | Unsigned or mismatched stream messages in published modes |
| Postgres | Service roles and fail-closed RLS | Cross-zone reads without zone context |
| Control | Enabled gate, verified JWT, replay-safe JTI, rate limit | Disabled gate, replayed tokens, unsupported commands |

## Gateway Fail-Closed Checks

Gateway denies before upstream dispatch when:

- bearer token is missing, malformed, too large, expiring, revoked, replayed, or signature-invalid;
- `X-Caracal-Resource` is missing;
- no binding exists for the token zone and resource;
- path traversal is detected;
- STS exchange fails or the STS circuit is open;
- upstream host safety rules reject the destination.
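The checks above can be written as one decision function that returns the first deny reason and reaches dispatch only when every check passes. The block below is an added example written for this page, not Caracal's gateway code: the HMAC token format, the `GatewayState` fields, the deny-reason strings, the host-safety rules and the injected `sts_exchange` callable are all assumptions; only the `X-Caracal-Resource` header name comes from the page.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit

# Constructed illustration: the token format, signing key, deny-reason strings and all
# function names are assumptions for this example, not Caracal's own gateway code.
SIGNING_KEY = b"demo-signing-key-not-for-production"
MAX_TOKEN_BYTES = 4096
EXPIRY_SKEW_SECONDS = 30        # a token expiring within this window is treated as already expiring

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint a demo bearer token: base64url(JSON claims) '.' base64url(HMAC-SHA256 over the body)."""
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64url(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

@dataclass
class GatewayState:
    bindings: dict                              # (zone, resource) -> upstream base URL
    allowed_hosts: frozenset                    # hosts permitted by the upstream host-safety rules
    revoked: set = field(default_factory=set)   # revoked token ids
    seen_jti: set = field(default_factory=set)  # token ids already presented (replay detection)
    sts_circuit_open: bool = False

def _verify_token(raw, now: int, state: GatewayState):
    """Return (claims, None), or (None, reason) at the first failed check."""
    if not raw:
        return None, "token_missing"
    if len(raw) > MAX_TOKEN_BYTES:
        return None, "token_too_large"
    try:
        body, sig = raw.split(".")
        claims, given = json.loads(_b64url_decode(body)), _b64url_decode(sig)
        if not {"zone", "jti", "exp"}.issubset(claims) or not isinstance(claims["exp"], int):
            raise ValueError("required claims missing")
    except (ValueError, TypeError, UnicodeDecodeError):
        return None, "token_malformed"
    if not hmac.compare_digest(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest(), given):
        return None, "token_signature_invalid"
    if claims["exp"] - now < EXPIRY_SKEW_SECONDS:
        return None, "token_expiring"
    if claims["jti"] in state.revoked:
        return None, "token_revoked"
    if claims["jti"] in state.seen_jti:
        return None, "token_replayed"
    state.seen_jti.add(claims["jti"])           # consume the id now: any second presentation is a replay
    return claims, None

def _has_traversal(path: str) -> bool:
    decoded = path
    while unquote(decoded) != decoded:          # peel nested percent-encoding before inspecting segments
        decoded = unquote(decoded)
    return ".." in decoded.replace("\\", "/").split("/")

def _upstream_unsafe(url: str, state: GatewayState):
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or host not in state.allowed_hosts:
        return "upstream_host_rejected"
    try:
        ip = ipaddress.ip_address(host)         # IP literals pointing at internal ranges are refused
    except ValueError:
        return None                             # a hostname rather than an IP literal
    return "upstream_host_internal" if ip.is_private or ip.is_loopback or ip.is_link_local else None

def authorize(headers: dict, path: str, state: GatewayState, now: int, sts_exchange):
    """Fail-closed gate: ('deny', reason) before any upstream dispatch, else ('allow', upstream_url)."""
    auth = headers.get("Authorization", "")
    claims, reason = _verify_token(auth[7:] if auth.startswith("Bearer ") else None, now, state)
    if reason:
        return "deny", reason
    resource = headers.get("X-Caracal-Resource")
    upstream = state.bindings.get((claims["zone"], resource)) if resource else None
    if upstream is None:
        return "deny", "no_binding" if resource else "resource_header_missing"
    if _has_traversal(path):
        return "deny", "path_traversal"
    try:                                        # STS call is injected; an open circuit, an error or an
        mandate = None if state.sts_circuit_open else sts_exchange(claims, resource)
    except Exception:                           # empty result all deny rather than fall through
        mandate = None
    if not mandate:
        return "deny", "sts_circuit_open" if state.sts_circuit_open else "sts_exchange_failed"
    reason = _upstream_unsafe(upstream, state)
    if reason:
        return "deny", reason
    return "allow", upstream.rstrip("/") + path
```

Two design choices are worth noting. The token id is consumed inside `_verify_token`, so a token that verifies but is then denied on a later check cannot be presented again; that is the stricter reading of "replayed". The STS step maps every failure (open circuit, exception, empty result) onto a deny, and the host-safety check runs against the configured binding target rather than anything supplied by the client, which guards against a misconfigured binding pointing the gateway at an internal address.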

## Control Boundary

Control is optional. It requires a gate file, JWKS-backed JWT verification, replay protection, rate limits, and an API token for dispatch. It must not be exposed as a top-level runtime CLI command.
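The Control requirements read as an ordered series of gates, and the interesting engineering is in the middle ones: a replay cache that stays bounded by evicting expired token ids, and a per-subject rate limit that is applied before any command is examined. The following is an added example for this page, not Caracal's Control service: the gate-file format (a file whose content is the word `enabled`), the claim names, the command set, the class and function names and the `verify_jwt` callable (standing in for JWKS-backed verification, which is assumed to happen behind it) are all assumptions.

```python
import hmac
import os
import tempfile
from collections import deque

# Constructed example: the gate-file format, claim names, command set and all class/function
# names are assumptions for illustration, not Caracal's Control API.
SUPPORTED_COMMANDS = frozenset({"reload-policy", "rotate-key", "drain"})
RATE_LIMIT, RATE_PERIOD = 3, 60     # at most 3 dispatches per subject per 60 s (demo values)


class ControlGate:
    def __init__(self, gate_file, api_token, verify_jwt):
        self.gate_file = gate_file      # Control stays off until this file exists and reads "enabled"
        self.api_token = api_token      # separate dispatch credential, checked after the JWT
        self.verify_jwt = verify_jwt    # callable(token) -> claims; JWKS signature check lives behind it
        self.seen_jti = {}              # jti -> exp; pruned by expiry so replay memory stays bounded
        self.windows = {}               # subject -> deque of recent dispatch timestamps

    def gate_enabled(self):
        try:
            with open(self.gate_file) as fh:
                return fh.read().strip() == "enabled"
        except OSError:
            return False                # missing or unreadable gate file means disabled, never open

    def _replayed(self, jti, exp, now):
        for old in [j for j, e in self.seen_jti.items() if e <= now]:
            del self.seen_jti[old]      # an expired id can no longer verify, so it need not be remembered
        if jti in self.seen_jti:
            return True
        self.seen_jti[jti] = exp
        return False

    def _rate_limited(self, subject, now):
        q = self.windows.setdefault(subject, deque())
        while q and q[0] <= now - RATE_PERIOD:
            q.popleft()                 # sliding window: forget dispatches older than the period
        if len(q) >= RATE_LIMIT:
            return True
        q.append(now)
        return False

    def dispatch(self, jwt, api_token, command, now):
        """Checks in the order the boundary lists them; the first failure denies and nothing is dispatched."""
        if not self.gate_enabled():
            return "deny", "gate_disabled"
        try:
            claims = self.verify_jwt(jwt)
        except Exception:               # any verification error is a plain deny, not a fall-through
            claims = None
        if not claims or not isinstance(claims.get("exp"), int) or claims["exp"] <= now \
                or "sub" not in claims or "jti" not in claims:
            return "deny", "jwt_invalid"
        if self._replayed(claims["jti"], claims["exp"], now):
            return "deny", "jwt_replayed"
        if self._rate_limited(claims["sub"], now):
            return "deny", "rate_limited"
        if not hmac.compare_digest(api_token.encode(), self.api_token.encode()):
            return "deny", "api_token_invalid"
        if command not in SUPPORTED_COMMANDS:
            return "deny", "unsupported_command"
        return "ok", command


def run_demo():
    """Exercise the gate with constructed tokens; returns the decision reached in each scenario."""
    now = 1_700_000_000
    tokens = {f"tok{i}": {"sub": "operator-1", "jti": f"jti-{i}", "exp": now + 300} for i in range(6)}
    tokens["stale"] = {"sub": "operator-1", "jti": "jti-stale", "exp": now - 1}
    verify = lambda t: tokens[t]        # stands in for JWKS-backed verification; unknown token raises
    gate_path = os.path.join(tempfile.mkdtemp(), "control.gate")
    gate = ControlGate(gate_path, "api-secret", verify)
    out = {"no_gate_file": gate.dispatch("tok0", "api-secret", "drain", now)}
    with open(gate_path, "w") as fh:
        fh.write("enabled\n")
    out["ok"] = gate.dispatch("tok0", "api-secret", "drain", now)
    out["replay"] = gate.dispatch("tok0", "api-secret", "drain", now + 1)
    out["forged"] = gate.dispatch("not-issued", "api-secret", "drain", now)
    out["stale"] = gate.dispatch("stale", "api-secret", "drain", now)
    out["bad_api_token"] = gate.dispatch("tok1", "wrong", "drain", now)
    out["unsupported"] = gate.dispatch("tok2", "api-secret", "rm-rf", now)
    out["rate_limited"] = gate.dispatch("tok3", "api-secret", "drain", now + 2)
    out["after_window"] = gate.dispatch("tok4", "api-secret", "drain", now + 120)
    return out
```

Note that a denied dispatch still counts against the rate window and still consumes the token id once the JWT has verified; that is deliberate, so an operator who keeps presenting the same token with a wrong API token or an unsupported command is throttled rather than given unlimited attempts. The absence of the gate file is treated the same as an explicitly disabled gate.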

## Related Pages

- [Harden Production](/operations/tls-hardening/)
- [Automate Management](/services/control/)
- [Protect Upstreams](/services/gateway/)
