Who you have to trust — and who you don't.
Legation's design goal is to shrink the trusted set to almost nothing. The operator (us) and the routing hub are explicitly outside the trust boundary for your data: by construction, neither can read it.
| Party | Trusted with your data? | Enforced by |
|---|---|---|
| The routing hub | No — cannot read, any tier | Sealed-to-destination box; the hub holds no decryption key. Mathematical, not policy. |
| The operator (us) | No — cannot read, any tier | Data-flow inversion: the inference never receives raw data, so the operator never sees it. |
| The agent / app (the cargo) | No — contained | Treaty gate + membrane + dual Recall bound the blast radius; it can't exfiltrate or exceed scope. |
| The host (customer cluster) | Trusts itself with its own data | It's their VPC, their data, their keys. The open question is your IP on their metal — see §4. |
The data never moves, so the operator and the hub are removed from the trust boundary by architecture — not asked to be trustworthy, made structurally unable to read.
What we defend against — and how.
A curious or compromised operator
Cannot read your data: the inference only ever receives redacted, structure-only projections. There is no raw payload on the operator side to leak.
A compromised routing hub
Routes ciphertext it has no key for. It can verify signatures and move bytes; it cannot decrypt in either direction. Proven cryptographically, and tested.
A prompt-injected or memory-poisoned agent
Has no exfiltration path: data-flow inversion cuts private-data→model, the membrane cuts external comms. An injection can't leak what the inference never received. (See Defense — the lethal trifecta.)
A man-in-the-middle on the link
Sees only opaque, authenticated envelopes. Tampering breaks the Ed25519 signature; capture-and-replay is rejected by a freshness window + per-recipient nonce store.
A stolen agent credential
Is scoped, short-lived, and revocable — and a credential blob alone is not sufficient: the agent must prove possession of its private key on each privileged call.
A tampered or substituted bag
Fails admission: the enclave verifies the accreditation offline and recomputes the SHA-384 Merkle root before any policy loads — so editing any carried digest (a component, the SBOM, or the treaty) is rejected. Tamper-evidence is verified by regression tests in this build.
What protects what — named, per tier.
CNSA 2.0 throughout. The suite hardens as the dial turns — Bolt-on → Regulated → Sovereign — the structure is identical, the primitives change. A SOC 2, PCI-DSS, or HIPAA workload at Bolt-on or Regulated inherits the same SHA-384 seal and in-VPC enforcement the DoD runs at Sovereign; the tier raises the floor, not the architecture.
| Mechanism | Construction | Protects |
|---|---|---|
| Sealed bag | SHA-384 Merkle root + Ed25519 accreditation signature | Integrity + authenticity of the delivered fleet, offline-verifiable |
| Sealed-to-destination envelope | Ephemeral X25519 ECDH → HKDF-SHA384 → ChaCha20-Poly1305 | Confidentiality in transit; hub-blindness (the hub holds no key) |
| Ingress identity | Ed25519 over (ciphertext ‖ provenance ‖ ephemeral key ‖ destination) | Authenticity + integrity of every envelope |
| Embassy registration | Ed25519/SHA-384 signature + trusted-key allowlist + freshness & replay checks | Only accredited embassies can register to the hub — no open registration |
| Replay resistance | Signed timestamp + per-recipient nonce store, bounded freshness window | Rejection of captured-and-replayed envelopes and commands |
| Agent identity (NHI) | SPIFFE-aligned credential, Ed25519-signed, scoped to the treaty, short TTL + proof-of-possession | Per-agent least privilege; revocation; no replay of a leaked credential |
| Sovereign upgrade | Hybrid PQ — Ed25519+ML-DSA-87 (FIPS 204) signatures, X25519+ML-KEM-1024 (FIPS 203) KEM | No asymmetric weak spot: secure if either primitive holds |
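The replay check described in the "man-in-the-middle" threat above and in the "Replay resistance" row, as an added example that is not Legation's own code. It assumes the envelope's Ed25519 signature has already been verified, a 30-second freshness window, and a nonce stored per recipient; the field names and window size are assumptions.

```python
import time
from collections import deque

FRESHNESS_WINDOW_S = 30  # accept timestamps within +/- 30 s of local time (assumed value)


class ReplayGuard:
    """Per-recipient nonce store: a nonce is remembered only for as long as its
    signed timestamp could still fall inside the freshness window, so the store
    stays bounded while the timestamp check alone rejects anything older."""

    def __init__(self, window_s: int = FRESHNESS_WINDOW_S, now=time.time):
        self.window_s = window_s
        self.now = now               # injectable clock, for deterministic tests
        self.seen = {}               # recipient -> set of nonces seen in-window
        self.expiry = deque()        # (expire_at, recipient, nonce), oldest first

    def _evict(self, now: float) -> None:
        # Forget nonces whose timestamp can no longer pass the freshness check.
        while self.expiry and self.expiry[0][0] <= now:
            _, rcpt, nonce = self.expiry.popleft()
            self.seen.get(rcpt, set()).discard(nonce)

    def accept(self, recipient: str, timestamp: float, nonce: bytes) -> tuple:
        now = self.now()
        self._evict(now)
        if abs(now - timestamp) > self.window_s:
            return False, "stale"    # outside the window (replay of an old capture, or clock skew)
        store = self.seen.setdefault(recipient, set())
        if nonce in store:
            return False, "replay"   # same nonce already delivered to this recipient
        store.add(nonce)
        self.expiry.append((timestamp + self.window_s, recipient, nonce))
        return True, "ok"


def demo() -> list:
    # Constructed scenario with a fixed clock: one legitimate delivery, a captured
    # copy replayed at once, the same nonce to a different recipient, and the
    # captured copy replayed again after the nonce has been evicted.
    clock = [1_000_000.0]
    guard = ReplayGuard(now=lambda: clock[0])
    envelope = ("embassy-a", 1_000_000.0, b"\x01" * 16)
    first = guard.accept(*envelope)[1]                                 # ok
    replayed = guard.accept(*envelope)[1]                              # replay
    other = guard.accept("embassy-b", 1_000_000.0, b"\x01" * 16)[1]    # ok: separate store
    clock[0] += 60                                                     # beyond the window
    late = guard.accept(*envelope)[1]                                  # stale, even after eviction
    return [first, replayed, other, late]
```

The last step is the point of pairing the two checks: eviction keeps the nonce store small, and it is safe only because the signed timestamp rejects anything old enough to have been evicted.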
What's enforced by math, and what isn't — per tier.
The single most important honesty on this page: your IP is protected from the operator and the hub by cryptography at every tier. Protection of your IP from a malicious host — the customer who owns the metal the embassy runs on — is cryptographic only at the TEE (Sovereign) tier. Below it, it rests on compiled-binary obscurity and contract. We say so up front.
| Guarantee | Bolt-on | Regulated | Sovereign |
|---|---|---|---|
| Customer data hidden from operator + hub | Crypto | Crypto | Crypto |
| Treaty enforced in-VPC; dual Recall | Yes | Yes | Yes |
| Tamper-evident, offline-verifiable seal | Yes | Yes | Yes |
| Operator IP hidden from a malicious host | Obfuscation + contract | Obfuscation + contract | TEE (hardware) |
| Key custody | Software | HSM / KMS | Hardware-bound (TPM/HSM) |
| Crypto suite | Classical | FIPS | Post-quantum hybrid |
Lead with the truth and it survives the room: protected from the operator and hub by cryptography everywhere; protected from a malicious host by hardware at Sovereign, and by obfuscation plus contract below it. That precision is what a skeptical assessor is actually checking for.
Where each guarantee stops — no asterisks.
Containment ≠ correctness
Legation bounds the blast radius — can't exfiltrate, can't exceed the treaty, instantly killable. But within the treaty, a buggy or injected agent can still take a permitted-but-wrong action. Tight treaties plus the insurance layer cover the residual; we don't claim nothing can ever go wrong.
Metadata, not content
The hub is zero-knowledge on content, not metadata: it sees who talks to whom, when, and how much. Traffic analysis is possible. Zero-knowledge is not anonymity, and we don't conflate them.
Covert channels in the projection
A compromised in-VPC agent could in principle encode bits into the structure it returns. Bounded, typed projections shrink that channel; they don't eliminate it. It's a known-hard problem and we state it.
The host below a TEE
Below Sovereign, a host with node root can in principle inspect the embassy's memory. Your data is still protected from us and the hub; your IP on a hostile host is protected by hardware only at the TEE tier.
Single control plane
The hub-as-sole-control-plane is a compliance feature and an availability dependency. It runs HA, and the "hub unavailable" path fails closed: the enclave stops acting; an offline signed Recall still reaches it.
Customer-boundary controls
Physical security, personnel, and the rest of the customer's environment remain the customer's responsibility. Legation documents the controls it enforces for the embassy and its delivery — not a whole-boundary assessment.
Trust nothing. Recompute everything.
```text
# Integrity — nothing was altered
recompute the SHA-384 Merkle root from the landed artifacts → compare to the bag
(edit any component, SBOM, or treaty digest and it won't match)

# Authenticity — it came from the operator, unchanged
verify the Ed25519 signature against the published accreditation key

# Identity — each agent is scoped, live, and holds its key
check the SPIFFE credential: signature · expiry · scope · revocation · proof-of-possession

# Confidentiality — the hub cannot read
the hub holds no destination key → sealed-box decrypt is mathematically impossible for it

# Behavior — what every agent did, and was stopped from doing
replay the metadata audit chain — approved and blocked actions, hash-chained
```

✓ it holds — or it doesn't. You don't have to take our word.
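The integrity step above, and the admission check in the "tampered or substituted bag" threat earlier, as an added example that is not Legation's own code: recompute a SHA-384 Merkle root over the landed artifacts and compare it with the root sealed into the bag. The leaf layout, domain-separation prefixes and artifact names are assumptions.

```python
import hashlib
import hmac


def sha384(data: bytes) -> bytes:
    return hashlib.sha384(data).digest()


def leaf_hash(name: str, content: bytes) -> bytes:
    # Leaf = H(0x00 || name || 0x00 || H(content)); the 0x00 prefix keeps leaves
    # and interior nodes in separate hash domains (layout is an assumption).
    return sha384(b"\x00" + name.encode() + b"\x00" + sha384(content))


def merkle_root(leaves: list) -> bytes:
    # Hash adjacent pairs up the tree; an odd trailing node is hashed on its own.
    if not leaves:
        return sha384(b"\x01")
    level = leaves
    while len(level) > 1:
        level = [sha384(b"\x01" + b"".join(level[i:i + 2]))
                 for i in range(0, len(level), 2)]
    return level[0]


def bag_root(artifacts: dict) -> bytes:
    # Canonical order by artifact name so sealer and verifier build the same tree.
    return merkle_root([leaf_hash(n, artifacts[n]) for n in sorted(artifacts)])


def admit(sealed_root_hex: str, landed: dict) -> bool:
    # Recompute from what actually landed; constant-time compare against the sealed root.
    return hmac.compare_digest(bag_root(landed).hex(), sealed_root_hex)


# Constructed sample fleet: one component, its SBOM, and the treaty.
ARTIFACTS = {
    "agent.bin": b"\x7fELF constructed component bytes",
    "sbom.json": b'{"components": ["agent.bin"]}',
    "treaty.yaml": b"allow:\n  - read:ledger\n",
}
SEALED_ROOT = bag_root(ARTIFACTS).hex()  # the root the operator seals into the bag


def demo() -> tuple:
    # The unmodified fleet admits; widening the treaty by one line fails admission.
    tampered = {**ARTIFACTS, "treaty.yaml": b"allow:\n  - write:ledger\n"}
    return admit(SEALED_ROOT, ARTIFACTS), admit(SEALED_ROOT, tampered)
```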
Issue, rotate, revoke, decommission — with an audit trail.
Issue
Each agent gets a short-lived, scoped, SPIFFE-aligned credential bound to the treaty allowlist. Every issuance is inventoried.
Rotate
Generate-swap-revoke in one auditable step: a fresh credential is recorded and the old serial revoked together.
Revoke
Revoke by serial; the gate rejects a revoked credential on the next call. No long-lived, over-scoped agent identities.
Decommission
Dual Recall stops the embassy; credentials are revoked and the audit trail preserved. The kill is one stage of a governed lifecycle.