GNX Identity-to-Execution Logic Engine · Enterprise Review Document
GNX Identity-to-Execution Logic Engine — Production Readiness Gate
Product Definition
**Product Name:** GNX Identity-to-Execution Logic Engine
**Contract Definition:** An execution-control engine that binds input, identity, display state, session evidence, and execution authority into a single verifiable evidence chain, and blocks execution that lacks those conditions in a fail-closed manner.
Market Position
This product is not an IAM replacement. It is an execution evidence gate that can be attached before or after existing IAM, API Gateway, AI Agent Runtime, telecommunications fraud-defense systems, or financial security systems.
Non-Claim Boundary
- Not an Okta replacement.
- Not a Microsoft Entra replacement.
- Not a CyberArk replacement.
- Not a Ping replacement.
- Not a SailPoint replacement.
- Not a URL routing system.
- Not a simple API key system.
- Not a public vault system.
Hardening Gate
| Gate | Requirement | Current Status | Evidence |
|---|---|---:|---|
| Product Name | GNX Identity-to-Execution Logic Engine | PASS | /v1/public/product |
| Public Vault | No public vault/token issuing endpoint | PASS | 410 PUBLIC_VAULT_REMOVED |
| gnxceo fallback | No fallback admin password | PASS | clean-room build; no fallback route |
| Raw Admin Token | No raw admin token response | PASS | health/product flags |
| Raw Tunnel Ticket | No raw tunnelTicket response | PASS | opaque executionHandle only |
| CSP | Helmet CSP enabled | PASS | server.ts |
| CSRF | State-changing endpoints require CSRF | PASS | security acceptance test |
| Rate Limit | Redis route-class rate limit | PASS | server.ts |
| Policy Split | demo and production endpoints separated | PASS | /api/v1/policy/evaluate returns 410 |
| WNS Required | production execution requires WNS receipt | PASS | security acceptance test |
| Bident Required | production execution requires session proof | PASS | security acceptance test |
| Display Required | production execution requires display lock | PASS | security acceptance test |
| One-Time Handle | consume replay denied | PASS | security acceptance test |
| Audit Hash Chain | audit receipt includes prev_hash/event_hash | PASS | /v1/audit/:receipt |
| Evidence Verification CLI | receipt and chain-file verification verified | PASS | engine/tools/evidence-verifier.ts |
| Backup | operational backup created, locked, hashed, and integrity-listed | PASS | /opt/gnx/backups/i2e-20260502_061837 |
| Admin Signed Challenge | signed admin challenge operational; raw admin token not returned | PASS | tests/admin/admin-signed-challenge-test.sh |
| CloudFront | distribution deployed and origin health verified | PASS | d1v24p1yq9umag.cloudfront.net |
| AWS WAF | CloudFront Web ACL attached and public vault path blocked | PASS | gnx-i2e-cloudfront-webacl |
| DNS Partial Cutover | api/admin/verify/docs/www routed through CloudFront; origin retained as EC2 origin | PASS | Gabia DNS + d1v24p1yq9umag.cloudfront.net |
| Domain Architecture Policy | apex EC2 landing retained; www/api/admin/verify/docs operate through CloudFront and AWS WAF | PASS | docs/domain-architecture-policy.md |
| Apex CloudFront Cutover | logicnoid.co.kr apex intentionally remains EC2 A-record landing surface; Route 53 Alias or Gabia ALIAS/ANAME required for full apex CloudFront cutover | PENDING | logicnoid.co.kr |
| OpenAPI | OpenAPI 3.1 spec verified | PASS | engine/openapi/openapi.yaml |
| Threat Model | threat model verified | PASS | docs/threat-model.md |
| Runbooks | deployment, backup/restore, incident response runbooks verified | PASS | docs/*.md |
Production-ready Completion Rule
The engine may be described as **live WNS-bound execution gate verified** after the security acceptance test passes.
The engine may be described as **enterprise production-ready** only after the following are complete:
1. Security acceptance test passes.
2. OpenAPI spec complete.
3. Threat model complete.
4. Deployment guide complete.
5. Backup/restore runbook complete.
6. Incident response runbook complete.
7. Evidence verification CLI complete.
8. Admin signed challenge operational verification complete. WebAuthn/passkey or mTLS remains a future strengthening option.
9. WAF/IP reputation rule deployment complete.
10. Full negative-path test report archived.
Domain Architecture Policy
The logicnoid.co.kr root domain is currently retained as a direct landing surface backed by an EC2 A record.
The www, api, admin, verify, and docs surfaces required for enterprise verification are operated through CloudFront and AWS WAF.
Consolidation of the root domain onto CloudFront will be carried out as a follow-up cutover, depending on Route 53 Alias support or Gabia ALIAS/ANAME support.