GNX Identity-to-Execution Logic Engine · Enterprise Review Document

GNX Identity-to-Execution Logic Engine — Threat Model

Product Definition

GNX Identity-to-Execution Logic Engine binds input, identity, display state, session proof, and execution authority into a verifiable evidence chain. It blocks unconditional execution by fail-closed control.

This product is not an IAM replacement. It is an execution evidence gate attachable before or after IAM, API Gateway, AI Agent Runtime, telecommunications fraud-defense systems, or financial security systems.

Core Assets

| Asset | Description | Protection Requirement |
|---|---|---|
| WNS receipt | Evidence that string input was committed | Integrity, non-forgery |
| WNS fingerprint | Deterministic HMAC evidence derived from normalized input | Integrity, no plaintext reversal |
| Bident session cookie | Session proof bound to ZKV identity verification | Confidentiality, replay resistance |
| Display lock | Evidence that target display/session state is ready | Integrity, short TTL, nonce replay prevention |
| Execution handle | One-time opaque authority handle | Confidentiality, one-time use, audience binding |
| Audit hash chain | Event receipt, prev_hash, event_hash | Tamper evidence |
| Admin session | Signed challenge-based admin access | No raw token, short TTL |
| Secrets | HMAC, cookie, audit, attestation, admin challenge secrets | Confidentiality, rotation capability |

Trust Boundaries

| Boundary | Input | Control |
|---|---|---|
| Public browser to API | JSON requests, cookies | CORS, CSRF, rate limit, validation |
| API to PostgreSQL | Evidence persistence | Parameterized SQL |
| API to Redis | Sessions, nonces, one-time handles | TTL, replay keys |
| Nginx to Engine | Reverse proxy | Engine bound to 127.0.0.1 |
| Admin client to API | Signed challenge | Public-key verification, admin session cookie |
| Customer system to execution API | Target/action/audience | WNS receipt, Bident, display lock, nonce |

Threats and Controls

| Threat | Attack | Control | Residual Risk |
|---|---|---|---|
| WNS forgery | Submit fake WNS receipt | DB lookup for committed receipt | DB compromise could alter receipts |
| Raw string leakage | Store or return raw input | HMAC fingerprint, plaintextRetained:false | Logs must remain scrubbed |
| Session replay | Reuse stolen Bident cookie | HttpOnly, Secure, SameSite, Redis TTL | Active cookie theft remains severe |
| CSRF | Cross-site state-changing request | X-GNX-CSRF, cookie binding, Origin check | XSS on allowed origin remains severe |
| Display replay | Reuse display nonce | Redis NX nonce key with TTL | Redis compromise weakens replay protection |
| Execution replay | Reuse nonce or handle | Nonce NX key, one-time Redis handle, DB used_at | Race testing under load still required |
| Raw tunnel ticket exposure | Return bearer ticket | One-time opaque executionHandle only | Handle remains sensitive during TTL |
| Public vault abuse | Internet token issuance | Public vault removed, 410 response | Admin domain must remain protected |
| Admin token leakage | Raw admin token in response | No raw admin token, signed challenge cookie | Private key handling remains critical |
| Audit tampering | Modify audit rows | prev_hash/event_hash chain | DB superuser can still rewrite unless externally anchored |
| Rate abuse | Credential or execution flooding | Redis route-class rate limit | Distributed attacks require WAF/IP reputation |
| API discovery | Scanner probes | Fail-closed 404/410 and Nginx controls | WAF still required |
| IAM mispositioning | Buyer treats product as IAM replacement | Non-claim boundary in API/docs | Sales collateral must stay consistent |
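The audit tampering row and its residual risk can be made concrete with a chain verifier. The following is an added example, not GNX code: only the `prev_hash` and `event_hash` field names come from this document, while the SHA-256 construction, the all-zero genesis value, the function names, and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first audit row


def event_hash(prev_hash, payload):
    # Assumed construction: SHA-256 over prev_hash plus canonical JSON of the event.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode()).hexdigest()


def append(chain, payload):
    prev = chain[-1]["event_hash"] if chain else GENESIS
    chain.append({"payload": payload, "prev_hash": prev,
                  "event_hash": event_hash(prev, payload)})


def verify(chain, anchored_head=None):
    """Return (ok, reason). anchored_head is a head hash stored outside the DB."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev:
            return False, f"row {i}: prev_hash does not link to previous row"
        if row["event_hash"] != event_hash(prev, row["payload"]):
            return False, f"row {i}: event_hash does not match payload"
        prev = row["event_hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "head hash differs from external anchor"
    return True, "ok"


def build_sample():
    # Constructed sample events, not real GNX audit rows.
    chain = []
    for ev in ({"type": "wns_commit", "id": 1},
               {"type": "display_lock", "id": 2},
               {"type": "execution", "id": 3, "result": "denied"}):
        append(chain, ev)
    return chain


def rewrite_from(chain, index, new_payload):
    # Models a DB superuser who edits a row and recomputes every later hash.
    rewritten = []
    for i, row in enumerate(chain):
        append(rewritten, new_payload if i == index else row["payload"])
    return rewritten
```

An in-place edit of a single row fails `verify`, but a chain produced by `rewrite_from` passes it unless `anchored_head` is supplied from storage the database administrator cannot write to.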

Required Negative Tests

Current Status

Open Items Before Enterprise Production-Ready Claim

1. AWS WAF or equivalent WAF deployment.

2. WebAuthn/passkey or mTLS enhancement if required by customer security review.

3. Evidence verification CLI.

4. Backup/restore runbook.

5. Incident response runbook.

6. External audit hash anchoring option.

Domain Architecture Policy

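The logicnoid.co.kr root domain is currently kept as a direct landing surface based on an EC2 A record.

The www, api, admin, verify, and docs surfaces required for enterprise verification are operated through CloudFront and AWS WAF.

Consolidating the root domain onto CloudFront will follow in a later migration, depending on whether Route 53 Alias or Gabia's ALIAS/ANAME records are supported.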