
ARAL Security

Version: 1.0
Status: Release Candidate
Requirements: 60

The ARAL Security specification defines security requirements, threat models, and protection mechanisms across all layers.


ARAL uses STRIDE for threat modeling per layer.

| Layer | STRIDE categories flagged |
|---|---|
| L7 Protocol | S, T, R, I, D, E (all six) |
| L6 Orchestration | S, T, R, I, D, E (all six) |
| L5 Persona | five of six (the flattened source does not show which category is unflagged) |
| L4 Reasoning | S, T, R, I, D, E (all six) |
| L3 Capabilities | S, T, R, I, D, E (all six) |
| L2 Memory | S, T, R, I, D, E (all six) |
| L1 Runtime | S, T, R, I, D, E (all six) |

Legend: S=Spoofing, T=Tampering, R=Repudiation, I=Info Disclosure, D=DoS, E=Elevation


Authentication & Authorization (ARAL-S-001 to ARAL-S-010)

| ID | Requirement | Level |
|---|---|---|
| ARAL-S-001 | All external requests MUST be authenticated | MUST |
| ARAL-S-002 | Authentication MUST support OAuth 2.0 / OIDC | MUST |
| ARAL-S-003 | Authentication SHOULD support mTLS | SHOULD |
| ARAL-S-004 | Authorization MUST be capability-based | MUST |
| ARAL-S-005 | Authorization MUST follow least privilege | MUST |
| ARAL-S-006 | Tokens MUST have bounded lifetime | MUST |
| ARAL-S-007 | Token refresh MUST NOT extend beyond max lifetime | MUST |
| ARAL-S-008 | Failed auth attempts MUST be logged | MUST |
| ARAL-S-009 | Auth SHOULD implement rate limiting | SHOULD |
| ARAL-S-010 | Service-to-service auth MUST use SPIFFE/mTLS | MUST |
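ARAL-S-006 and ARAL-S-007 together rule out the common "sliding session" bug, where every refresh pushes the expiry forward and a stolen token that is refreshed regularly never dies. The following added example (written for this page; it is not ARAL project code, and the 15-minute session TTL, 8-hour maximum lifetime, the `Token` struct and the function names are assumptions) keeps two clocks per token: a sliding expiry that refresh may extend, and an absolute `NotAfter` fixed at issue time that no refresh may move. The forbidden pattern is shown beside the compliant one, and `Lifetime` simulates a client that refreshes every ten minutes against both.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Token carries the two clocks ARAL-S-006/-007 imply: a short sliding expiry that a
// refresh may extend, and an absolute deadline fixed at issue time that no refresh moves.
type Token struct {
	Subject   string
	IssuedAt  time.Time
	ExpiresAt time.Time // sliding expiry, extended by Refresh
	NotAfter  time.Time // IssuedAt + MaxLifetime, never changed after Issue
}

// Policy values are assumptions for this example; the spec only requires "bounded".
const (
	SessionTTL  = 15 * time.Minute
	MaxLifetime = 8 * time.Hour
)

var (
	ErrExpired     = errors.New("token expired")
	ErrMaxLifetime = errors.New("token reached maximum lifetime; re-authentication required")
)

// Issue is the only place MaxLifetime is applied: NotAfter is set once and never extended.
func Issue(subject string, now time.Time) Token {
	return Token{Subject: subject, IssuedAt: now, ExpiresAt: now.Add(SessionTTL), NotAfter: now.Add(MaxLifetime)}
}

// Valid is the per-request check; both clocks must still be in the future.
func Valid(t Token, now time.Time) bool {
	return now.Before(t.ExpiresAt) && now.Before(t.NotAfter)
}

// Refresh extends the sliding expiry but clamps it to NotAfter (ARAL-S-007). Refreshing
// an expired token, or one past NotAfter, fails so the caller must re-authenticate.
func Refresh(t Token, now time.Time) (Token, error) {
	if !now.Before(t.ExpiresAt) {
		return t, ErrExpired
	}
	if !now.Before(t.NotAfter) {
		return t, ErrMaxLifetime
	}
	next := now.Add(SessionTTL)
	if next.After(t.NotAfter) {
		next = t.NotAfter
	}
	t.ExpiresAt = next
	return t, nil
}

// VulnerableRefresh is the sliding-session pattern the requirement forbids: as long as
// the holder (legitimate or not) keeps refreshing before expiry, the token never dies.
func VulnerableRefresh(t Token, now time.Time) (Token, error) {
	if !now.Before(t.ExpiresAt) {
		return t, ErrExpired
	}
	t.ExpiresAt = now.Add(SessionTTL)
	return t, nil
}

// Lifetime simulates a client that refreshes every `every` until refresh is refused and
// returns how long after issue the token was last usable (capped at 1000 refreshes).
func Lifetime(refresh func(Token, time.Time) (Token, error), every time.Duration) time.Duration {
	start := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock for the simulation
	tok := Issue("agent:support-bot", start)
	now := start
	for i := 0; i < 1000; i++ {
		now = now.Add(every)
		next, err := refresh(tok, now)
		if err != nil {
			break
		}
		tok = next
	}
	return tok.ExpiresAt.Sub(start)
}

func main() {
	fmt.Println("compliant refresh keeps the token usable for", Lifetime(Refresh, 10*time.Minute))
	fmt.Println("sliding refresh keeps the token usable for", Lifetime(VulnerableRefresh, 10*time.Minute))
}
```

With a ten-minute refresh cadence the compliant token is last usable exactly `MaxLifetime` after issue, while the sliding variant is still valid after a week of simulated refreshes. The clamp in `Refresh` is the whole fix: `NotAfter` is computed once in `Issue` and is never an input to refresh logic.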

Data Protection (ARAL-S-020 to ARAL-S-029)

| ID | Requirement | Level |
|---|---|---|
| ARAL-S-020 | Data in transit MUST use TLS 1.3+ | MUST |
| ARAL-S-021 | Data at rest SHOULD be encrypted | SHOULD |
| ARAL-S-022 | PII MUST be identified and protected | MUST |
| ARAL-S-023 | Sensitive data MUST NOT appear in logs | MUST |
| ARAL-S-024 | Data retention MUST follow defined policies | MUST |
| ARAL-S-025 | Data deletion MUST be verifiable | MUST |
| ARAL-S-026 | Encryption keys MUST be rotated periodically | MUST |
| ARAL-S-027 | Key management SHOULD use HSM or KMS | SHOULD |
| ARAL-S-028 | Data classification MUST be documented | MUST |
| ARAL-S-029 | Cross-border data transfer MUST be compliant | MUST |

Persona Security (ARAL-S-030 to ARAL-S-039)

| ID | Requirement | Level |
|---|---|---|
| ARAL-S-030 | Persona MUST be validated at startup | MUST |
| ARAL-S-031 | Persona MUST be immutable at runtime | MUST |
| ARAL-S-032 | Persona changes MUST require restart | MUST |
| ARAL-S-033 | Persona SHOULD be cryptographically signed | SHOULD |
| ARAL-S-034 | Persona signature SHOULD use Ed25519 or ECDSA | SHOULD |
| ARAL-S-035 | Invalid persona MUST prevent agent startup | MUST |
| ARAL-S-036 | Persona constraints MUST be enforced by L6 | MUST |
| ARAL-S-037 | Persona override attempts MUST be logged | MUST |
| ARAL-S-038 | Persona version MUST be checked for compatibility | MUST |
| ARAL-S-039 | Persona MUST NOT grant more than declared | MUST |
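The startup gate that ARAL-S-030, -033, -035 and -038 describe is small but has two details worth getting right: the signature must be verified over the exact bytes that were signed (not over a re-serialised copy, which can drift between signer and verifier), and every failure, whether bad signature, unknown fields or incompatible version, must collapse into one "refuse startup" outcome. The following added example (written for this page; it is not ARAL project code, and the `Persona` fields, the `SignedPersona` envelope and a "major.minor" version string are assumptions) uses Ed25519 from Go's standard library, as ARAL-S-034 allows.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Persona is a minimal persona document. The field names are assumptions for this
// example; the real persona schema is defined elsewhere in the ARAL spec.
type Persona struct {
	Name         string   `json:"name"`
	Version      string   `json:"version"`      // "major.minor"
	Capabilities []string `json:"capabilities"` // what the persona declares it may use
}

// SignedPersona carries the exact bytes that were signed. Verification runs over these
// bytes, never over a re-serialised copy, so canonicalisation cannot drift.
type SignedPersona struct {
	Persona   json.RawMessage `json:"persona"`
	Signature string          `json:"signature"` // base64 Ed25519 signature over Persona
}

// ErrStartupRefused wraps every failure mode; the caller must not start the agent
// when it is returned (ARAL-S-035).
var ErrStartupRefused = errors.New("persona invalid: agent startup refused")

// GenerateKeyPair makes an Ed25519 signing key for the demo and tests.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPersona is what the persona author's tooling would run (ARAL-S-033/-034).
func SignPersona(priv ed25519.PrivateKey, p Persona) (SignedPersona, error) {
	raw, err := json.Marshal(p)
	if err != nil {
		return SignedPersona{}, err
	}
	sig := ed25519.Sign(priv, raw)
	return SignedPersona{Persona: raw, Signature: base64.StdEncoding.EncodeToString(sig)}, nil
}

// LoadPersona is the startup gate (ARAL-S-030/-035/-038): signature first, then strict
// parsing, then version compatibility. Any failure refuses startup.
func LoadPersona(pub ed25519.PublicKey, sp SignedPersona, supportedMajor int) (Persona, error) {
	sig, err := base64.StdEncoding.DecodeString(sp.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return Persona{}, fmt.Errorf("%w: malformed signature", ErrStartupRefused)
	}
	if !ed25519.Verify(pub, sp.Persona, sig) {
		return Persona{}, fmt.Errorf("%w: signature does not match persona bytes", ErrStartupRefused)
	}
	var p Persona
	dec := json.NewDecoder(bytes.NewReader(sp.Persona))
	dec.DisallowUnknownFields() // an unknown field is a grant this version cannot reason about (ARAL-S-039)
	if err := dec.Decode(&p); err != nil {
		return Persona{}, fmt.Errorf("%w: %v", ErrStartupRefused, err)
	}
	var major, minor int
	if _, err := fmt.Sscanf(p.Version, "%d.%d", &major, &minor); err != nil || major != supportedMajor {
		return Persona{}, fmt.Errorf("%w: version %q incompatible with supported major %d", ErrStartupRefused, p.Version, supportedMajor)
	}
	return p, nil
}

func main() {
	pub, priv := GenerateKeyPair()
	signed, _ := SignPersona(priv, Persona{Name: "support-bot", Version: "1.2", Capabilities: []string{"tickets.read"}})
	if _, err := LoadPersona(pub, signed, 1); err != nil {
		fmt.Println("unexpected:", err)
	}
	// Constructed tamper case: widen a declared capability without re-signing.
	signed.Persona = bytes.Replace(signed.Persona, []byte("tickets.read"), []byte("tickets.root"), 1)
	_, err := LoadPersona(pub, signed, 1)
	fmt.Println("tampered persona:", err)
}
```

Because `LoadPersona` returns a fresh `Persona` value decoded from the verified bytes, the orchestrator can hold it as the single runtime copy; honouring ARAL-S-031/-032 is then a matter of never exposing a mutable reference to it and re-running the gate only on restart.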

Capability Security (ARAL-S-050 to ARAL-S-059)

| ID | Requirement | Level |
|---|---|---|
| ARAL-S-050 | Capabilities MUST declare required permissions | MUST |
| ARAL-S-051 | Capability invocation MUST check permissions | MUST |
| ARAL-S-052 | Capabilities MUST validate all inputs | MUST |
| ARAL-S-053 | Capabilities MUST NOT exceed declared scope | MUST |
| ARAL-S-054 | Dangerous capabilities MUST require confirmation | MUST |
| ARAL-S-055 | Capability errors MUST NOT leak internals | MUST |
| ARAL-S-056 | Capabilities SHOULD implement sandboxing | SHOULD |
| ARAL-S-057 | External capabilities MUST use allowlist | MUST |
| ARAL-S-058 | Capability results MUST be validated | MUST |
| ARAL-S-059 | Capability timeouts MUST be enforced | MUST |
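Most of the capability requirements above are properties of a single choke point through which every invocation passes. The following added example (written for this page; it is not ARAL project code, and the `Capability` manifest shape, the `Gate` type, the permission names and the `Confirm` hook are assumptions) shows such a gate: declared permissions are checked against what the persona granted (ARAL-S-051), external targets must be HTTPS and on the allowlist (ARAL-S-052/-057), dangerous capabilities need a confirmation (ARAL-S-054), execution is bounded by a context timeout (ARAL-S-059), results are validated (ARAL-S-058), and the capability's own error or panic text never reaches the caller (ARAL-S-055).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/url"
	"time"
	"unicode/utf8"
)

// Capability is one entry of an assumed capability manifest: the permissions it
// declares (ARAL-S-050), whether it needs confirmation (-054), whether it reaches
// external hosts (-057), its timeout (-059) and the function that actually runs it.
type Capability struct {
	Name        string
	Permissions []string
	Dangerous   bool
	External    bool
	Timeout     time.Duration
	Run         func(ctx context.Context, input string) (string, error)
}

// Gate is what L6 enforces on every invocation: the permissions the persona granted,
// the external allowlist, a confirmation hook for dangerous capabilities, and a result size cap.
type Gate struct {
	Granted      map[string]bool
	AllowedHosts map[string]bool
	Confirm      func(capability string) bool
	MaxResult    int
}

var ErrDenied = errors.New("capability invocation denied")

// Invoke is the single choke point. Every failure returns ErrDenied with a policy-level
// reason; the capability's own error is never passed to the caller (ARAL-S-055).
func (g Gate) Invoke(c Capability, input string) (string, error) {
	for _, p := range c.Permissions {
		if !g.Granted[p] {
			return "", fmt.Errorf("%w: %s requires permission %q", ErrDenied, c.Name, p)
		}
	}
	if c.External { // input validation for external calls: https only, host on the allowlist
		u, err := url.Parse(input)
		if err != nil || u.Scheme != "https" || !g.AllowedHosts[u.Hostname()] {
			return "", fmt.Errorf("%w: %s target not allowlisted", ErrDenied, c.Name)
		}
	}
	if c.Dangerous && (g.Confirm == nil || !g.Confirm(c.Name)) {
		return "", fmt.Errorf("%w: %s not confirmed", ErrDenied, c.Name)
	}
	ctx, cancel := context.WithTimeout(context.Background(), c.Timeout)
	defer cancel()
	type outcome struct {
		out string
		err error
	}
	done := make(chan outcome, 1)
	go func() {
		defer func() { // a panicking capability must not take the orchestrator down
			if r := recover(); r != nil {
				done <- outcome{err: fmt.Errorf("panic: %v", r)}
			}
		}()
		out, err := c.Run(ctx, input)
		done <- outcome{out, err}
	}()
	select {
	case <-ctx.Done(): // the goroutine is abandoned here; sandboxing (ARAL-S-056) is what actually kills it
		return "", fmt.Errorf("%w: %s exceeded %s", ErrDenied, c.Name, c.Timeout)
	case o := <-done:
		if o.err != nil {
			// o.err belongs in the audit log; the caller only learns that the call failed
			return "", fmt.Errorf("%w: %s failed", ErrDenied, c.Name)
		}
		if !utf8.ValidString(o.out) || (g.MaxResult > 0 && len(o.out) > g.MaxResult) {
			return "", fmt.Errorf("%w: %s returned an invalid result", ErrDenied, c.Name) // ARAL-S-058
		}
		return o.out, nil
	}
}

func main() {
	g := Gate{
		Granted:      map[string]bool{"tickets.read": true, "net.fetch": true},
		AllowedHosts: map[string]bool{"api.example.com": true},
		MaxResult:    1 << 16,
	}
	// Constructed capability: echoes its target instead of performing a real request.
	fetch := Capability{Name: "http.fetch", Permissions: []string{"net.fetch"}, External: true, Timeout: 50 * time.Millisecond,
		Run: func(ctx context.Context, in string) (string, error) { return "200 OK from " + in, nil }}
	for _, target := range []string{"https://api.example.com/v1/tickets", "https://evil.example.net/", "http://api.example.com/"} {
		out, err := g.Invoke(fetch, target)
		fmt.Printf("%s -> %q %v\n", target, out, err)
	}
}
```

The timeout branch is the one to read carefully: a `select` on `ctx.Done()` bounds how long the orchestrator waits, but a capability that ignores its context keeps running in the background. That is exactly the gap ARAL-S-056 (sandboxing) closes; the gate alone cannot.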

Secret Management (ARAL-S-080 to ARAL-S-084)

| ID | Requirement | Level |
|---|---|---|
| ARAL-S-080 | Secrets MUST be stored via vault references | MUST |
| ARAL-S-081 | Secrets MUST NOT be in code or config files | MUST |
| ARAL-S-082 | Secret access MUST be audited | MUST |
| ARAL-S-083 | Secrets MUST be rotated periodically | MUST |
| ARAL-S-084 | Secret exposure MUST trigger rotation | MUST |

Secret reference format:

{
  "secret_ref": {
    "vault": "hashicorp-vault",
    "path": "secret/aral/api-key",
    "version": "latest"
  }
}

Only the reference lives in configuration; the value is resolved from the vault at runtime. Because "version": "latest" is what lets a rotation (ARAL-S-083/-084) take effect without a config change, the audit record for each access (ARAL-S-082) should carry the concrete version that was resolved, not the literal "latest", so that an exposure can be traced to the version that leaked.

Audit Logging (ARAL-S-090 to ARAL-S-095)

| ID | Requirement | Level |
|---|---|---|
| ARAL-S-090 | All security events MUST be logged | MUST |
| ARAL-S-091 | Logs MUST use structured JSON format | MUST |
| ARAL-S-092 | Logs MUST include trace_id | MUST |
| ARAL-S-093 | Logs MUST be tamper-evident | MUST |
| ARAL-S-094 | Logs MUST be retained per policy | MUST |
| ARAL-S-095 | Log access MUST be restricted | MUST |

Log entry schema:

{
  "timestamp": "ISO8601",
  "level": "INFO|WARN|ERROR",
  "trace_id": "uuid",
  "event": "event_type",
  "actor": "agent_id or user_id",
  "action": "action_performed",
  "resource": "affected_resource",
  "outcome": "success|failure",
  "metadata": {...}
}
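The schema above says what a log line contains; ARAL-S-092, -093 and -023 say what the logger must enforce around it: a `trace_id` on every entry, tamper evidence, and no sensitive values. The following added example (written for this page; it is not ARAL project code, and the `prev_hash`/`hash` chain fields, the all-zero genesis value and the list of sensitive metadata keys are assumptions the spec does not prescribe) implements the schema as a hash-chained append-only log with metadata redaction, and a `Verify` that reports the first entry whose hash or link no longer checks out. It also covers the events other sections require, such as failed authentication (ARAL-S-008) and secret access (ARAL-S-082).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuditEvent mirrors the log schema on this page plus two chain fields (prev_hash, hash)
// that this example adds to make the log tamper-evident (ARAL-S-093).
type AuditEvent struct {
	Timestamp string         `json:"timestamp"`
	Level     string         `json:"level"`
	TraceID   string         `json:"trace_id"`
	Event     string         `json:"event"`
	Actor     string         `json:"actor"`
	Action    string         `json:"action"`
	Resource  string         `json:"resource"`
	Outcome   string         `json:"outcome"`
	Metadata  map[string]any `json:"metadata"`
	PrevHash  string         `json:"prev_hash"`
	Hash      string         `json:"hash"`
}

// sensitiveKeys are metadata keys that must never be logged verbatim (ARAL-S-023); an assumed list.
var sensitiveKeys = map[string]bool{"password": true, "token": true, "secret": true, "api_key": true, "authorization": true, "cookie": true}

// redact replaces sensitive values, recursing into nested objects.
func redact(m map[string]any) map[string]any {
	out := make(map[string]any, len(m))
	for k, v := range m {
		if sensitiveKeys[strings.ToLower(k)] {
			out[k] = "[REDACTED]"
		} else if nested, ok := v.(map[string]any); ok {
			out[k] = redact(nested)
		} else {
			out[k] = v
		}
	}
	return out
}

// digest hashes the canonical JSON of the entry with its Hash field cleared.
// encoding/json sorts map keys and emits struct fields in order, so the bytes are stable.
func digest(e AuditEvent) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// genesis is the prev_hash of the first entry (assumption for this example).
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

type AuditLog struct{ Entries []AuditEvent }

// Append redacts, timestamps, links and hashes the event. A missing trace_id is rejected (ARAL-S-092).
func (l *AuditLog) Append(e AuditEvent) error {
	if e.TraceID == "" {
		return errors.New("audit event rejected: trace_id is required")
	}
	if e.Timestamp == "" {
		e.Timestamp = time.Now().UTC().Format(time.RFC3339Nano)
	}
	e.Metadata = redact(e.Metadata)
	e.PrevHash = genesis
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].Hash
	}
	e.Hash = digest(e)
	l.Entries = append(l.Entries, e)
	return nil
}

// Verify walks the chain and returns the index of the first entry whose hash or link
// does not check out, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := genesis
	for i, e := range l.Entries {
		if e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Head is the hash to anchor out of band (e.g. in a separate store); without it the
// newest entry could be rewritten together with its own hash.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesis
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Line renders one entry as the structured JSON line that would be shipped (ARAL-S-091).
func (l *AuditLog) Line(i int) string {
	b, _ := json.Marshal(l.Entries[i])
	return string(b)
}

func main() {
	var al AuditLog
	// Constructed events: a failed login with a leaked key in metadata, then a secret read.
	_ = al.Append(AuditEvent{Level: "WARN", TraceID: "7b1f", Event: "auth.failure", Actor: "user:alice", Action: "login",
		Resource: "l7:gateway", Outcome: "failure", Metadata: map[string]any{"api_key": "sk-live-123", "ip": "203.0.113.7"}})
	_ = al.Append(AuditEvent{Level: "INFO", TraceID: "7b20", Event: "secret.access", Actor: "agent:support-bot", Action: "read",
		Resource: "secret/aral/api-key", Outcome: "success", Metadata: map[string]any{"version": "v7"}})
	fmt.Println(al.Line(0))
	al.Entries[0].Outcome = "success" // an attacker rewriting a failed login as a success
	fmt.Println("first bad entry:", al.Verify())
}
```

The chain detects any edit to a historical entry, because the next entry's `prev_hash` no longer matches. What it cannot detect on its own is a rewrite of the newest entry that also recomputes its `hash`, which is why `Head()` must be anchored somewhere the log writer cannot modify, and why ARAL-S-095 (restricted log access) is a requirement rather than an option.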

| Category | Requirements |
|---|---|
| Authentication & Authorization | 10 (ARAL-S-001 to -010) |
| Data Protection | 10 (ARAL-S-020 to -029) |
| Persona Security | 10 (ARAL-S-030 to -039) |
| Capability Security | 10 (ARAL-S-050 to -059) |
| Secret Management | 5 (ARAL-S-080 to -084) |
| Audit Logging | 6 (ARAL-S-090 to -095) |
| Total ARAL-SECURITY | 51 enumerated above + 9 implicit = 60 |

© 2026 IbIFACE — CC BY 4.0