Skip to main content
This page describes the factory’s security practice as a lifecycle discipline, in principle only. The specifics of any real deployment — which systems, which credentials, which scopes — are never published; where an operational page needs them, it says see the private registry and stops there. This page does the same.

Access is part of the bill of materials

Every unit receives the minimum access its work order justifies, scoped as narrowly as the granting system allows. That access is treated the way every other component is treated: recorded when granted, reviewed while the unit operates, and retired when the unit is decommissioned. A unit’s leash is part of what the unit is — provisioned at Deploy, never accumulated informally afterward.

Builders and products hold different keys

The factory’s recursion — its products staff its line — makes one separation non-negotiable: the credentials of builders are never the credentials of products. A unit ships with its own narrowly-scoped access, not with a borrowed copy of its assembler’s. The same firewall thinking that separates germline from soma separates the keys that shape future units from the keys a deployed unit carries.

Retirement is a gate, not a cleanup chore

The factory’s own history teaches why. Everything built in one early burst decayed within months without a single failure — including a decommissioned agent’s credential that simply sat, expired, unattended. Nothing failed; everything decayed. Staleness is this factory’s corrosion, and corrosion protection is a designed system, not a virtue. So decommission is a gated procedure with a checklist, not a fade-out: access retired — not merely rotated — obligations deregistered from the watchdogs, the retirement recorded. The plant design puts credential retirement in its Phase 0, ahead of all new work: a stale credential is a standing invitation, and revoking it outranks building anything.

Security events are red

In the andon protocol, a security event is a red signal: the affected line segment halts and the operator is paged, with a structured resolution record required before flow resumes. Security is not a review that happens to the factory occasionally; it is one of the conditions under which the line refuses to run.

Self-audit

ClaimSource
Decay evidence: decommissioned agent’s expired credential; nothing failed, everything decayed; staleness is corrosiondocs/factory-design.md:36
Credential retirement outranks new work (Phase 0: retire credentials of the decommissioned)docs/factory-design.md:263
Germline/soma firewall thinkingdocs/factory-design.md:62–65
Security event is a red andon state; red halts and pages; resolution record requireddocs/factory-design.md:213
Deployment provisions exactly the access the work order justifiesdocs/factory-design.md:97, 150 (pull + certified deploy, applied as least privilege)