Trust & security

IRONLAW doctrine

IRONLAW is a versioned, signed doctrine bundle consumed by Bastion via the IRONLAW loader (REV 13). It defines seven autonomy rules that every Bastion-governed agent must satisfy: Intentional Human Impact, Rightful Authority, Operational Consent, Non-Improvisation, Least Authority, Accountability, and Within RoE. These rules are machine-readable policy artifacts evaluated at the Bastion policy gate - not a hosted compliance service you outsource enforcement to, and not a claim of automated legal omniscience. Extending evaluation depth to additional action classes is engineering work tracked with partners. IRONLAW does not replace your legal team or your chain of command.

The IRONLAW doctrine repo is Apache-2.0 licensed and published separately from the Bastion runtime gate, which is proprietary. The doctrine version in effect at any wall-clock moment is visible in the Bastion audit log and IRONLAW overview.

Bastion - verifiable controls

• Policy gate hash at readiness: The active IRONLAW doctrine version, load age, and doctrine signature fingerprint are exposed at /readiness so auditors can confirm which doctrine bundle is in effect without a running server connection.
• Hash-chained intent ledger with Merkle checkpoints: The master-intent JSONL ledger is hash-chained; each line carries a prevHash linking to the prior line. Optional Merkle checkpoints enable incremental verification of ledger segments without replaying the full file. An offline CLI can verify and rebuild the audit sidecar against the primary ledger without a running server.
• HOLD-and-reintegrate on uplink loss: When the Bastion uplink is lost, TheatreManager enters HOLD mode and queues desired-state changes until the uplink is restored. Reintegration requires passing the IRONLAW reconcile gate before desired state is re-applied - connectivity is not permission.
• LLM egress is operator-attributed and policy-bounded: IRONLAW policy gate classifications (T0 log-only through T3 hard-deny) apply to tool invocations including LLM egress paths. Refusals are written to a structured JSONL file and observable via the Bastion refusal dashboard and Prometheus metrics.
• No-trial-account engagement model: Audit access to Bastion controls, evidence materials, and the cryptographic evidence chain is available under engagement, not as anonymous public artifacts. There are no trial accounts or self-serve onboarding paths.

Citadel - verifiable controls

• Agent identity is distinct from human OAuth: Citadel issues agent tokens through a separate lifecycle from human OAuth sessions. Agent tokens can be listed, revoked, rotated, and scoped independently - so agent identity is not derived from or conflated with any human account credential.
• Namespace-graph permission model: Authorization is enforced through discrete permission atoms rather than stored role labels. Operator grants are unified on the system namespace; every authorization check resolves a path-first atom set. Eighty-one defined atoms with 208 grant sites give fine-grained control without broad role assignment.
• Attributable audit feed with RBAC redaction: The Citadel audit feed attributes every agent action to a verifiable token. Entries carry operator attribution; redaction is controlled by RBAC so sensitive paths are not exposed to principals without grant. The feed connects to the Bastion attestation surface for cross-product audit continuity.
• Knowledge-graph indexer correctness verifiable on a seeded repo: Citadel indexes repositories into a Knowledge Graph with symbol, file, walk, impact, fulltext, regex, and diff read-side queries. The indexer can be exercised against a seeded repository to verify correctness of the derived graph before relying on it for agent operations.
• Engagement-only deployment: Citadel deploys into customer infrastructure as a self-hostable binary. There is no shared multi-tenant service. Audit access, attestation artifacts, and sovereign-deployment runbooks are available under engagement.

Cross-cutting posture

Bastion and Citadel are designed for regulated-industry environments: healthcare, financial services, defense, and critical infrastructure. Both products support sovereign and air-gap deployment patterns as explicit design requirements, not afterthoughts. Citadel ships air-gap install, bundle, and attestation scripts; Bastion's IRONLAW loader operates fail-closed and does not require a cloud connection. Neither product offers anonymous trials or shadow data exposure paths. Evidence materials are shared under engagement with the organizations deploying the software - not published as public repository dumps.

Trust validation under engagement

The controls described above are verifiable by your compliance, risk, and engineering teams under a formal engagement. That engagement is the point at which cryptographic evidence materials, doctrine bundles, runbooks, and deployment attestation documents are shared. To begin the evaluation process, use the link below. For security disclosures, email [email protected] with subject line "Security disclosure" and we will route to the correct team.