AIARCOASC Docs

Security model

Defence in depth: identity → network → compute → storage → keys → audit.

What it is

Security at AIARCO is layered: any single failure must not lead to a tenant breach. Six layers, in order:

  1. Identity — every request is authenticated, every action authorised by scope.
  2. Network — TLS 1.3 only on the control plane, mTLS between control plane and workers, per-project CORS allow-list and optional IP allow-list.
  3. Compute — VM-grade isolation for sandboxes; per-GPU isolation for inference; kernel-hardened nodes; signed base images.
  4. Storage — tenant-scoped key namespace; AES-256-GCM at rest; KMS-backed envelope keys; optional BYOK.
  5. Keys — short-lived JWTs for browsers, scoped API keys for machines, immediate revocation, audit on every read.
  6. Audit — every state-changing call logged with actor, IP, request-ID and resource ID. 365-day hot retention.

Plus a supply-chain floor: builds run on SLSA-3 builders; every base image is signed; SBOM published per release.

Quickstart

# Verify a build's SLSA provenance
asc supply-chain verify ghcr.io/aiarco/asc-runtime:2026.5
client.audit.events.list(actor='alice@example.com', since='-24h')
await client.audit.events.list({ actor: 'alice@example.com', since: '-24h' });