Skip to content

Security and Fail Closed

Frank Yglesias Bertheau edited this page Jul 7, 2026 · 1 revision
<h1>ᚾ&nbsp;NornGate — Security &amp; Fail-closed</h1>

Security is not bolted onto the runtime; it is the runtime. Two invariants do the work: default-deny (nothing acts without an explicit permit) and deterministic pre-execution gating (the allow/deny decision is a pure, reproducible function computed before any side effect). This page is how those hold — and, stated plainly, where they don't.


ᛉ Fail-closed & default-deny

An action proceeds only if a gate returns an explicit ALLOW. Every other outcome resolves to denial.

Gate result Verdict
explicit ALLOW pass to next gate
explicit DENY stop, log
timeout / no decision returned stop, log — fail-closed
evaluator error / policy store unreachable stop, log — fail-closed
unknown identity / unknown resource stop, log

Design references. Deterministic-rules-over-LLM-judgment and credential starvation — Assury. Signed, hash-chained action records — Kaman. Fail-closed governance at execution time — Orloj. Action-preparation separated from execution — ZephMatrix. Rune meanings follow the Elder Futhark tradition; naming doctrine follows the Prose Edda and Poetic Edda.

ᚾ NornGate — Security & Fail-closed

Security is not bolted onto the runtime; it is the runtime. Two invariants do the work: default-deny (nothing acts without an explicit permit) and deterministic pre-execution gating (the allow/deny decision is a pure, reproducible function computed before any side effect). This page is how those hold — and, stated plainly, where they don't.


ᛉ Fail-closed & default-deny

An action proceeds only if a gate returns an explicit ALLOW. Every other outcome resolves to denial.

Gate result Verdict
explicit ALLOW pass to next gate
explicit DENY stop, log
timeout / no decision returned stop, log — fail-closed
evaluator error / policy store unreachable stop, log — fail-closed
unknown identity / unknown resource stop, log

Why this direction. The alternative — fail-open — means an outage in the policy store silently converts a locked-down fleet into an open one, at the exact moment you are least able to observe it. Fail-closed makes the failure mode loud and safe: work stops, and the stop is recorded. Governance is evaluated fail-closed at execution time, not treated as advisory (the same stance Orloj enforces in its runtime).

The default-deny choice (allowlist, not denylist) is argued on [Home](Home) via Baldr: the one permit you forget to forbid is the one that kills you, so a forgotten rule must fail safe (denied), not fatal (allowed).

The honest cost — fail-closed trades availability for safety — is addressed in Fail-closed and availability, below.


ᛁ Deterministic gating

A gate verdict is a pure function of three inputs captured at evaluation time:

verdict = f(request, policy_snapshot, state_snapshot)

Given the same three, the verdict is always identical. That is what makes every decision reproducible, and therefore auditable: you can replay a historical request against its recorded snapshots and obtain the same verdict.

Precision. Determinism is over (request + policy + state)not over the request alone. The same request evaluated against changed policy or changed resource state can legitimately flip ALLOW → DENY. Any claim that "the same input always yields the same verdict" is wrong unless policy and state are pinned, which is why each gate records the snapshot identifiers next to the verdict.

Automated consent is rule-based, never model-judged. G2 may grant consent automatically, but that decision is evaluated by deterministic policy — never by an LLM. Putting a model inside the trust decision reintroduces exactly the surface the gates exist to remove: an LLM policing an LLM is itself jailbroken by prompt injection. NornGate adopts Assury's position here — deterministic rules over LLM-judged governance.


ᚦ Total mediation

The gates are only as strong as their coverage. "NornGate governs the execution boundary" is true only if every side-effecting path is routed through Yggdrasil. A single un-mediated path — a tool with its own egress, a cached credential, a direct socket out of the sandbox — voids all five gates for that path.

Two requirements make mediation structural rather than aspirational:

  1. No un-brokered egress. The G3 sandbox has no direct network path to production or the public internet. Every outbound call re-enters the pipeline as a brokered request. An action that could reach the world from inside the sandbox would defeat G3 by definition.
  2. Credential starvation — next.

ᚠ Credential starvation

Agents never hold raw credentials. Keys, tokens, and secrets stay in the gateway (Asgard control plane) and are injected only into an approved, committed action at G4 — never handed to the agent or into the sandbox.

Why. If an agent holds a live credential, it can act off-path — bypassing G0–G4 — and no gate can stop it. Starving the agent of credentials makes the pipeline the only way a credential can be used: mediation becomes a property of key custody, not a policy the agent is trusted to respect. Assury names this credential starvation and treats it as the mechanism that makes governance non-optional; NornGate's three [Credential Models](Credential-Models) — pooled, BYOK-vaulted, sovereign IAM-role — all keep custody in the gateway for exactly this reason.

This is also why "framework-agnostic" is safe to claim: the control does not live in your agent code (which may be wrong or hostile) — it lives in who holds the keys.


ᛈ The Urd ledger — integrity of a centralized log

Urd is a centralized, append-only ledger — a single operator-run log, not a distributed or on-chain one. Centralization is deliberate (low write latency, no consensus overhead, simple operations) and it fixes the integrity model precisely:

  • Tamper-evidence via a signed hash chain. Each record carries the hash of its predecessor plus an Ed25519 signature; any insert, delete, or edit breaks the chain and fails verification. Urd is therefore tamper-evident.
  • Tamper-evident is not tamper-proof. A centralized ledger is only as trustworthy as its signing key. If that key lived on the node that writes records, an operator — or an attacker holding that node — could forge a self-consistent chain. So the signing key is held in a separate trust domain: an HSM in the Asgard control plane, off the worker/app path. A compromised Midgard or Jotunheim node cannot forge Urd entries.
  • Verifiable receipts. Each G4-verified outcome emits a signed receipt a tenant can verify independently against Urd's public key. This is what makes per-outcome billing defensible: the customer can prove an outcome occurred and so can you, without either side trusting the other's word.

The integrity bar is Kaman's signed, hash-chained action records. NornGate meets the signing/chaining bar but keeps it centralized rather than anchoring chain heads externally — trading an independent third-party anchor for operational simplicity. If you later need non-repudiation against NornGate-the-operator, periodic external anchoring of the chain head is the additive step, not a redesign.

GDPR — immutable chain, erasable payload

An immutable ledger and the right to erasure only look contradictory; separate the layers:

  • The hash chain and metadata are immutable — predecessor hashes, gate, verdict, timestamps, snapshot IDs. These carry no personal data.
  • PII-bearing payloads are crypto-shreddable. Fields that can contain personal data — e.g. the plaintext reason in an audit record — live in a separate payload store, encrypted per data-subject. Erasure deletes the key (crypto-shredding); the payload becomes unrecoverable while the chain stays intact and still verifies.

So Urd is immutable as a proof structure and erasable as a data store — the two claims describe different layers, not a contradiction.


ᚺ Fail-closed and availability

Stated plainly: fail-closed plus a single blocking spine (Yggdrasil) is an availability liability. A control-plane outage stops side effects fleet-wide, and every request pays the sum of gate latencies serially. Two mitigations keep the cliff from becoming a business risk:

  • Latency budget. The G0→G4 path carries a target budget so gating cost is bounded and observable; a gate that exceeds its budget trips the fail-closed timeout rather than hanging the request.
  • Graded degraded mode. When the control plane is impaired, NornGate does not choose blindly between "deny all" and "allow all." Read-only, low-risk, or already-pre-authorized actions may continue under a cached policy snapshot; anything needing fresh G1/G2 evaluation denies. Degradation is by risk class, and the mode change is itself written to Urd.

This is the deliberate inverse of a "never block inference" design (Kaman's principle, where cross-cutting concerns fire-and-forget over a bus). NornGate blocks on purpose — the blocking gate is the product — so it owns the latency and availability story rather than hiding it.


ᛏ Threat model — scope

Defends against: an agent (buggy, prompt-injected, or hostile) taking an unauthorized side effect; off-path action via a leaked credential; silent policy bypass during an outage; undetectable audit tampering; two agents corrupting a shared resource through a write race.

Assumes / requires: every side-effecting path is routed through Yggdrasil (total mediation); the Asgard control plane and its HSM sit in a trust domain distinct from workers; policy is authored correctly — NornGate enforces the policy you write, it does not verify that your policy expresses your intent.

Out of scope: the correctness of the model's reasoning (NornGate governs actions, not thoughts); exfiltration through an approved action's own legitimate output channel (a policy-authoring problem — constrain the action); supply-chain integrity of the agent code itself.


Iconography

Section glyphs are Elder Futhark runes (Unicode Runic block, U+16A0–U+16FF) — not emoji. Full set on [Home](Home#iconography); the runes used here:

Rune Name Gloss Marks
Nauðiz need, necessity, constraint the platform mark
Algiz protection, defense, warding fail-closed & default-deny
Isa ice — the fixed, the immovable deterministic gating
Thurisaz thorn, gateway, warding force total mediation
Fehu movable wealth, guarded property credential starvation
Perthro the lot-cup, the well of Urd the Urd ledger
Hagalaz hail, disruption, the crisis endured fail-closed and availability
Tiwaz Týr — order, justice, the guardian threat model

Design references. Deterministic-rules-over-LLM-judgment and credential starvation — Assury. Signed, hash-chained action records — Kaman. Fail-closed governance at execution time — Orloj. Action-preparation separated from execution — ZephMatrix. Rune meanings follow the Elder Futhark tradition; naming doctrine follows the Prose Edda and Poetic Edda.

Clone this wiki locally