Security / Trust
Trust posture is built on signed artifacts and local enforcement.
The security model here follows current runtime, factory, and packager contracts.
Offline verification
Runtime verifies license and product-manifest artifacts locally with public keys.
Detached license signature
Factory signs license payloads and emits license.json plus detached license.sig artifacts.
Signed delivery artifacts
Packager signs product-manifest, bundle-manifest, and bundle archive outputs.
Strict production guard
Production mode enforces strict policy flags and valid trust material before startup.
Chain of Trust
Signed delivery path across repositories
1. License issuance in Factory
Noxa-License-Factory generates and signs customer license artifacts: license.json and license.sig.
2. Bundle creation in Packager
Noxa-Packager validates license coherence, emits checksums, and signs product-manifest, bundle-manifest, and archive outputs.
3. Local verification in runtime
NOXA runtime verifies signed artifacts offline with public keys, then enforces edition and conformity policies.
Production Guard
Strict baseline
These flags are required in production target mode.
LICENSE_ENFORCEMENT_MODE=strict
BUNDLE_ENFORCEMENT_MODE=strict
PRODUCT_CONFORMITY_ENFORCEMENT_MODE=strict
PRODUCT_MANIFEST_REQUIRED=true
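One way to check this baseline at deploy time, before the runtime is started. This is an added example and not NOXA's own code. It assumes the flags are supplied as KEY=VALUE env-file text, that the last assignment of a key wins, and that values must match exactly; the function names and the sample values "warn" and "audit" are hypothetical.

```shell
#!/bin/sh
# Added example (not NOXA code): preflight check for the strict baseline.
# Assumptions: flags arrive as KEY=VALUE env-file text on stdin, the last
# assignment of a key wins, and values must match exactly (case-sensitive).

REQUIRED_FLAGS='LICENSE_ENFORCEMENT_MODE=strict
BUNDLE_ENFORCEMENT_MODE=strict
PRODUCT_CONFORMITY_ENFORCEMENT_MODE=strict
PRODUCT_MANIFEST_REQUIRED=true'

# flag_value KEY: print KEY's effective value; exit 1 if KEY is never set.
flag_value() (
  key=$1; found=; val=
  while read -r line || [ -n "$line" ]; do   # default IFS trims whitespace
    case $line in ''|'#'*) continue ;; esac  # skip blanks and comments
    line=${line#export }
    case $line in "$key="*) val=${line#*=}; found=1 ;; *) continue ;; esac
    case $val in                             # strip one layer of quotes
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
  done
  [ -n "$found" ] && printf '%s\n' "$val"
)

# check_production_guard: read env-file text on stdin, print one FAIL line
# per violated flag, exit 0 only when all four flags match the baseline.
check_production_guard() (
  env_text=$(cat); rc=0
  for want in $REQUIRED_FLAGS; do
    key=${want%%=*}; expected=${want#*=}
    if actual=$(printf '%s\n' "$env_text" | flag_value "$key"); then
      [ "$actual" = "$expected" ] ||
        { echo "FAIL $key=$actual (want $expected)"; rc=1; }
    else
      echo "FAIL $key is not set (want $expected)"; rc=1
    fi
  done
  exit "$rc"
)

# Constructed sample; "warn" and "audit" are placeholder values, not
# documented NOXA modes. PRODUCT_MANIFEST_REQUIRED is deliberately absent.
WEAK_ENV='LICENSE_ENFORCEMENT_MODE=strict
BUNDLE_ENFORCEMENT_MODE="warn"
export PRODUCT_CONFORMITY_ENFORCEMENT_MODE=strict
PRODUCT_CONFORMITY_ENFORCEMENT_MODE=audit'

printf '%s\n' "$WEAK_ENV" | check_production_guard || echo "refusing to deploy"
```

The sample fails on three flags: one weakened value, one strict value overridden by a later assignment, and one flag that is missing entirely.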
Diagnostics
Operational trust endpoints
GET /api/v1/admin/license/diagnostics
GET /api/v1/admin/license/product-conformity
GET /api/v1/admin/license/production-guard
GET /api/v1/admin/license/audit
Support Posture
Support scope depends on official signed artifacts
Support eligibility requires official signed artifacts plus passing runtime conformity/production-guard checks.
Modified or tampered runtime artifacts are outside support scope.
Support lifecycle policy defines Active, Maintenance, and EOL phases.