ai-agent/symphony-ai-agent/security/security-requirements.md

Security Requirements

Authentication

  1. All authentication must use TLS 1.3 with modern ciphers (AES256-GCM, CHACHA20)
  2. Client certificate pinning required (SHA-256 fingerprints)
  3. Signed OU claims for role mapping (HMAC-SHA256)

Authorization

  1. Role-Based Access Control (RBAC) with:
    • Role inheritance hierarchy
    • Permission composition
    • Boundary enforcement (GLOBAL, INTERNAL, RESTRICTED)
  2. Least privilege principle enforced
  3. All privileged operations require ADMIN role

Data Protection

  1. AES-256 encryption for all secrets
  2. Audit logs with integrity protection (HMAC-SHA256)
  3. 90-day audit log retention

New Requirements for Role Inheritance

  1. Roles can inherit permissions from parent roles
  2. Inheritance must respect boundary restrictions
  3. Circular inheritance must be prevented
  4. Admin role inherits all permissions
  5. Developer role inherits basic permissions
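
The resolver below is an added example, not code from this project, showing how requirements 1 to 3 can be enforced when role definitions are loaded. The boundary ordering (GLOBAL < INTERNAL < RESTRICTED), the rule that a role may not inherit from a parent in a more restricted boundary, the role dictionary layout, the permission names and all function names are assumptions.

```python
from enum import IntEnum

class Boundary(IntEnum):
    # Assumed ordering: a higher value means a more restricted scope.
    GLOBAL = 0
    INTERNAL = 1
    RESTRICTED = 2

class RoleError(ValueError):
    """A role definition violates one of the inheritance requirements."""

def effective_permissions(roles, name, path=()):
    """Return the role's own permissions plus everything it inherits."""
    if name not in roles:
        raise RoleError(f"unknown role: {name}")
    if name in path:  # requirement 3: already on the current inheritance chain
        chain = path[path.index(name):] + (name,)
        raise RoleError("circular inheritance: " + " -> ".join(chain))
    role = roles[name]
    perms = set(role["permissions"])
    for parent in role["parents"]:
        inherited = effective_permissions(roles, parent, path + (name,))
        # Requirement 2 (assumed rule): never inherit from a parent that lives
        # in a more restricted boundary than the inheriting role.
        if roles[parent]["boundary"] > role["boundary"]:
            raise RoleError(f"boundary violation: {name} cannot inherit from {parent}")
        perms |= inherited
    return frozenset(perms)

def validate(roles):
    """Resolve every role at load time so a bad definition fails before use."""
    return {name: effective_permissions(roles, name) for name in roles}

def violation(roles):
    """Return the first violation message, or None if the definitions are valid."""
    try:
        validate(roles)
    except RoleError as exc:
        return str(exc)
    return None

# Constructed sample definitions (role layout and permission names are hypothetical).
ROLES = {
    "basic": {"boundary": Boundary.GLOBAL, "parents": [], "permissions": {"task:read"}},
    "developer": {"boundary": Boundary.INTERNAL, "parents": ["basic"], "permissions": {"task:write"}},
    "admin": {"boundary": Boundary.RESTRICTED, "parents": ["developer"], "permissions": {"role:manage"}},
}
```

Because the cycle check tracks only the current inheritance chain, a role reached through two different parents (diamond inheritance) is resolved normally and is not reported as circular.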