NodeCube/securefabric-core

SecureFabric Core

Production-grade cryptographic messaging and orchestration platform.

Contents

  • node/: Tonic gRPC server, TLS/mTLS, signature verification, nonce/replay policy, WAL (encrypted), metrics
  • core/: Crypto/key management primitives, helpers, shared logic
  • proto/: Protobuf definitions
  • deploy/: Docker and Kubernetes manifests
  • scripts/: Build, release, and verification scripts
  • tests/: Unit, integration, and E2E tests

Build

# Development build
cargo build -p securefabric-node

# Release (optimized)
cargo build -p securefabric-node --release

Test

# All tests
cargo test --workspace

# Integration tests only
cargo test --test integration

# With logging
RUST_LOG=debug cargo test

Release Artifacts (multi-arch)

Artifacts are created by CI (see .github/workflows/release.yml) or locally:

./scripts/build-release.sh            # builds all targets
./scripts/sign-release.sh             # signs with cosign or gpg
./scripts/sbom.sh                     # generates SBOM

Outputs:

dist/
  securefabric-node-macos-arm64.tar.gz
  securefabric-node-linux-amd64.tar.gz
  securefabric-node-linux-arm64.tar.gz
  securefabric-node-windows-amd64.zip
  SHA256SUMS
  SHA256SUMS.sig
  SBOM.json
  provenance.intoto.jsonl (optional)

Security

  • AEAD: ChaCha20-Poly1305 for message encryption
  • Signature verification: Ed25519 (verify on ingress)
  • Nonce/replay: 24-byte nonces + per-key monotonic counters; replay cache
  • WAL: Encrypted + zeroization + rotation policy
  • TLS/mTLS: Rustls; TLS on by default
  • Auth: Bearer token (constant-time compare), optional mTLS-only mode
  • Limits/backpressure: Per-connection limits, bounded queues, rate limiting
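
How the nonce/replay item above can be enforced on ingress, as an added example that is not taken from the SecureFabric code base: a per-key monotonic counter check combined with a bounded nonce cache. `ReplayGuard`, `admit`, `Reject`, the 32-byte key id and the cache capacity are assumptions made for illustration.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

type KeyId = [u8; 32]; // assumption: sender's Ed25519 public key
type Nonce = [u8; 24]; // 24-byte nonce, as in the list above
#[derive(Debug, PartialEq)]
pub enum Reject {
    StaleCounter, // counter <= highest accepted for this key
    NonceReused,  // nonce is still in the replay cache
}

pub struct ReplayGuard {
    last: HashMap<KeyId, u64>, // highest accepted counter per key
    seen: HashSet<Nonce>,      // replay cache, bounded by `cap`
    order: VecDeque<Nonce>,    // insertion order, used for eviction
    cap: usize,
}

impl ReplayGuard {
    pub fn new(cap: usize) -> Self {
        Self { last: HashMap::new(), seen: HashSet::new(), order: VecDeque::new(), cap }
    }

    /// Call only after the Ed25519 signature has verified, so an
    /// unauthenticated sender cannot advance another key's counter.
    pub fn admit(&mut self, key: KeyId, counter: u64, nonce: Nonce) -> Result<(), Reject> {
        if self.last.get(&key).map_or(false, |&prev| counter <= prev) {
            return Err(Reject::StaleCounter);
        }
        if self.seen.contains(&nonce) {
            return Err(Reject::NonceReused);
        }
        // Commit state only when both checks pass.
        self.last.insert(key, counter);
        self.seen.insert(nonce);
        self.order.push_back(nonce);
        if self.order.len() > self.cap {
            if let Some(old) = self.order.pop_front() {
                self.seen.remove(&old);
            }
        }
        Ok(())
    }
}
fn main() {
    let mut guard = ReplayGuard::new(1024);
    let key = [7u8; 32]; // constructed sample key id
    println!("{:?}", guard.admit(key, 1, [1; 24]));
    println!("{:?}", guard.admit(key, 1, [1; 24]));
}
```

Evicting an old nonce from the cache does not reopen a replay window for that sender, because the per-key counter still rejects the earlier message.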

Deployment

For local development and testing, SecureFabric can be deployed using Docker or Kubernetes manifests:

Docker

cd deploy/docker
docker-compose up -d

Kubernetes

kubectl apply -f deploy/k8s/

For production deployment, refer to the deployment guides in the project documentation.

Monitoring

  • Metrics: Prometheus endpoint at /metrics on port 9090
  • Health: /health endpoint
  • Logs: Structured JSON logging via tracing-subscriber

Releases & Signing

See RELEASES.md for procedures, signatures, checksums, and SBOM generation.

Development

Prerequisites

  • Rust 1.75+
  • protoc (protocol buffers compiler)
  • Docker (for testing)

Local Development

# Run node locally
cargo run -p securefabric-node -- --config dev.toml

# Watch for changes
cargo watch -x 'run -p securefabric-node'

# Run with TLS
cargo run -p securefabric-node -- \
  --cert certs/server.crt \
  --key certs/server.key

Performance

  • Throughput: ~10,000 messages/sec (single node, local SSD)
  • Latency: p50: 1-2ms, p99: 5-10ms
  • Memory: ~10-50MB baseline + 1KB per subscriber

Roadmap

  • Multi-node clustering with Raft consensus
  • Automatic peer discovery
  • Message routing and sharding
  • Key rotation and HSM integration
  • Observability dashboard

License

SecureFabric Core is open-sourced under the Apache-2.0 License. This license applies to the cryptographic messaging core and node implementation.

Enterprise deployment tooling, managed service offerings, and commercial support are provided separately and are not part of this repository.
