This document explains the architecture of SecureFabric, the relationship between the public SDK repository and the private node implementation, and how protocol releases flow between them.
SecureFabric uses a split repository architecture to balance open-source transparency with operational security:
Repository: NodeCube/securefabric-public
Contents:
- Client SDKs (Rust, JavaScript/TypeScript, Python)
- Protocol specifications (protobuf, API documentation)
- Example applications
- SDK documentation and guides
- Test vectors and conformance tests
License: Apache-2.0
Purpose: Enable developers to build applications using SecureFabric with fully open-source client libraries.
Repository: NodeCube/securefabric-private (restricted access)
Contents:
- SecureFabric node/server implementation
- Infrastructure and deployment code
- Operational tooling and monitoring
- Private protocol development and testing
- Production configurations
License: Proprietary
Purpose: Maintain security and operational control over the production SecureFabric network.
┌─────────────────────────────────────────────────────────────┐
│                      Public Repository                      │
│                    (securefabric-public)                    │
│                                                             │
│    ┌──────────────┐  ┌──────────────┐  ┌──────────────┐     │
│    │   Rust SDK   │  │  JS/TS SDK   │  │  Python SDK  │     │
│    └──────────────┘  └──────────────┘  └──────────────┘     │
│                                                             │
│    ┌──────────────────────────────────────────────────┐     │
│    │             Protocol Specifications              │     │
│    │  - securefabric.proto                            │     │
│    │  - API documentation                             │     │
│    │  - Test vectors                                  │     │
│    └──────────────────────────────────────────────────┘     │
│                                                             │
│    ┌──────────────────────────────────────────────────┐     │
│    │             Examples & Documentation             │     │
│    └──────────────────────────────────────────────────┘     │
└─────────────────────────────────────────────────────────────┘
                               │
                               │ Protocol Sync
                               │ (GitHub Releases)
                               ▼
┌─────────────────────────────────────────────────────────────┐
│                     Private Repository                      │
│                   (securefabric-private)                    │
│                                                             │
│    ┌──────────────────────────────────────────────────┐     │
│    │         SecureFabric Node Implementation         │     │
│    │  - gRPC server                                   │     │
│    │  - Message routing                               │     │
│    │  - Authentication & authorization                │     │
│    │  - Cryptographic operations                      │     │
│    └──────────────────────────────────────────────────┘     │
│                                                             │
│    ┌──────────────────────────────────────────────────┐     │
│    │           Infrastructure & Deployment            │     │
│    │  - Kubernetes configs                            │     │
│    │  - Terraform/Ansible                             │     │
│    │  - Monitoring & logging                          │     │
│    └──────────────────────────────────────────────────┘     │
└─────────────────────────────────────────────────────────────┘
Protocol changes originate in the private repository and flow to the public SDK repository through a controlled release process:
- Protocol changes are developed and tested in the private repository
- Changes are reviewed and approved by the protocol team
- Node implementation is updated to support new protocol features
- Integration tests verify compatibility
When ready to publish:
- Tag a release in the private repository: v0.2.0
- GitHub workflow sync-proto.yml triggers automatically
- Workflow packages protocol artifacts:
  - specs/securefabric.proto
  - schemas/*.json (if applicable)
  - Relevant section from CHANGELOG.md
- Creates a GitHub Release with artifacts
- Dispatches webhook to public repository
The public repository receives the update:
- GitHub workflow pull-proto.yml receives webhook
- Downloads protocol artifacts from private repo release
- Updates /specs/proto/ and /specs/schemas/
- Runs SDK codegen via tools/sync-proto.sh
- Creates a PR with title chore(specs): sync protocol vX.Y.Z
- CI runs automatically on the sync PR
- All SDK tests must pass
- Conformance tests validate protocol compliance
- Maintainers review breaking changes
- PR is merged to main
- SDKs are updated in public package registries
Private Repo                                  Public Repo
────────────                                  ───────────
Protocol                                           │
Changes                                            │
    │                                              │
    ▼                                              │
Review &                                           │
Testing                                            │
    │                                              │
    ▼                                              │
Tag Release ─── GitHub Release ────────────►       │
v0.2.0            (Artifacts)                      │
    │                                              ▼
    │                                       pull-proto.yml
    │                                         (workflow)
    │                                              │
    └─────── Webhook Dispatch ────────────────────►│
           (repository_dispatch)                   │
                                                   ▼
                                               Download
                                               Artifacts
                                                   │
                                                   ▼
                                             Update Specs
                                                   │
                                                   ▼
                                              Run Codegen
                                            (sync-proto.sh)
                                                   │
                                                   ▼
                                               Create PR
                                                   │
                                                   ▼
                                             CI Validation
                                                   │
                                                   ▼
                                              Maintainer
                                                Review
                                                   │
                                                   ▼
                                             Merge to main
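The public-side steps above take a release tag from a webhook and files from a download, then write them into /specs/ and a PR title, so both should be treated as untrusted input until checked. The following is an added example of such checks, not code from the SecureFabric repositories. The function names, the expected-digest argument (assumed to reach the job separately from the download, for example in the dispatch payload) and the staging layout are assumptions.

```shell
#!/bin/sh
# Added example, not SecureFabric project code. All function names and the
# expected-digest argument are hypothetical.

# The tag arrives in a webhook payload and later appears in paths and the
# PR title, so accept only the vX.Y.Z shape.
valid_tag() {
  case "$1" in
    ''|*[!v0-9.]*) return 1 ;;   # rejects spaces, newlines, slashes, quotes
  esac
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Only securefabric.proto or a flat *.json schema name may be staged.
valid_artifact_name() {
  case "$1" in
    securefabric.proto) return 0 ;;
    *[!A-Za-z0-9._-]*|.*) return 1 ;;   # no path separators, no dotfiles
    *.json) return 0 ;;
  esac
  return 1
}

# sha256_matches FILE EXPECTED_HEX (lowercase hex, as sha256sum prints it)
sha256_matches() {
  [ -f "$1" ] || return 1
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# stage_artifact TAG FILE EXPECTED_HEX SPECS_DIR
# Copies FILE into SPECS_DIR/proto or SPECS_DIR/schemas only when every check
# passes; exit codes 2, 3 and 4 identify which check failed.
stage_artifact() {
  tag=$1 file=$2 expected=$3 specs=$4
  name=$(basename "$file")
  valid_tag "$tag" || return 2
  valid_artifact_name "$name" || return 3
  sha256_matches "$file" "$expected" || return 4
  case "$name" in
    *.proto) sub=proto ;;
    *) sub=schemas ;;
  esac
  mkdir -p "$specs/$sub" && cp "$file" "$specs/$sub/$name"
}
```

A digest that ships inside the same release as the files only detects corruption; it binds the download to the dispatched release only when it comes from a separate channel.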
SDKs use protocol-specific code generation tools:
- Tool: prost (Protocol Buffers) + tonic (gRPC)
- Build: Code generation happens during cargo build via build.rs
- Location: Generated code in sdk/rust/src/generated/

- Tool: grpcio-tools
- Build: Manual generation via python -m grpc_tools.protoc
- Location: Generated code in sdk/python/securefabric/*_pb2.py

- Tool: ts-proto or protoc-gen-ts
- Build: npm run codegen script in package.json
- Location: Generated code in sdk/js/src/generated/
All codegen is automated via tools/sync-proto.sh.
- SDK bugs or feature requests
- Client library performance issues
- Documentation improvements
- Protocol specification clarifications
- Example application problems
- Build/CI issues with SDKs
- Node/server bugs or crashes
- Authentication/authorization issues
- Production outages or performance degradation
- Infrastructure or deployment questions
- Security vulnerabilities in the node
- Operational concerns
Security Issues: Always report security vulnerabilities via security@secure-fabric.io or GitHub Security Advisories.
- Fork the public repository
- Create a feature branch
- Make SDK improvements
- Add/update tests
- Update documentation
- Open a pull request
- Pass CI checks
- Get maintainer approval
- Merge to main
- Develop protocol changes in private repo
- Update node implementation
- Test thoroughly with integration tests
- Create protocol release in private repo
- Automated sync to public repo
- Update all SDKs to support new protocol
- Merge sync PR in public repo
- All code is open-source and auditable
- No production credentials or keys
- Protocol specifications are public
- Test vectors use synthetic data only
- Secret scanning enabled in CI
- Restricted access to core team
- Production credentials secured
- Infrastructure code protected
- Operational monitoring data private
- Incident response procedures confidential
- Unit Tests: Test individual SDK functions
- Conformance Tests: Validate against test vectors
- Integration Tests: Test SDK against mock servers
- Example Tests: Verify example apps work
- Unit Tests: Test node components
- Integration Tests: Full stack testing
- Load Tests: Performance and scalability
- Security Tests: Penetration testing and audits
- Protocol Releases: As needed (typically quarterly)
- SDK Releases: Following protocol updates + bug fixes
- Node Releases: Independent of public releases
- Public SDK Issues: GitHub Issues in this repository
- Private Node Issues: Contact support@secure-fabric.io
- Security Issues: security@secure-fabric.io
- General Inquiries: contact@secure-fabric.io
- README.md - Getting started
- CONTRIBUTING.md - How to contribute
- SECURITY.md - Security policy
- quickstart.md - Quick start guide
- api.md - API reference