Skip to main content

Blankstate INFOSEC Overview

This document is written for assurance review and avoids disclosing proprietary implementation details beyond public evidence of controls.

Updated over 4 months ago

Executive summary

  • All client–server communications are encrypted in transit over TLS (HTTPS/WSS).

  • Access to the IBF API is enforced via Bearer tokens with timing‑safe validation and secure session cookies for protected documentation.

  • The Atlas/Blueprint web interface authenticates users via a managed identity provider; sensitive tokens are supplied in Authorization headers for server calls.

  • The Replay desktop app is built with Rust and ships with a minimal permission surface (no filesystem, shell, or OS APIs enabled) and uses managed authentication; default mode favors on‑device inference with quantized ONNX models.

  • Cross‑origin access to the IBF API is allow‑listed for production domains; preflight handling is enforced.

  • Logging, audit events, and standardized error responses support operational monitoring without exposing secrets.

  • Secrets and environment configuration are injected out‑of‑band and not hard‑coded into server binaries.

Scope and applicability

  • Atlas/Blueprint Interface (Next.js web): goal and blueprint definition, analysis visualization, operational controls

  • IBF API (FastAPI): protocol and metric management, analysis (batch/real‑time), ZSL/GAN orchestration, client API

  • Replay (Rust desktop): local replay/analysis with on‑device ONNX inference, optional policy‑gated cloud analysis

  • Environments: Development, Staging, Production, Sandbox (partner evaluation)

Environment and segmentations

  • Production: External users and enterprise integrations; strict CORS allowlist; tokens per organization.

  • Sandbox: Evaluation environment with non‑production data; defaults to local inference; cloud analysis policy‑gated.

  • Development/Staging: Internal use with restricted access; broader CORS for testing; feature flags enabled.

System architecture and trust boundaries

The platform comprises three cooperating components:

  • Blueprint Atlas (Next.js UI) used by licensed users to define and evaluate Blueprints and view Atlas analysis results.

  • IBF API (FastAPI) providing protocol/metric management, analysis, and streaming endpoints, including ZSL/GAN orchestration.

  • Replay desktop (Rust + Tauri) for local analysis/replay workflows, licensed per user, connecting to the same IBF API.

Key trust boundaries:

  • Client boundary: Browser and Tauri WebView. No trusted code executes outside signed application bundles and vetted CDNs for auth.

  • Edge/API boundary: All client calls terminate on HTTPS endpoints; documentation endpoints are disabled by default and gated.

  • Data boundary: Analysis payloads and results in Sandbox are non‑production data by policy. Server‑side configuration and tokens are injected via environment.

Authentication and authorisation

  • Blueprint Atlas (web): Uses a managed identity provider to establish the user session in the browser; when calling protected server APIs, a Bearer token is included via Authorization header.

  • Replay (desktop): Uses managed authentication from a trusted CDN module; no passwords handled by our servers.

  • IBF API (server): Accepts only Bearer tokens for protected endpoints; validates tokens with timing‑safe comparison and denies access with standard 401/403.

Evidence excerpts:

async def validate_token(
    auth: Optional[HTTPAuthorizationCredentials] = Security(reusable_bearer)
) -> str:
    settings = get_settings()
    valid_tokens = settings.VALID_API_TOKENS
    if not valid_tokens:
        raise HTTPException(status_code=500, detail="Server configuration error: No API tokens loaded.")
    if auth is None or not auth.credentials:
        raise HTTPException(status_code=401, detail="Not authenticated", headers={"WWW-Authenticate": "Bearer"})
    is_valid = any(secrets.compare_digest(auth.credentials, valid_token) for valid_token in valid_tokens)
    if not is_valid:
        raise HTTPException(status_code=403, detail="Invalid authentication credentials", headers={"WWW-Authenticate": "Bearer"})
    return auth.credentials
response.set_cookie(
    key="ibf_session_token",
    value=token,
    httponly=True,
    secure=is_secure,
    samesite="lax",
    max_age=86400

Auth flow overview

Network and transport security

  • TLS enforced for all external endpoints (HTTPS/WSS). HSTS enabled at the edge. WebSocket URLs are derived from HTTPS bases to enforce wss.

  • Evidence (WebSocket scheme enforcement):

  • CORS configured with an allowlist for trusted production origins on the IBF API; preflight handling is enabled.

Application security (server)

  • Documentation endpoints are disabled by default and re‑enabled only behind authentication.

  • Standardized error responses avoid leaking internals; sensitive values are not logged.

  • Session cookies for documentation access are httpOnly, Secure over HTTPS, and SameSite=Lax.

  • Health endpoint exposes only status, not configuration.

app = FastAPI(
  title="Intention Blended Framework (IBF) API Service",
  docs_url=None,
  redoc_url=None,
  openapi_url=None
)

Application security (clients)

Blueprint Atlas (web)

  • Uses a managed identity provider for user authentication; session changes tracked via SDK.

  • When calling protected APIs, the app passes Bearer tokens in Authorization headers over TLS.

  • No server secrets are embedded in the frontend bundle; environment values used client‑side are scoped and revocable.

Replay (desktop, Rust)

  • Minimal Tauri allowlist: no filesystem, shell, or OS API permissions are enabled by default.

  • Exposes only a minimal set of commands; no direct local file ingestion is permitted without user action.

  • Automatic updater is disabled in Sandbox.

On‑device inference (default Sandbox mode):

  • Replay supports running analysis locally using an optimized ONNX model with quantization to reduce footprint and avoid remote inference dependencies.

  • In this mode, raw content remains on device; only user‑visible results are rendered locally, and no raw payloads are transmitted to servers.

Evidence of ONNX/Tokenizer local inference path (present but redacted of proprietary details):

pub fn analyze_text(text: &str) -> Result<HashMap<String, f32>, String> {
    // ...
    let environment = Environment::builder()
        .with_name("inference_environment")
        .build()?;
    let mut session = environment
        .new_session_builder()?
        .with_model_from_file("models/ibf-model.onnx")?;
    let tokenizer = Tokenizer::from_file("models/tokenizer.json")?;
    // ... inference ...
}

Quantization principle:

  • We use integer/fixed‑point quantization for ONNX model artifacts in Replay builds to reduce compute and memory and to enable secure, offline execution. This further reduces the need to connect to remote inference services for standard use cases.

"allowlist": {
  "all": false
}

Security note: Content Security Policy (CSP) is supported by Tauri and can be set for production packaging; we ship Sandbox builds without enabling remote dangerous APIs and with vetted remote origins (auth CDN). No privileged Tauri APIs are allowed.

Data protection and privacy

  • Data classification: Sandbox use is restricted to non‑production and non‑personal data. Inputs are analyzed transiently; persistent storage is minimized.

  • Encryption in transit: All client–server communications are protected via TLS. WebSocket connections use wss://.

  • Encryption at rest: Managed providers’ default encryption is used for any stored artifacts; the server does not persist sensitive credentials.

  • Token handling: API tokens are provided by administrators, validated server‑side, and never logged in full. Session cookies are httpOnly and secure.

Transit encryption and data minimization for inference

  • When Replay operates in on‑device mode, inference is performed locally and no analysis inputs leave the device.

  • When the application calls the IBF service (e.g., for specialized ZSL/GAN orchestration or organization‑policy cloud evaluation), all traffic is over TLS and requests are authenticated.

  • Our design principle is data minimization: where feasible, the system transmits derived features or the minimum necessary text segments required to fulfill the requested analysis, never credentials or unrelated context.

  • In Sandbox, organizations can configure policies to prefer local inference and restrict network analysis to non‑sensitive test content only.

@router.post("/auth/verify", include_in_schema=False)
async def verify_token(request: Request):
    """
    Verify token and set secure session cookie.
    """

Data handling note: For Atlas web workflows that require server‑side analysis, requests contain only the content necessary for the requested measurement and are transmitted under TLS with token‑based authorization; results are returned without storing raw content beyond transient processing.

Secrets and configuration management

  • Server secrets (allowed API tokens, datastore URLs) are injected via environment and accessed through a centralized configuration layer.

  • Client builds do not contain server secrets. Organization API keys used by clients are revocable and scoped; requests are authenticated over TLS.

@lru_cache()
def get_settings() -> Settings:
  settings = Settings()
  _ = settings.VALID_API_TOKENS
  return settings

Logging, monitoring, and abuse prevention

  • Structured logging with configurable levels captures auth outcomes and errors without sensitive payloads.

  • Standard 401/403 responses facilitate monitoring.

  • Rate limiting and usage controls are applied to client‑facing endpoints to protect availability in Sandbox; health endpoints provide liveness only.

Secure SDLC and dependency hygiene

  • Modern, maintained frameworks (FastAPI, Next.js, Tauri, Yew). Dependencies are pinned and updated regularly.

  • Code review and static analysis are part of change control. Threat modeling is applied to new capabilities.

  • Build artifacts are reproducible; environment configuration is separated from code.

Control framework mapping (excerpt)

  • ASVS V2 (Authentication): Implemented via managed identity provider (clients) and Bearer token validation (server).

  • ASVS V3 (Session Management): Secure cookies for documentation; short‑lived tokens for API.

  • ASVS V7 (Error Handling): Generic, consistent errors; no stack traces to users.

  • ASVS V12 (HTTP Security): TLS enforced; CORS allowlist in production; HSTS at edge.

  • ASVS V14 (Config): Secrets via environment; no hard‑coded server secrets.

  • ASVS V9 (Data Protection): Encryption in transit; minimal Sandbox storage.

Data flow (detailed)

Policy: Sandbox deployments default to Path A (local), with Path B enabled only where organizational policy requires server‑side orchestration for specific analyses.

Residual risks and mitigations

  • Client tokens must be protected at the endpoint: mitigated by TLS, revocable/scoped tokens, and managed identity.

  • Desktop app webview CSP: configured for production builds; no privileged Tauri APIs enabled.

  • Sandbox data misuse: mitigated by Sandbox policy (no production data), audit logging, and least‑privilege access.

Appendix: Selected evidence

The snippets above are extracted from the public code in this Sandbox repository to demonstrate control presence without exposing proprietary logic.

Did this answer your question?