Skip to main content
DEPLOYMENT

Deployment requirements.

Operational requirements for deploying AGA cryptographic runtime governance. AGA provides the governance mechanism. The deployer provides the infrastructure isolation and key management that makes it trustworthy.

NETWORK

Network Isolation.

The MCP governance proxy is effective only when it is the sole path between the agent and external resources. AGA does not provide network isolation. AGA provides the mechanism to specify, verify, and prove that isolation was in place.

Kubernetes

NetworkPolicy restricting agent pod egress to gateway IP/port only. Admission webhook configured to reject pods that launch without a valid sealed policy.

Standalone

iptables/nftables rules restricting agent process network access to gateway listener. seccomp profile blocking raw socket creation. AppArmor profile confining filesystem access.

Air-Gapped

Physical network isolation. gateway is the only device with external connectivity. Evidence bundles transferred via removable media for offline verification.

KEY MANAGEMENT

Signing Key Requirements.

LevelKey StorageRotationSuitability
MinimumFile-based PEM (chmod 0600)Manual via aga rotateDevelopment, testing
RecommendedHSM (FIPS 140-3 Level 3) or TPM 2.0Every 24h or 1,000 receiptsProduction, enterprise
Maximumk-of-n threshold across distributed HSMsAutomated, policy-drivenDefense, critical infrastructure

The ML-DSA-65 + Ed25519 hybrid composite (NIST FIPS 204) is implemented and cross-verified today, and Ed25519 is the live default signature. HSM-backed key custody remains on the roadmap.

CADENCE

Measurement Cadence.

Deployment TypeCadenceTOCTOU WindowRationale
SCADA / ICS100ms100msPLC firmware integrity, actuator state
Autonomous Drone150-250ms150-250msKill-chain governance, ROE compliance
AI Agent (MCP)Per tool call0msSynchronous decision, zero TOCTOU
Container / K8s500ms-5s500ms-5sImage hash, runtime config, mount integrity
RETENTION

Evidence Retention.

Evidence bundles are self-contained and offline-verifiable. Retention periods depend on the applicable compliance framework.

FrameworkMinimum Retention
SOX Section 8027 years
HIPAA Security Rule6 years
EU AI Act (Art. 12)Duration of AI system lifecycle
NIST SP 800-53 (AU-11)Per organizational policy