IPC-HMAC — Inter-Pillar Authentication (SI-003)
Cryptographic message authentication for all inter-pillar HTTP calls inside the ABS Core Octagon. Implements SI-003: no plaintext keys cross process boundaries.
IPC-HMAC — Inter-Pillar Cryptographic Authentication
What Problem This Solves
The ABS Core Octagon is a distributed system. CORTEX calls CHI. The Gateway calls LEDGER. QUORUM receives approval requests from the pipeline. In a naive implementation, any process that can reach an internal port can inject requests — even if the pillar is not exposed to the internet.
IPC-HMAC (Inter-Process Communication HMAC) ensures that every HTTP request crossing a pillar boundary is cryptographically authenticated and replay-protected, regardless of network topology.
This directly implements System Invariant SI-003: "No plaintext keys in memory; cryptographic isolation via IPC-HMAC."
Protocol
Request signature
Every inter-pillar request must carry two headers:
| Header | Value |
|---|---|
| X-ABS-IPC-HMAC | HMAC-SHA256(secret, METHOD:path:timestamp_ms:SHA256(body)) |
| X-ABS-IPC-Timestamp | Unix milliseconds as a string |
HMAC payload construction
```text
payload = METHOD + ":" + path + ":" + timestamp_ms + ":" + hex(SHA256(body))
signature = HMAC-SHA256(ABS_IPC_HMAC_SECRET, payload)
```
Example:
```text
POST /vaccinate 1716000000000 body={"text":"hello"}
payload = "POST:/vaccinate:1716000000000:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9820"
signature = HMAC-SHA256(secret, payload) = "a3f1..."
```
Replay protection
Requests with a timestamp older than ABS_IPC_REPLAY_WINDOW_MS (default: 60 000 ms) are rejected with HTTP 401. This limits how long a captured valid request can be replayed: once the window has passed, the receiver no longer accepts it.
Fail-Closed (SI-004)
When ABS_IPC_HMAC_SECRET is configured and a request arrives without valid headers, the receiving pillar rejects it with HTTP 401 — never silently allows it.
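The signing and verification rules above, as an added example (not the project's own `cortex_engine.ipc_hmac` or `@abs-core/ipc-hmac` code): it builds the `METHOD:path:timestamp_ms:hex(SHA256(body))` payload and returns the 200 or 401 a receiving pillar would answer with. The function names, the hex encoding of the signature header, the rejection of future-dated timestamps, and the secret are assumptions or constructed values.

```python
import hashlib
import hmac

HDR_SIG = "X-ABS-IPC-HMAC"
HDR_TS = "X-ABS-IPC-Timestamp"
REPLAY_WINDOW_MS = 60_000  # page default for ABS_IPC_REPLAY_WINDOW_MS


def ipc_mac(secret: bytes, method: str, path: str, ts_ms: str, body: bytes) -> str:
    # payload = METHOD:path:timestamp_ms:hex(SHA256(body)); hex output is assumed
    payload = f"{method.upper()}:{path}:{ts_ms}:{hashlib.sha256(body).hexdigest()}"
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def sign(secret: bytes, method: str, path: str, body: bytes, now_ms: int) -> dict:
    ts = str(now_ms)
    return {HDR_SIG: ipc_mac(secret, method, path, ts, body), HDR_TS: ts}


def verify(secret, method, path, body, headers, now_ms, window_ms=REPLAY_WINDOW_MS) -> int:
    """Return the HTTP status the receiver would answer with: 200 or 401."""
    sig, ts = headers.get(HDR_SIG), headers.get(HDR_TS)
    if not sig or not ts or not (ts.isascii() and ts.isdigit()):
        return 401  # fail closed: missing or malformed headers
    # Older than the window is rejected per the page; rejecting timestamps
    # equally far in the future is an assumption added in this example.
    if abs(now_ms - int(ts)) > window_ms:
        return 401
    expected = ipc_mac(secret, method, path, ts, body)
    # compare_digest on bytes: constant-time, and no TypeError on non-ASCII input
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return 401
    return 200


def demo() -> dict:
    secret = b"constructed-demo-secret-not-for-use!"  # constructed value
    body = b'{"text":"hello"}'
    t0 = 1716000000000
    h = sign(secret, "POST", "/vaccinate", body, t0)
    return {
        "valid": verify(secret, "POST", "/vaccinate", body, h, t0 + 1_000),
        "tampered_body": verify(secret, "POST", "/vaccinate", b'{"text":"HELLO"}', h, t0 + 1_000),
        "other_path": verify(secret, "POST", "/evaluate", body, h, t0 + 1_000),
        "replayed_late": verify(secret, "POST", "/vaccinate", body, h, t0 + 61_000),
        "no_headers": verify(secret, "POST", "/vaccinate", body, {}, t0 + 1_000),
    }
```

Because the path and method are inside the MAC, a signature captured for `/vaccinate` is rejected on `/evaluate` even within the replay window.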
Environment Variables
| Variable | Required | Default | Description |
|---|---|---|---|
| ABS_IPC_HMAC_SECRET | Production | — | Shared secret across all pillars. Must be identical on every pillar. Use 32+ bytes of entropy. |
| ABS_IPC_REPLAY_WINDOW_MS | No | 60000 | Replay protection window in milliseconds. |
If ABS_IPC_HMAC_SECRET is not set, IPC-HMAC is disabled and a warning is logged. This is only acceptable in development. Set CORTEX_ENV=production / QUORUM_ENV=production to enforce authentication at startup.
Integration Points
Python (CORTEX → CHI)
```python
import json
import os

import httpx
from cortex_engine.ipc_hmac import sign_request


async def post_vaccinate(url: str, text: str) -> httpx.Response:  # wrapper name is illustrative
    # Serialize once and sign the exact bytes that are sent.
    body = json.dumps({"text": text, "vaccines": ["pii"]}).encode()
    headers = sign_request("POST", "/vaccinate", body)
    # headers = {"X-ABS-IPC-HMAC": "...", "X-ABS-IPC-Timestamp": "..."}
    async with httpx.AsyncClient() as client:
        return await client.post(url, content=body, headers={
            "X-CHI-API-Key": os.getenv("CHI_API_KEY"),
            **headers,
        })
```
TypeScript (Gateway → LEDGER / QUORUM)
```typescript
import { signRequest } from '@abs-core/ipc-hmac';

const body = JSON.stringify(event);
const ipcHeaders = signRequest('POST', '/record', body);
await fetch(`${ledgerUrl}/record`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', ...ipcHeaders },
  body,
});
```
Hono middleware (LEDGER, QUORUM)
```typescript
import { ipcHmacMiddleware } from '@abs-core/ipc-hmac';

// Apply to write endpoints only
app.use('/record', ipcHmacMiddleware());
app.use('/create', ipcHmacMiddleware());
```
FastAPI dependency (CHI)
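```python
from fastapi import Depends, FastAPI, Request
from cortex_engine.ipc_hmac import verify_fastapi_request

app = FastAPI()

# The dependency runs before the handler; the handler body is not reached on a failed check.
@app.post("/vaccinate")
async def vaccinate(request: Request, _ipc: None = Depends(verify_fastapi_request)):
    ...
```
Covered Boundaries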
| Sender | Receiver | Signed Endpoints |
|---|---|---|
| CORTEX | CHI | POST /vaccinate, POST /evaluate |
| CORTEX Sensory | CHI | POST /vaccinate (inbox ingestion) |
| Gateway Pipeline | LEDGER | POST /record, POST /verify, POST /batch |
| Gateway Pipeline | QUORUM | POST /create, POST /submit |
Security Properties
| Property | Implementation |
|---|---|
| Message integrity | HMAC covers method, path, timestamp, and SHA-256 of body — any tampering invalidates the signature |
| Replay protection | 60-second timestamp window |
| Timing-safe comparison | hmac.compare_digest() (Python), crypto.timingSafeEqual() (TypeScript) — no early exit on mismatch |
| Fail-Closed | Missing or invalid signature → HTTP 401, request rejected (SI-004) |
| Development-friendly | Disabled when ABS_IPC_HMAC_SECRET is unset — zero friction in local dev |
Key Generation
Generate a cryptographically secure shared secret:
```bash
# Linux / macOS
openssl rand -hex 32
# Or via Node.js
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
# Or via Python
python3 -c "import secrets; print(secrets.token_hex(32))"
```
Set the same value on all pillars:
```bash
# Cloudflare Workers (CORTEX, LEDGER, QUORUM)
wrangler secret put ABS_IPC_HMAC_SECRET
# On-prem / local (.env)
ABS_IPC_HMAC_SECRET=<value>
```
Key Management & HSM Integration
Cryptographic key lifecycle (KMS), Hardware Security Modules (HSM) integration, and rotation strategies.
Security Hardening v4.3.3
Complete list of security fixes applied in v4.3.3: cryptographic hardening, Fail-Closed enforcement, constant-time comparisons, and authentication coverage across all pillars.