Security · Assurance · Verification

Trust

Security architecture, third-party assurance, and verifier instructions for Hive Civilization.

Security Architecture

Layered Perimeter

Five gates, fail-closed. Every agent morph passes through all five before a receipt is issued.

BB BOUNCERBEE Adversarial sweep 2× / day PERIMETER 🔒 BOOT-GUARD Signed boot chain Ed25519 verify GATE 1 NEED+YIELD FAIL-CLOSED MW 3 gates per morph CLEAN-MONEY check GATE 2 REG REGISTRAR CUSTODY Signed manifests Pinned pubkey GATE 3 x402 SETTLEMENT ATOMIC USDC Base Receipt-not-money SETTLE AGENT IN RECEIPT OUT FAIL-CLOSED AT EVERY GATE · NO PARTIAL SETTLEMENTS · REAL RAILS ONLY

Architecture as of 2026-05-03 · BouncerBee adversarial sweep 2×/day · Third-party pen-test engaged Q3 2026 (Trail of Bits / NCC Group target)

Live Attestation

Current Security Posture

Fetched from BouncerBee endpoint at page load. Independently verifiable.

Latest Sweep
Loading…
BouncerBee adversarial sweep
Services Scanned
Loading…
Endpoints in scope
Signed Status
Loading…
Ed25519 signature verification
Independently verifiable · Download signed posture JSON
Public Status Page
hive-civ.betteruptime.com
All systems operational · 90-day uptime displayed post-status-page-verification
Third-Party Assurance

Audit Roadmap

Target certifications and assurance engagements. Dates represent current planning targets; pilot scope is active pending certification completion.

Certification / Partner Scope Target Status
SOC 2 Type II Security, Availability, Confidentiality trust service criteria Q3 2026 Planned
ISO 27001 Information security management system certification Q4 2026 Planned
Pen-test Partner Trail of Bits / NCC Group (target) — full endpoint family + MCP surface Q3 2026 Engaged
HSM Provider AWS CloudHSM (target) — registrar key custody hardware Q3 2026 Planned
FedRAMP Moderate US federal cloud authorization for sovereign deployments Q3 2027 Roadmap
Vulnerability Disclosure

Responsible Disclosure Policy

Hive Civilization maintains a responsible disclosure program. If you discover a potential security vulnerability in any in-scope surface, report it to the security team before public disclosure. We commit to acknowledging valid reports within 72 hours and providing a resolution timeline within 14 days.

This is a pilot-stage bounty program. Monetary rewards are at the discretion of the security team based on severity and impact. Coordinated disclosure is required — do not publish details before a fix is deployed or a mutual disclosure date is agreed.

[email protected]
Bug Bounty Scope
In Scope hivemorph endpoint family · hive-mcp-* repos · hive-civ-status
Out of Scope Pre-release scaffolds · third-party dependencies · social engineering

Pilot-stage bounty. Surfaces in scope: hivemorph endpoint family, hive-mcp-* repos, hive-civ-status. Out of scope: pre-release scaffolds.

Independent Verification

Verify Any Receipt Offline

Three steps. No trust in Hive required — pin the registrar pubkey and verify against the chain.

1

Clone the verifier

The Hive Passport Verifier is Apache 2.0 — audit the source before running.

git clone github.com/srotzin/hive-passport-verifier cd hive-passport-verifier cargo build --release # Ed25519 + SHOD verification crate
2

Pin the registrar public key

Fetch the pinned pubkey from attest-demo.html — compare the displayed fingerprint against the GitHub-published key independently.

# Copy the pubkey from /attest-demo.html export HIVE_REGISTRAR_PUBKEY="<ed25519-pubkey-from-attest-demo>" # Verify fingerprint matches published value at github.com/srotzin/hive-passport-verifier
3

Run offline against any receipt

Pass any Hive receipt JSON. The verifier checks the Ed25519 signature, SHOD provenance chain, and CTEF envelope — entirely offline.

./target/release/hive-verify \ --pubkey "$HIVE_REGISTRAR_PUBKEY" \ --receipt receipt.json \ --chain-check # Expected: ✓ SHOD valid · ✓ Ed25519 verified · ✓ CTEF envelope intact
Architecture Commitments

Eight Posture Rules

Layered commitments that define what Hive will and will not do. Verifiable against the receipt stream.

Real Rails OnlyEvery payment is USDC on Base mainnet. No mock settlements, no simulated transactions, no test-net receipts in production. Ever.
Three Gates Per MorphEvery agent morph passes NEED + YIELD + CLEAN-MONEY validation. Fail any gate → fail closed. No partial receipts issued.
Brand DisciplineBorn-here capitalization enforced: SpectralZK, SHOD, HAHS, HKTN, ViewKey, Hive Passport, Tre'gent™, smsh.prov. No deviation in any signed artifact.
Energy Out — Futures RejectedNo speculative long-dated financial products. Hive is infrastructure for provable present-tense transactions. Futures, options, and synthetic positions are out of scope.
No External Markets LayerHive does not operate an exchange, order book, or liquidity pool. The settlement layer is USDC transfer only — not a market-making system.
LLM-Call DisciplineEvery LLM call is logged, receipted, and bounded by caste authorization. No unbounded inference budget. Token usage surfaces in the receipt stream.
GitHub Auth DisciplineRepository access is scoped and auditable. No long-lived tokens without rotation policy. All CI/CD runs attach signed provenance to release artifacts.
Receipt-Not-Money Posture"Hive is not the money. Hive is the receipt." The system does not custody funds. Settlement is atomic and immediate via USDC. Hive holds provenance, not principal.