SECURITY HELIX BOABIXER V13 · ATZA ZONES · GID-SEC REGISTRY
EACH GATE IS A ZONE
ZONE SOLVENCY IS GATE PASSING UNDER LOAD
6 GATES · 6 ATZA ZONES · GID-SEC-001..006 · SOSTLE L0/L2/L3
γ₁ = 14.134725141734693 · Zone solvency threshold: WPA 84.8% (γ₁×6) · Day 97
ZONE SOLVENCY THEOREM
Zone Z is SOLVENT iff Gate(Z) passes under γ₁×6 load (84.8% WPA = BREAK threshold)
Zone Z is INSOLVENT iff Gate(Z) fails at or before 84.8% WPA — gate cannot defend the fleet under real load
Zone Z is WATCH iff Gate(Z) passes at nominal load but degrades above 60% WPA — solvent with margin concern
Boabixer role: confirm zone solvency across all 6 gates. One insolvent zone = security helix broken. Gate stack not sovereign.
6 ATZA SECURITY ZONES — GID REGISTRY
Z1 · ATZA · IMAGE SCANNING
TRIVY ZONE
Gate 1 · Trivy Operator
GID-SEC-001
SOSTLE: L2 (local silo)
Solvency: passes at γ₁×6 load
Scope: image CVE scan + SBOM generation
KCF: EB-8
Boundary: registry to admission
● LIVE · eose-dev Day 97
Z2 · ATZA · ADMISSION CONTROL
GATEKEEPER ZONE
Gate 2 · OPA Gatekeeper
GID-SEC-002
SOSTLE: L2 (local silo)
Solvency: <10ms webhook; passes at γ₁×6
Scope: pod spec validation, constraint enforcement
KCF: EA-64..73
Boundary: API server admission
● LIVE · 2/2 Running
Z3 · ATZA · RUNTIME MONITORING
FALCO ZONE
Gate 3 · Falco eBPF
GID-SEC-003
SOSTLE: L2 (local silo)
Solvency: <1ms; eBPF overhead minimal
Scope: syscall monitoring, anomaly detection
KCF: EA-75..80
Boundary: kernel → container runtime
● LIVE · eBPF Running
Z4 · ATZA · POLICY ENFORCEMENT
KYVERNO ZONE
Gate 4 · Kyverno
GID-SEC-004
SOSTLE: L3 (cloud admission)
Solvency: <15ms; 4/4 replicas HA
Scope: policy-as-YAML, image verify, generate
KCF: EA-65, EA-69
Boundary: admission + runtime policy
● LIVE · 4/4 Running
Z5 · ATZA · SOVEREIGN POLICY
MEROSTONE ZONE
Gate 5 · MEROSTONE KCF 82
GID-SEC-005
SOSTLE: L3 (cloud admission)
Solvency: γ₁-anchored; 82 KCF defined
Scope: sovereign KCF enforcement, LOCO scoring
KCF: ALL 82
Boundary: admission → sovereign floor
◐ READY · constraints pending
Z6 · ATZA · QE FLOOR
MECIPOL ZONE
Gate 6 · MECIPOL D1-D10
GID-SEC-006
SOSTLE: L0 (QE floor — cannot be bypassed)
Solvency: D1-D10 defined; eose-dev is QE surface
Scope: 10 sovereign domains, final verdict
KCF: D1-D10
Boundary: everything → SOVEREIGN_FLEET
● LIVE · D1-D10
SOSTLE WALL ASSIGNMENTS
ZONE · GID · GATE · SOSTLE WALL · RATIONALE · STATUS
Z1 TRIVY · GID-SEC-001 · G1 · L2 — Local Silo · Image scanning is local to each silo's admission path · LIVE
Z2 GATEKEEPER · GID-SEC-002 · G2 · L2 — Local Silo · Admission webhook is cluster-local · LIVE
Z3 FALCO · GID-SEC-003 · G3 · L2 — Local Silo · Runtime monitoring is node-local (eBPF) · LIVE
Z4 KYVERNO · GID-SEC-004 · G4 · L3 — Cloud Admission · Policy enforcement spans silo + cloud boundary · LIVE
Z5 MEROSTONE · GID-SEC-005 · G5 · L3 — Cloud Admission · Sovereign KCF spans all silos, enforced at cloud · READY
Z6 MECIPOL · GID-SEC-006 · G6 · L0 — QE Floor · Cannot be bypassed. Floor level. Always on. · LIVE
ZONE LIFECYCLE
1 · DEPLOY
2 · CONFIGURE
3 · TEST LOAD
4 · CHAOS PROOF
5 · SOLVENCY CHECK
6 · PROMOTE TO AKS
Current position: Z1-Z4 at step 3 (test load). Z5 MEROSTONE at step 2 (configure — constraints pending). Z6 MECIPOL at step 5 (solvency confirmed).