Security Hardening

Network and exposure

  • Keep /v1/decision internal-only (no public internet exposure)
  • Restrict inbound callers to trusted gateways
  • Restrict outbound egress to required SaaS endpoints only

Secrets and credentials

  • Store FAIRVISOR_EDGE_TOKEN in a secret manager or a Kubernetes Secret
  • Rotate tokens regularly and after incidents
  • Never log or commit secret values

Request trust boundaries

  • Trust X-Original-* headers only when they come from the gateway boundary
  • Do not trust client-supplied identity headers directly
  • Normalize and validate forwarded headers consistently
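
The three rules above can be enforced in one place. The Python sketch below is an added example, not Fairvisor's own code. The gateway subnet, the two X-Original-* header names and their validation patterns are assumptions made for illustration.

```python
import ipaddress
import re

TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed gateway subnet
PREFIX = "x-original-"
VALIDATORS = {  # hypothetical header names and formats, not taken from the page
    "x-original-method": re.compile(r"GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS"),
    "x-original-uri": re.compile(r"/[\x21-\x7e]{0,2047}"),
}


def from_gateway(peer_ip):
    """True only if the directly connected peer is in a trusted gateway network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparseable peer address: fail closed
    return any(addr in net for net in TRUSTED_GATEWAYS)


def sanitize_headers(peer_ip, raw_headers):
    """Return (clean, rejected) for a list of (name, value) header pairs."""
    trusted = from_gateway(peer_ip)
    clean, rejected, seen = {}, [], set()
    for name, value in raw_headers:
        key, value = name.strip().lower(), value.strip()
        canon = key.replace("_", "-")  # x_original_uri must not bypass the prefix check
        if not canon.startswith(PREFIX):
            clean.setdefault(key, value)
            continue
        pattern = VALIDATORS.get(canon)
        reason = None
        if not trusted:
            reason = "untrusted peer"
        elif canon in seen:
            reason = "duplicate"
            clean.pop(canon, None)  # fail closed: drop the first copy too
        elif pattern is None or not pattern.fullmatch(value):
            reason = "invalid"
        else:
            clean[canon] = value
        seen.add(canon)
        if reason:
            rejected.append((canon, reason))
    return clean, rejected


if __name__ == "__main__":  # constructed input: a direct client sending the header
    print(sanitize_headers("203.0.113.9", [("X-Original-URI", "/admin")]))
```

The rejected list is worth logging by header name and reason only, since the values may carry caller-supplied data.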

Runtime hardening

  • Pin image tags and roll out via controlled promotion
  • Run with minimal privileges in the container runtime
  • Keep a fallback known-good bundle ready for emergency rollback

Monitoring and audit

  • Alert on no_bundle_loaded, SaaS disconnects, and reject spikes
  • Retain decision/reason telemetry for incident investigation