Security Model
The RickyData platform runs on AMD SEV-SNP Confidential VMs with 10 defense-in-depth layers. Every security claim is independently verifiable — you never need to trust the gateway itself.
Live verification: rickydata.org/security — interactive page that calls real gateway endpoints and shows raw proof payloads.
Defense-in-depth layers
| Layer | Technology | What it protects |
|---|---|---|
| 1. Hardware | AMD SEV-SNP | Memory encryption — hypervisor cannot read VM RAM |
| 2. Code identity | SHA-256 hash pinning | Proves exactly which code version is running |
| 3. Build provenance | Signed CI/CD metadata | Links deployed image to specific GitHub commit |
| 4. Secrets | vTPM PCR-bound keys | Platform secrets sealed to hardware |
| 5. Wallet isolation | AES-256-GCM + HKDF | Each user's secrets encrypted with wallet-derived keys |
| 6. Authentication | Wallet tokens + ES256 | Cryptographic proof of wallet ownership |
| 7. Sandbox | Rust sandboxd + Docker + gVisor | MCP servers run in isolated per-session containers |
| 8. Payments | x402 conditional settlement | Charge only on success, EIP-712 signed |
| 9. Output protection | Secret redaction | Secrets never appear in logs or responses |
| 10. Release guard | Attestation-gated | Secrets blocked if attestation is degraded |
Trust chain layers
Both gateways run inside AMD SEV-SNP Confidential VMs on Google Cloud:
- All VM memory is encrypted — the cloud hypervisor cannot read it
- Memory tampering is detected by the CPU
- Attestation reports are signed by a key burned into the AMD chip at the factory
# Verify AMD attestation
curl -s https://mcp.rickydata.org/api/attestation/report > report.json
curl -s https://kdsintf.amd.com/vlek/v1/Milan/cert_chain -o amd_chain.pem
jq -r '.certificates.vcek' report.json > vcek.pem
openssl verify -CAfile amd_chain.pem vcek.pem
# Expected: vcek.pem: OK
Trust chain visualization
AMD Factory (Root of Trust)
|
v
VCEK Certificate (burned into CPU chip)
|
v
AMD SEV-SNP Attestation Report
| (signs REPORT_DATA containing code hash + JWKS key hash)
v
Gateway Code Hash (SHA-256 over dist/**/*.js)
| - matches PUBLISHED_CODE_HASH from CI/CD
| - embedded in every execution proof
v
Build Provenance (GitHub Actions + attestation bundle)
v
Rust Trust Plane (sandboxd + trust-plane helper hashes)
| - sandbox lifecycle, secret-release posture, proof canonicalization
v
vTPM PCR-Bound Secrets (sha256:0,1,2,3,4,5,7)
| handle 0x81000099, only this TEE can unseal
v
Per-Wallet Encrypted Vault (AES-256-GCM + HKDF)
v
Execution Proof Signatures (Ed25519 / HMAC-SHA256)
v
Verified Tool Call Result
Quick verification commands
# Full TEE status
curl -s https://mcp.rickydata.org/api/attestation | jq '{teeEnabled, platform}'
# Agent Gateway security posture
curl -s https://agents.rickydata.org/health | jq '.securityPosture'
# Cross-gateway trust
curl -s https://mcp.rickydata.org/health | jq '.crossGatewayTrust'
# Build provenance + trust-plane helper hashes
curl -s https://mcp.rickydata.org/api/attestation/provenance | \
jq '{source, image, securityKernel, trustPlane}'
# Offline verification
curl -s https://mcp.rickydata.org/api/attestation/bundle | \
jq -r '.offlineVerification.script' > verify.sh && bash verify.sh
Next steps
- Architecture Overview — system topology
- MCP Gateway — gateway internals
- Agent Gateway — agent runtime