Local-first processing
Scan, policy evaluation, and evidence storage default to the macOS endpoint.
Architecture-level security and privacy controls for enterprise review. Extends the Trust Center with threat model, cryptography, access control, and known limitations. Pilot-ready — not Enterprise GA.
Scan, policy evaluation, and evidence storage default to the macOS endpoint.
Provider, storage type, and fingerprint — never raw API keys or tokens.
localRawEvidence never uploads; sharedOrgEvidence is signed and allowlisted.
Missing data is explicit — no silent pass or implicit fallback.
Hash-chain journal with encrypted journal payloads; Ed25519 signed exports. Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release.
Keychain and sensitive sources require machine-verifiable approval.
Two-tier model: macOS endpoint (Tier 1) and org governance plane (Tier 2). Policy evaluation stays on the endpoint. Automated upload path carries sharedOrgEvidence only — signed, allowlisted, tenant-scoped. localRawEvidence (SQLite, full reports, journal bodies) never transits the upload API.
MDM delivers install and org-policy overlay in parallel — BeProof does not replace MDM, EDR, or SIEM.
| Threat | Primary mitigation |
|---|---|
| Secret exfiltration via cloud | Metadata-only upstream; ingestion denylist rejects raw secrets and DB paths |
| Forged fleet summary | Ed25519 signature verified against enrolled device key registry |
| Tampered local evidence | Append-only hash chain — verify-journal detects seq and hash breaks |
| Cross-tenant admin access | tenantId scope + RBAC on API and UI; integration tests deny cross-tenant reads |
| Tampered release artifact | Signed, notarized DMG + verify-install + published SBOM/provenance |
| Keychain scan without approval | Consent ledger (POL-G02) in addition to TCC/PPPC where applicable |
| Domain | Algorithm | Scope | Key material |
|---|---|---|---|
| Journal at rest | AES-256-GCM (aes-256-gcm-v1) | evidence_journal.payload_json | Keychain per database path |
| Export / fleet signing | Ed25519 (ed25519-v1) | Export manifests and FleetSummaryPayload | Keychain export-signing |
| Transport | TLS 1.2+ | Endpoint API, admin UI, cloud connectors | Platform / HTTPS |
| Cloud SQL | GCP platform encryption | Tenant governance metadata | Google-managed (pilot) |
Journal payloads are encrypted; inventory tables are metadata-only but not encrypted in the current release.
Four non-interchangeable commands. GRC recipients without the Mac use verify-export-manifest. Auditors on the scanning endpoint add verify-journal.
| Command | Proves | Local DB |
|---|---|---|
beproof verify-journal | Hash chain, seq continuity, journal encryption status | Yes |
beproof verify-export | Signature + manifest + journal linkage | Yes (linkage) |
beproof verify-export-manifest | Artifact SHA256, manifest hash, Ed25519 signature | No |
beproof verify-install | App signature, notarization, provenance/SBOM | No |
Firebase email/password (pilot). Roles: org_admin, security_analyst, fleet_admin, auditor_readonly. SAML/OIDC enterprise IdP — post-GA.
One-time admin-issued tokens. Device JWT at enroll, bound to tenant. Personal mode cannot fleet-enroll.
Overall control status: Partial — public pipeline is shipped; enterprise release controls remain on the Enterprise GA roadmap.
Fleet-wide verify-install attestation in control plane, tenant-private or air-gapped artifact mirror, org-enforced minimum release version policy, and automated MDM promotion workflow — manual MDM runbooks today.
Security review should explicitly accept these residual risks: