This repository implements the Secure Runtime layer of the ThreadForge platform.
ThreadForge is an identity-first runtime architecture for securely executing distributed services and AI agents using workload identity and policy-driven communication boundaries.
Platform architecture reference: https://github.com/computeaholic/threadforge-reference-architecture
Identity-Gated Durable Runtime (Minimal Stack)
The Secure Runtime layer provides an authenticated service runtime where workloads communicate using verified workload identity.
This layer assumes the presence of a SPIFFE/SPIRE identity plane and enforces identity-aware service communication, forming the runtime trust layer used by higher-level containment policies.
- SPIFFE/SPIRE-based identity-gated API runtime
- Durable authority ledger backed by PostgreSQL
- Prometheus metrics exposure
- Minimal Kubernetes deployment via Kustomize
- Digest-enforced image policy compatibility
This repository does NOT include:
- Vector databases
- ClickHouse or analytics pipelines
- Grafana, Loki, Tempo, or tracing stacks
- AI/ML model logic
- Containment/redteam harness
- Cluster provisioning logic
- Helm charts
- Development/demo tooling
- Kubernetes 1.26+
- ValidatingAdmissionPolicy enabled
- SPIRE-based identity plane present (or installed via substrate)
- PostgreSQL PVC available (provided by this repo)
- Cluster-admin permissions for installation
make install
make validateIntended Use
This repository demonstrates a minimal production-grade runtime secured by workload identity and backed by a durable authority ledger.
It represents the Secure Runtime layer of the ThreadForge architecture and is intended as:
a consulting-grade reference for identity-gated service architecture
a composable runtime layer deployed on top of the ThreadForge Fabric and Identity Surface layers