Security Policy

Security requirements for Anthesis.

This policy establishes security requirements, responsibilities, and expectations for production Anthesis data and systems.

Policy status
  1. Version: 1.0
  2. Effective: 2026-01-18
  3. Status: Active requirements baseline
  4. Classification: Public
  5. Owner: Security Team

Scope

This policy applies across Anthesis services, environments, and integrations.

Services

Phloem, Xylem, CLI, plugins, and related tooling.

Environments

Development, staging, and production environments.

People

All personnel with access to Anthesis systems.

Third parties

External integrations and dependencies are admitted explicitly.

Security principles

Anthesis is designed around governance, traceability, and safe failure.

Human sovereignty

Humans retain final authority over security decisions.

Defense in depth

Multiple layers of safeguards across the stack.

Least privilege

Access is minimized for users, services, and agents.

Traceability

Security-relevant events are logged immutably.

Security by design

Threat modeling and security gates are part of the SDLC.

Fail securely

Default to safe states when uncertainty exists.

Risk routing

Autonomy is conditional. Authority increases with consequence. Risk classification is evaluated before execution and recorded with the outcome.

Figure: Risk routing diagram showing low risk policy grants, medium risk review queues, high risk explicit approvals, and denied safe halts.

Core requirements

Baseline controls required across Anthesis systems.

Authentication

Production API access must be authenticated.

Authorization

Requests are authorized via policy controls.

Input validation

Inputs are validated and sanitized.

Secrets management

No secrets in Git or logs; rotation required.

Data protection

Production systems must protect sensitive data at rest and in transit.

Monitoring

Production security events must be detected and alerted.

Secure SDLC

Security testing and reviews are mandatory.

Incident response

Follow the incident response playbook for all events.

Third-party risk

External tools are admitted and scoped explicitly.

Roles and responsibilities

Clear ownership ensures accountability across security activities.

Security team

Owns policy, leads incident response, audits compliance.

Engineering

Implements controls and follows secure coding guidance.

DevOps

Maintains secure infrastructure and monitoring.

Management

Approves policy changes and resources.

Compliance and review

Reviewed annually or after P0/P1 incidents.

Alignment

Security work should align with CSSLP practices, OWASP Top 10, and applicable controls.

Review cadence

Annual review or post-incident update.

Report a security issue

We welcome responsible disclosure from security researchers.

Security.txt

See /.well-known/security.txt for disclosure details.