[{"data":1,"prerenderedAt":443},["ShallowReactive",2],{"navigation":3,"\u002Fsecurity\u002Fcompliance":89,"\u002Fsecurity\u002Fcompliance-surround":438},[4,40,63,76],{"title":5,"path":6,"stem":7,"children":8,"icon":39},"Getting Started","\u002Fgetting-started","1.getting-started\u002F1.index",[9,11,15,19,23,27,31,35],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Quick Start: Service Provider","\u002Fgetting-started\u002Fquickstart-sp","1.getting-started\u002F2.quickstart-sp",{"title":16,"path":17,"stem":18},"Quick Start: Identity Provider","\u002Fgetting-started\u002Fquickstart-idp","1.getting-started\u002F3.quickstart-idp",{"title":20,"path":21,"stem":22},"Quick Start: Agent","\u002Fgetting-started\u002Fquickstart-agent","1.getting-started\u002F4.quickstart-agent",{"title":24,"path":25,"stem":26},"Quick Start","\u002Fgetting-started\u002Finstallation","1.getting-started\u002F5.installation",{"title":28,"path":29,"stem":30},"How It Works","\u002Fgetting-started\u002Fhow-it-works","1.getting-started\u002F6.how-it-works",{"title":32,"path":33,"stem":34},"For Service Providers","\u002Fgetting-started\u002Ffor-service-providers","1.getting-started\u002F7.for-service-providers",{"title":36,"path":37,"stem":38},"CLI (apes & ape-shell)","\u002Fgetting-started\u002Fcli","1.getting-started\u002F8.cli",false,{"title":41,"path":42,"stem":43,"children":44,"icon":39},"Ecosystem","\u002Fecosystem","2.ecosystem\u002F1.index",[45,47,51,55,59],{"title":46,"path":42,"stem":43},"Overview",{"title":48,"path":49,"stem":50},"OpenApe Auth","\u002Fecosystem\u002Fauth","2.ecosystem\u002F2.auth",{"title":52,"path":53,"stem":54},"OpenApe 
Grants","\u002Fecosystem\u002Fgrants","2.ecosystem\u002F3.grants",{"title":56,"path":57,"stem":58},"nuxt-auth-sp","\u002Fecosystem\u002Fnuxt-auth-sp","2.ecosystem\u002F4.nuxt-auth-sp",{"title":60,"path":61,"stem":62},"escapes","\u002Fecosystem\u002Fescapes","2.ecosystem\u002F5.escapes",{"title":64,"icon":39,"path":65,"stem":66,"children":67,"page":39},"Security","\u002Fsecurity","3.security",[68,72],{"title":69,"path":70,"stem":71},"Compliance","\u002Fsecurity\u002Fcompliance","3.security\u002F1.compliance",{"title":73,"path":74,"stem":75},"Threat Model","\u002Fsecurity\u002Fthreat-model","3.security\u002F2.threat-model",{"title":77,"icon":39,"path":78,"stem":79,"children":80,"page":39},"Guides","\u002Fguides","4.guides",[81,85],{"title":82,"path":83,"stem":84},"Capabilities & Grants","\u002Fguides\u002Fcapabilities","4.guides\u002F1.capabilities",{"title":86,"path":87,"stem":88},"Delegation","\u002Fguides\u002Fdelegation","4.guides\u002F2.delegation",{"id":90,"title":69,"body":91,"description":431,"extension":432,"links":433,"meta":434,"navigation":435,"path":70,"seo":436,"stem":71,"__hash__":437},"docs\u002F3.security\u002F1.compliance.md",{"type":92,"value":93,"toc":420},"minimark",[94,98,102,107,115,131,135,173,177,180,255,259,262,267,292,298,302,305,365,372,376,379],[95,96,69],"h1",{"id":97},"compliance",[99,100,101],"p",{},"OpenApe is regulation-ready by design. One architecture satisfies both sides of the Atlantic.",[103,104,106],"h2",{"id":105},"eu-nis2-directive-20222555","EU: NIS2 (Directive 2022\u002F2555)",[99,108,109,110,114],{},"NIS2 requires ",[111,112,113],"strong",{},"strong authentication"," for critical systems. 
OpenApe delivers this without opt-in:",[116,117,118,125,128],"ul",{},[119,120,121,124],"li",{},[111,122,123],{},"Passkeys"," fulfill the strong authentication requirement (possession + biometrics\u002FPIN)",[119,126,127],{},"No extra MFA step — it's built into the login flow",[119,129,130],{},"Agent authentication via Ed25519 challenge-response meets M2M standards for critical infrastructure",[103,132,134],{"id":133},"usa-nist-csf-20-executive-order-14028","USA: NIST CSF 2.0 & Executive Order 14028",[116,136,137,143,149,155],{},[119,138,139,142],{},[111,140,141],{},"NIST Cybersecurity Framework 2.0"," — Passkeys + asymmetric auth satisfy Identity & Access Management controls",[119,144,145,148],{},[111,146,147],{},"Executive Order 14028"," — requires MFA and Zero Trust for federal agencies and their suppliers",[119,150,151,154],{},[111,152,153],{},"SEC Cyber Rules"," (2023) — incident reporting aided by clean audit trails (human\u002Fagent separation)",[119,156,157,160,161,165,166,165,169,172],{},[111,158,159],{},"CMMC 2.0"," — tiered security levels naturally mapped by the grant system (",[162,163,164],"code",{},"once","\u002F",[162,167,168],{},"timed",[162,170,171],{},"always",")",[103,174,176],{"id":175},"why-passkeys-only","Why Passkeys-Only?",[99,178,179],{},"Passwords are explicitly prohibited in the DDISA spec. 
Here's what this eliminates:",[181,182,183,199],"table",{},[184,185,186],"thead",{},[187,188,189,193,196],"tr",{},[190,191,192],"th",{},"Attack Vector",[190,194,195],{},"With Passwords",[190,197,198],{},"With Passkeys",[200,201,202,214,225,235,246],"tbody",{},[187,203,204,208,211],{},[205,206,207],"td",{},"Phishing redirect",[205,209,210],{},"⚠️ Main risk",[205,212,213],{},"✅ Eliminated (origin-bound)",[187,215,216,219,222],{},[205,217,218],{},"Credential theft",[205,220,221],{},"⚠️ Possible",[205,223,224],{},"✅ Eliminated (nothing to steal)",[187,226,227,230,232],{},[205,228,229],{},"Man-in-the-Middle",[205,231,221],{},[205,233,234],{},"✅ Eliminated (challenge-response)",[187,236,237,240,243],{},[205,238,239],{},"Credential stuffing",[205,241,242],{},"⚠️ Common",[205,244,245],{},"✅ Eliminated (no passwords)",[187,247,248,251,253],{},[205,249,250],{},"Brute force",[205,252,221],{},[205,254,245],{},[103,256,258],{"id":257},"compromised-sp-analysis","Compromised SP Analysis",[99,260,261],{},"What can a compromised Service Provider actually do?",[99,263,264],{},[111,265,266],{},"With Passkeys (current):",[116,268,269,272,275,282,289],{},[119,270,271],{},"✅ Cannot steal credentials (phishing-proof)",[119,273,274],{},"✅ Cannot impersonate users at the IdP",[119,276,277,278,281],{},"✅ Cannot use assertions for other SPs (",[162,279,280],{},"aud"," binding)",[119,283,284,285,288],{},"⚠️ Can see claims (email, ",[162,286,287],{},"act",") of users who log in — accepted, unclosable surface",[119,290,291],{},"⚠️ Can hijack sessions on its own service",[99,293,294,297],{},[111,295,296],{},"Toward the IdP and other SPs, a compromised SP becomes a passive observer, not an active attacker."," It can still hijack sessions on its own service, as listed above, but this remains a fundamental security improvement over password-based systems.",[103,299,301],{"id":300},"agent-authentication-nis2","Agent Authentication & NIS2",[99,303,304],{},"Agents authenticate via Ed25519 challenge-response, not passwords or 
passkeys:",[181,306,307,319],{},[184,308,309],{},[187,310,311,313,316],{},[190,312],{},[190,314,315],{},"Human (Passkey)",[190,317,318],{},"Agent (Ed25519)",[200,320,321,332,343,354],{},[187,322,323,326,329],{},[205,324,325],{},"Factor 1",[205,327,328],{},"Possession (device)",[205,330,331],{},"Possession (private key)",[187,333,334,337,340],{},[205,335,336],{},"Factor 2",[205,338,339],{},"Biometrics\u002FPIN",[205,341,342],{},"N\u002FA — agents don't have fingers",[187,344,345,348,351],{},[205,346,347],{},"Phishing risk",[205,349,350],{},"Eliminated (origin-bound)",[205,352,353],{},"N\u002FA (no browser)",[187,355,356,359,362],{},[205,357,358],{},"Replay protection",[205,360,361],{},"WebAuthn challenge",[205,363,364],{},"One-time challenge",[99,366,367,368,371],{},"NIS2 requires strong auth for ",[111,369,370],{},"humans",". For M2M, asymmetric challenge-response is the gold standard.",[103,373,375],{"id":374},"audit-trail","Audit Trail",[99,377,378],{},"Every action is traceable:",[116,380,381,398,414],{},[119,382,383,386,387,390,391,393,394,397],{},[111,384,385],{},"AuthN-JWT"," — ",[162,388,389],{},"sub"," (who), ",[162,392,287],{}," (human\u002Fagent), ",[162,395,396],{},"iss"," (which IdP)",[119,399,400,386,403,406,407,410,411],{},[111,401,402],{},"AuthZ-JWT",[162,404,405],{},"decided_by"," (who approved), ",[162,408,409],{},"permissions",", ",[162,412,413],{},"cmd_hash",[119,415,416,419],{},[111,417,418],{},"escapes audit log"," — JSONL with command, grant ID, timestamp, result",{"title":421,"searchDepth":422,"depth":423,"links":424},"",1,2,[425,426,427,428,429,430],{"id":105,"depth":423,"text":106},{"id":133,"depth":423,"text":134},{"id":175,"depth":423,"text":176},{"id":257,"depth":423,"text":258},{"id":300,"depth":423,"text":301},{"id":374,"depth":423,"text":375},"NIS2, NIST CSF 2.0, and regulatory 
compliance.","md",null,{},true,{"title":69,"description":431},"yvkIwASAQGUJxxkkE0sxneyJpPmdz2YsFgbSJfPiwo0",[439,441],{"title":60,"path":61,"stem":62,"description":440,"children":-1},"Privilege escalation with grant verification.",{"title":73,"path":74,"stem":75,"description":442,"children":-1},"Security analysis and design decisions.",1776885316420]