Trust & security

Security is architecture, not a slide. Here is how we describe Bastion's controls at a high level, what we do not claim, and how to report issues responsibly.

Rethunk.Tech builds Bastion and Rethunk.AI for organizations that need an evidence path from operator intent to edge behavior - not a black box that happens to log sometimes. This page summarizes how we talk about those controls publicly; it is not a substitute for your own risk assessment or contract terms.

Security themes (high level)

Chain of command on the wire: Bastion does not command theatres directly; edge hosts mediate through the gRPC control plane and TheatreManager COCOM, as shown on the Platform page.
PKI / mTLS: Bastion-managed CA and manager enrollment patterns are part of the edge integration story; operator runbooks and evidence packs are shared under engagement.
Attributable intent: optional directive signing, hash-chained master-intent audit sidecar, and related SATCOM telemetry - described in technical materials provided to prospects and partners, not as anonymous public repo dumps.
IRONLAW policy gate: file-backed policy on ingest, reconcile, and replay with readiness signals when policy refuses - not a claim of full automated legal omniscience.
Edge terrain bounds: structural workspace policy on the edge (L1) for theatre deployments; additional kernel-grade isolation is out of scope unless explicitly designed with you.

What we do not claim

IRONLAW is doctrine and machine-readable policy artifacts first - not a hosted enforcement service you outsource compliance to. Bastion integrates IRONLAW as an ordered gate on key paths; extending evaluation depth to every action class is engineering work we track with partners, not something we oversell on a marketing checklist. IRONLAW does not replace your legal team or your chain of command.

Reporting security issues

IRONLAW doctrine and schemas: email [email protected] with subject line "Security - IRONLAW" and we will route to the right maintainer.

Bastion application and edge behavior: contact [email protected] for coordinated disclosure. We will respond with the correct channel for your finding (implementation teams keep sources private by design).

Explore the governance doctrine

IRONLAW defines seven autonomy rules that every Bastion-governed agent must satisfy.

IRONLAW overview →

Ready to discuss your security posture?

We work with compliance, risk, and engineering teams in regulated environments.

Talk security & compliance

Was this page helpful?

Security themes (high level)

Chain of command on the wire: Bastion does not command theatres directly; edge hosts mediate through the gRPC control plane and TheatreManager COCOM, as shown on the Platform page.

PKI / mTLS: Bastion-managed CA and manager enrollment patterns are part of the edge integration story; operator runbooks and evidence packs are shared under engagement.

Attributable intent: optional directive signing, hash-chained master-intent audit sidecar, and related SATCOM telemetry - described in technical materials provided to prospects and partners, not as anonymous public repo dumps.

IRONLAW policy gate: file-backed policy on ingest, reconcile, and replay with readiness signals when policy refuses - not a claim of full automated legal omniscience.

Edge terrain bounds: structural workspace policy on the edge (L1) for theatre deployments; additional kernel-grade isolation is out of scope unless explicitly designed with you.

What we do not claim

Reporting security issues

IRONLAW doctrine and schemas: email [email protected] with subject line "Security - IRONLAW" and we will route to the right maintainer.