{
  "id": "firewall_network_exposure",
  "label": "Firewall & Network Exposure Canonical",
  "phase": "phase-12",
  "category": "bootstrap_security_runtime_installation",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Firewall & Network Exposure Canonical is the Phase 12 authority that decides what the YEFF AI v1 server is allowed to expose to networks after governed access exists.",
  "function": "Convert live port behavior into a narrow exposure contract with allowed services, denied services, source scope, persistence, scanner evidence and blocker rules before storage, database or runtime work can proceed safely.",
  "technology_requirements": [
    {
      "technology": "Firewall & Network Exposure",
      "required_for": "Firewall & Network Exposure Canonical is the Phase 12 authority that decides what the YEFF AI v1 server is allowed to expose to networks after governed access exists.",
      "required_by_phase": "phase-12",
      "required_by_category": "firewall_network_exposure",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until Firewall & Network Exposure is implemented and validated in the future Execution & Monitoring Panel",
      "validation_command": "MISSING until firewall_network_exposure can prove scope, evidence, execution state and promotion decision",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/firewall_network_exposure.json",
      "status_source": "Documentation Hub + future Execution & Monitoring Panel",
      "blocking_if_missing": true,
      "failure_impact": "If this gate fails, YEFF AI v1 can be built on a host that looks ready from inside the shell but is already presenting unnecessary attack surface to the outside world."
    }
  ],
  "depends_on": [],
  "used_by": [],
  "overview": {
    "summary": "Firewall & Network Exposure Canonical is the Phase 12 authority that decides what the YEFF AI v1 server is allowed to expose to networks after governed access exists.",
    "function": "FUNCTION: Convert live port behavior into a narrow exposure contract with allowed services, denied services, source scope, persistence, scanner evidence and blocker rules before storage, database or runtime work can proceed safely.",
    "system_position": "This category owns network surface, not SSH custody and not application deployment. Its job is to keep the server reachable only in the ways the installation path can justify right now. The exclusive failure it prevents is premature exposure. A server can be hardened and accessible while still being unsafe because database ports, runtime ports or provider defaults are open too early.",
    "failure_impact": "If this gate fails, YEFF AI v1 can be built on a host that looks ready from inside the shell but is already presenting unnecessary attack surface to the outside world."
  },
  "failure_impact": "If this gate fails, YEFF AI v1 can be built on a host that looks ready from inside the shell but is already presenting unnecessary attack surface to the outside world."
}
