{
  "canon_meta": {
    "canon_id": "devon-host-security-canonical",
    "version": "2.0.0",
    "status": "PLANNED",
    "domain": "host_security",
    "master_authority": "master_architecture_index.md",
    "preserve_original_content": true,
    "canonical_layer_key": "trust_layer",
    "phase_origin": [
      "phase-08"
    ],
    "installation_order": 15,
    "primary_stage": "foundations_security"
  },
  "objective": "Define the canonical host hardening baseline for Devon.",
  "scope": [
    "ssh_policy",
    "firewall_policy",
    "sudo_policy",
    "patch_baseline",
    "filesystem_permissions",
    "audit_logging"
  ],
  "evidence_model": [
    "host_access_mode",
    "ssh_key_only_access",
    "ufw_or_equivalent_policy",
    "privilege_boundary",
    "patch_policy",
    "audit_log_sink"
  ],
  "approval_gate": [
    "baseline_defined",
    "controls_reviewed",
    "host_policy_approved"
  ],
  "governance_reference": {
    "master_authority": "master_architecture_index.md",
    "primary_axis": "canonical_layer",
    "secondary_axis": "deployment_order",
    "preserve_phase_registry": true,
    "preserve_original_content": true
  },
  "canonical_layer_key": "trust_layer",
  "phase_origin": [
    "phase-08"
  ],
  "installation_order": 15,
  "primary_stage": "foundations_security",
  "security_governance_extensions": {
    "canonical_position": {
      "canonical_layer_key": "trust_layer",
      "phase_origin": [
        "phase-08"
      ],
      "installation_order": 15
    },
    "security_stage_group": "foundations_security"
  },
  "status": "ACTIVE",
  "runtime_evidence_sources": [
    "host_runtime.json:host_snapshot.security.ufw",
    "host_runtime.json:host_snapshot.security.fail2ban",
    "host_runtime.json:host_snapshot.security.ssh_hardening"
  ],
  "observed_controls": [
    "ufw_active",
    "ssh_rule_present",
    "fail2ban_sshd_enabled",
    "ssh_root_key_only",
    "ssh_password_auth_disabled",
    "ssh_x11_forwarding_disabled",
    "ssh_tcp_forwarding_disabled"
  ]
}
