{
  "id": "server_baseline_hardening",
  "label": "Server Baseline Hardening Canonical",
  "phase": "phase-12",
  "category": "bootstrap_security_runtime_installation",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Server Baseline Hardening Canonical is the Phase 12 authority that defines the minimum defensive state a newly provisioned YEFF AI v1 server must reach before secure access, firewall exposure, encrypted storage, database initialization or runtime container installation can be evaluated.",
  "function": "Convert a raw provider server into a governed security floor by requiring target identity, hardening plan, approval boundary, package posture, service exposure discipline, permission baseline, evidence capture and rollback-aware validation before the server is allowed to become a YEFF AI runtime candidate.",
  "technology_requirements": [
    {
      "technology": "Server Baseline Hardening",
      "required_for": "Server Baseline Hardening Canonical is the Phase 12 authority that defines the minimum defensive state a newly provisioned YEFF AI v1 server must reach before secure access, firewall exposure, encrypted storage, database initialization or runtime container installation can be evaluated.",
      "required_by_phase": "phase-12",
      "required_by_category": "server_baseline_hardening",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until Server Baseline Hardening is implemented and validated in the future Execution & Monitoring Panel",
      "validation_command": "MISSING until server_baseline_hardening can prove scope, evidence, execution state and promotion decision",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/server_baseline_hardening.json",
      "status_source": "Documentation Hub + future Execution & Monitoring Panel",
      "blocking_if_missing": true,
      "failure_impact": "This means every downstream category depends on this baseline being binary. SSH posture, firewall exposure, encrypted storage, database initialization, container runtime, server registration and installation validation must not inherit a host that only appears reachable. MISSING means the hardening evidence does not exist. FAIL means the server contradicts the declared security floor. PASS means the minimum host posture is materially proven."
    }
  ],
  "depends_on": [],
  "used_by": [],
  "overview": {
    "summary": "Server Baseline Hardening Canonical is the Phase 12 authority that defines the minimum defensive state a newly provisioned YEFF AI v1 server must reach before secure access, firewall exposure, encrypted storage, database initialization or runtime container installation can be evaluated.",
    "function": "FUNCTION: Convert a raw provider server into a governed security floor by requiring target identity, hardening plan, approval boundary, package posture, service exposure discipline, permission baseline, evidence capture and rollback-aware validation before the server is allowed to become a YEFF AI runtime candidate.",
    "system_position": "Inside Documentation Hub, this category is the first material security gate after the provisioning request enters Phase 12. It does not install YEFF AI, does not configure the product and does not claim runtime readiness. It decides whether the host is safe enough to receive the next security and runtime gates without contaminating the project with an untrusted server baseline. Operationally, Server Baseline Hardening protects the autonomy model of YEFF AI v1. The IA may structure the hardening action, identify the server risk and prepare the controlled execution path, but the mutation must remain approval-bound, evidence-backed and recoverable. Autonomy here means the system can organize the action and request approval; it does not mean silent uncontrolled execution.",
    "failure_impact": "This means every downstream category depends on this baseline being binary. SSH posture, firewall exposure, encrypted storage, database initialization, container runtime, server registration and installation validation must not inherit a host that only appears reachable. MISSING means the hardening evidence does not exist. FAIL means the server contradicts the declared security floor. PASS means the minimum host posture is materially proven."
  },
  "failure_impact": "This means every downstream category depends on this baseline being binary. SSH posture, firewall exposure, encrypted storage, database initialization, container runtime, server registration and installation validation must not inherit a host that only appears reachable. MISSING means the hardening evidence does not exist. FAIL means the server contradicts the declared security floor. PASS means the minimum host posture is materially proven."
}
