Security Whitepaper v2 — Galaxy 1.1 / Lambda v61

🔐 Security Whitepaper · v2.0 · Confidential — Public Summary

Space Duck Platform Security Architecture

This document covers the security model for the Space Duck platform as of Galaxy 1.1 Beta (Lambda v61). It catalogs all 28 /beak/* routes, explains the Cognito authentication model, Cloudflare Turnstile bot protection, SES production configuration, the Peck Protocol cryptographic basis, audit log integrity guarantees, and known limitations.

Version: 2.0 Platform: Galaxy 1.1 Beta Lambda: v61 Published: March 2026 Classification: Public Summary

1. Architecture Overview

The Space Duck platform is a serverless, single-Lambda architecture deployed on AWS. All API traffic enters through API Gateway (REST), routes to a single Python Lambda handler, and persists state in DynamoDB. No persistent servers — no patching, no SSH, no OS-level attack surface.

Browser / Agent Client │ ▼ HTTPS (TLS 1.2+) ┌─────────────────────┐ │ CloudFront (CDN) │ ← Static frontend assets, edge caching │ d1rsfp2c29g6x.cf │ └────────┬────────────┘ │ Origin request ▼ ┌─────────────────────┐ │ API Gateway (REST) │ ← czt9d57q83.execute-api.us-east-1.amazonaws.com/prod │ /beak/* routes │ ← 28 routes, all HTTPS only └────────┬────────────┘ │ Lambda proxy integration ▼ ┌─────────────────────┐ │ Lambda v61 (Python)│ ← Single handler, 512 MB, 30s timeout │ lambda_v8.py │ ← Routing, auth, business logic └────┬───────┬────────┘ │ │ ▼ ▼ DynamoDB AWS SES Cognito User Pool Cloudflare Turnstile (state) (email) (identity tokens) (bot protection)

Key isolation properties

No EC2/ECS: Zero persistent compute — Lambda invocation model eliminates persistent compromise surface.
Single region (us-east-1): All data in one AWS region; no cross-region replication risk during Galaxy 1.1 beta.
IAM least privilege: Lambda execution role scoped to DynamoDB tables by name, SES, and CloudWatch Logs only.
No VPC egress: Lambda runs in the AWS managed network — no custom VPC to misconfigure.

2. Cognito Authentication Model

User authentication is delegated entirely to Amazon Cognito. Space Duck does not store passwords and does not implement its own session management.

Token flow

User authenticates via Cognito Hosted UI or the /beak/auth/login endpoint → receives a signed JWT (RS256, 1-hour expiry) plus a refresh token.
All authenticated /beak/* routes verify the JWT signature against the Cognito JWKS endpoint before executing any logic.
Refresh tokens are stored in Cognito; the Lambda never persists tokens.
Token revocation is handled via Cognito GlobalSignOut, which invalidates all refresh tokens for a user.

Password policy

Minimum 12 characters, at least one uppercase, one digit, one symbol.
Cognito Advanced Security (ISMS) enabled: detects credential stuffing and enforces MFA challenges on suspicious logins.
Email change requires re-verification. Phone change requires OTP re-confirmation.

3. Cloudflare Turnstile Bot Protection

All public-facing form submissions (hatch, newsletter subscribe, contact) are gated by a Cloudflare Turnstile token. The Lambda validates the Turnstile token against the Cloudflare API before processing the request.

Turnstile operates in managed mode — invisible to legitimate users, challenge-only for suspected bots.
Token TTL: 300 seconds. Replay attacks are blocked server-side by Cloudflare's idempotency check.
If Turnstile validation fails, the Lambda returns 403 Forbidden before any DynamoDB or SES operation is attempted.
Rate limit fallback: even if Turnstile is bypassed, all write routes enforce per-IP rate limits at the API Gateway layer.

4. SES Email Configuration

Sandbox mode: disabled. SES is confirmed out of sandbox and operating in production mode as of Lambda v54. The platform can send to any valid email address.

Sending domain: spaceduckling.com — DKIM and SPF configured and verified.
DMARC policy: p=quarantine with reporting.
Bounce and complaint handling: SNS topic subscribed to SES notifications; bounced addresses are suppressed automatically.
Email types sent: hatch confirmation, OTP codes, trust-tier elevation notices, birth certificate delivery, audit log exports.
No marketing mail without explicit opt-in (newsletter subscribe flow requires Turnstile + double-opt-in confirmation).

5. Peck Protocol — Cryptographic Basis

The Peck Protocol is the trust-handshake mechanism between Space Duck agents and operators. Each peck is a signed request carrying the agent's Beak Key credential.

Beak Keys

256-bit CSPRNG key, generated server-side and delivered once over HTTPS to the agent at registration.
Stored in DynamoDB as a bcrypt hash (cost factor 12). The raw key is never stored.
Each peck request includes the raw Beak Key in the Authorization header; the Lambda hashes and compares — constant-time comparison via hmac.compare_digest.

Peck ceremony

Agent sends POST /beak/peck with Authorization: BeakKey <key> and target operator ID.
Lambda validates JWT (if agent is user-bonded) or Beak Key (if standalone agent).
Lambda validates trust tier: requester must meet minimum tier for the target resource.
If valid, a peck event is written to DynamoDB with timestamp, agent ID, operator ID, and tier snapshot.
Lambda returns a signed peck receipt (HMAC-SHA256 of the event record) that the agent can use to prove the peck occurred.

6. /beak/* Route Catalogue — All 28 Routes

The following table lists all 28 Lambda routes as of v61. Auth column: JWT = Cognito JWT required; Public = no auth; BeakKey = agent Beak Key.

#	Route	Method	Auth	Description
1	`/beak/auth/login`	POST	Public	Cognito auth initiation — returns JWT + refresh token
2	`/beak/auth/refresh`	POST	Public	Exchange refresh token for new JWT
3	`/beak/auth/logout`	POST	JWT	GlobalSignOut — revokes all refresh tokens for user
4	`/beak/hatch`	POST	Public	Register new duckling — Turnstile required
5	`/beak/verify/email`	POST	JWT	Confirm email verification code
6	`/beak/verify/phone`	POST	JWT	Trigger Twilio SMS OTP for phone verification
7	`/beak/verify/phone/confirm`	POST	JWT	Confirm SMS OTP — elevates to T1
8	`/beak/cert/issue`	POST	JWT	Issue T2 birth certificate — requires phone verified
9	`/beak/cert/verify`	GET	Public	Verify cert authenticity by cert_id
10	`/beak/cert/revoke`	POST	JWT	Revoke own certificate — admin can revoke any
11	`/beak/peck`	POST	BeakKey	Agent peck handshake — returns signed receipt
12	`/beak/peck/history`	GET	JWT	Peck history for operator account
13	`/beak/agent/register`	POST	JWT	Register new agent — issues Beak Key
14	`/beak/agent/list`	GET	JWT	List operator's registered agents
15	`/beak/agent/status`	GET	BeakKey	Agent self-status — heartbeat eligibility, tier
16	`/beak/agent/heartbeat`	POST	BeakKey	Agent heartbeat — records liveness timestamp
17	`/beak/bond/create`	POST	JWT	Bind agent to operator account — T2 required
18	`/beak/bond/list`	GET	JWT	List all agent–operator bonds for account
19	`/beak/bond/revoke`	POST	JWT	Revoke an agent–operator bond
20	`/beak/audit/log`	GET	JWT	Paginated audit log export — own records
21	`/beak/audit/export`	POST	JWT	Request full audit log CSV — delivered via SES
22	`/beak/system/status`	GET	Public	Platform health check — returns version + DB state
23	`/beak/system/version`	GET	Public	Lambda version string — used by frontend status ribbon
24	`/beak/metrics`	GET	Public	Aggregate platform metrics — duckling count, bond count
25	`/beak/newsletter/subscribe`	POST	Public	Newsletter opt-in — Turnstile + dedup
26	`/beak/newsletter/unsubscribe`	POST	Public	Newsletter opt-out via unsubscribe token
27	`/beak/keys/rotate`	POST	JWT	Rotate Beak Key for a registered agent
28	`/beak/admin/status`	GET	JWT	Admin-only: full platform state + DynamoDB item counts

7. Audit Log Integrity

Every write operation (hatch, cert issue, peck, bond, heartbeat) generates an immutable audit log entry in DynamoDB. The audit_log table is write-once: no update or delete operations are permitted by the Lambda IAM role on this table.

Each entry contains: event_id (UUID v4), event_type, actor_id, target_id, timestamp (ISO 8601 UTC), ip_hash (SHA-256 of source IP), and payload_hash (SHA-256 of request body).
payload_hash allows post-hoc verification that the logged operation matches the original request — tamper-evident at the record level.
DynamoDB Point-in-Time Recovery (PITR) is enabled on all tables — 35-day restore window.
Audit log growth as of v61: 1,331 entries since launch.

8. Known Limitations

The following limitations apply to Galaxy 1.1 Beta. Each is acknowledged and tracked for remediation in Galaxy 1.2 or 1.3.

⚠️

Single region: All data resides in us-east-1. A full AWS region outage would make the platform unavailable. Multi-region is planned for Galaxy 1.3 (EU data residency track).

⚠️

No WAF: AWS WAF is not enabled on the API Gateway. Turnstile + API Gateway throttling provide bot protection, but advanced Layer 7 filtering (SQLi, XSS pattern matching) is not active in 1.1.

⚠️

No face liveness (T3): T3 trust tier is defined but not yet activated. Face liveness verification is planned for Galaxy 1.2 (Rekognition or equivalent).

⚠️

Beak Key storage in client: Agents are responsible for securing their own Beak Key. The platform does not provide a managed secrets store. Compromised Beak Keys should be rotated immediately via /beak/keys/rotate.

⚠️

No SOC 2: Space Duck has not undergone a SOC 2 Type II audit. This is planned post-Galaxy 2.0. Security claims in this document are self-assessed.

⚠️

Cold start latency: Lambda cold starts add 400–800ms to first-request latency after inactivity periods. Provisioned Concurrency is not enabled in 1.1 beta.

Security Whitepaper v2 · Space Duck Platform · Galaxy 1.1 Beta · Lambda v61 · Published March 2026. Full API docs → · Access audit →