🔒 TUCE v28.11 — Secret Enclave / High-Trust Control Tower
Attestation-gated leases • Dual control • Break-glass • Broker + TTQI ticket minting
Trust Rails
Reference-only by default
Step-up MFA
Dual control
Attestation required
Driving-safe deny
JIT lease ≤180s
Ticket Types
TAC broker execution ticket
TTQI private-vault connector ticket
Break-glass emergency ticket (15 min TTL)
Secret rotation plan
Live Status
Secret Broker
Enclave Attestation
JIT Lease Manager
Dual Control Gate
Break-Glass (armed)
Operations
Operation
Evaluate Secret Release
Mint Broker Execution Ticket
Mint Broker Ticket (Full)
Mint TTQI Connector Ticket
Get Rotation Plan
Break-Glass Request
Secret Class
broker_api_key
wallet_signing_key_ref
ttqi_connector_cred
oidc_client_secret
webhook_hmac_secret
tailscale_auth_key
stt_api_key
tts_api_key
Subject / User
Operation Class
reference_only
live_execution
rotation
destroy
break_glass_read
break_glass_write
Device Trust Level (0-100)
Mode
desktop
mobile
driving_safe
admin
research
Reason (required), e.g. "Emergency: execution bridge down, manual restart required"
Requested Scope
read_only
read_write
full_admin
Approver 1
Approver 2
Result (JSON decision)
Issued Ticket fields: ID, Type, TTL, Trust, Signature (partial)
Release Path
Voice/Text request
→ TUCE identity + device trust
→ Governance policy check
→ Secret broker evaluation
→ Enclave attestation
→ JIT lease / capability ticket
→ TAC or TTQI downstream
→ Audit + observability
Recommended Defaults
Never inject plaintext secrets into prompts or browser state.
Use reference-only tickets for TAC and TTQI by default.
Require attestation for live execution ticket minting.
Use dual control for rotation, destroy, break-glass write.
Expire live execution leases in ≤180 seconds.
Bundle forensic export for every break-glass event.
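The trust rails and recommended defaults above describe a policy gate but not how it composes. The following is an added illustration, not TUCE's own code: a single evaluation function that applies the rules the page states (driving-safe deny, reference-only by default, step-up MFA, attestation for live execution, dual control for rotation/destroy/break-glass write, a 180 s cap on live leases, a 15 min break-glass TTL, and a forensic-export flag on every break-glass event). The names (`evaluate_release`, `ReleaseRequest`, `Decision`) and the device-trust floor of 70 are assumptions; the page only gives the 0-100 range.

```python
"""Illustrative TUCE-style release gate. Added example, not project code.
Names and the MIN_DEVICE_TRUST floor are assumptions; the TTLs and the
dual-control operation set come from the page's stated defaults."""
from dataclasses import dataclass, field
from typing import Optional

LIVE_LEASE_MAX_S = 180            # page: "Expire live execution leases in <=180 seconds"
BREAK_GLASS_TTL_S = 15 * 60       # page: "Break-glass emergency ticket (15 min TTL)"
DUAL_CONTROL_OPS = {"rotation", "destroy", "break_glass_write"}  # page: dual control
BREAK_GLASS_OPS = {"break_glass_read", "break_glass_write"}
MIN_DEVICE_TRUST = 70             # assumption: page gives only the 0-100 scale


@dataclass
class ReleaseRequest:
    secret_class: str          # e.g. "broker_api_key", "ttqi_connector_cred"
    subject: str               # requesting user
    operation_class: str       # reference_only | live_execution | rotation | ...
    device_trust: int          # 0-100
    mode: str                  # desktop | mobile | driving_safe | admin | research
    reason: str = ""
    attested: bool = False     # enclave attestation succeeded for this session
    step_up_mfa: bool = False  # step-up MFA completed
    approvers: tuple = ()      # approver identities for dual-control operations


@dataclass
class Decision:
    allow: bool
    ticket_type: Optional[str]
    ttl_s: int
    forensic_export: bool      # bundle a forensic export with the audit record
    reasons: list = field(default_factory=list)


def _deny(why: str) -> Decision:
    return Decision(False, None, 0, False, [why])


def evaluate_release(req: ReleaseRequest) -> Decision:
    """Apply the trust rails in order; the first failing rail denies."""
    if not req.reason.strip():
        return _deny("reason is required")
    if req.mode == "driving_safe":
        return _deny("driving-safe mode: all secret operations denied")
    if not 0 <= req.device_trust <= 100:
        return _deny("device trust out of range")
    if req.device_trust < MIN_DEVICE_TRUST:
        return _deny(f"device trust {req.device_trust} below floor {MIN_DEVICE_TRUST}")

    op = req.operation_class
    # Default path: a handle the downstream (TAC/TTQI) resolves itself; no plaintext leaves.
    if op == "reference_only":
        return Decision(True, "reference_only", LIVE_LEASE_MAX_S, False,
                        ["reference-only ticket: no plaintext released"])

    # Anything beyond a reference touches secret material, so step-up MFA comes first.
    if not req.step_up_mfa:
        return _deny("step-up MFA required")

    if op == "live_execution":
        if not req.attested:
            return _deny("enclave attestation required for live execution")
        return Decision(True, "live_execution", LIVE_LEASE_MAX_S, False,
                        ["attested; JIT lease capped at 180s"])

    if op in DUAL_CONTROL_OPS:
        # Two approvers, both distinct from the requester and from each other.
        distinct = {a for a in req.approvers if a and a != req.subject}
        if len(distinct) < 2:
            return _deny("dual control: two approvers distinct from the subject required")

    if op in BREAK_GLASS_OPS:
        return Decision(True, op, BREAK_GLASS_TTL_S, True,
                        ["break-glass: 15 min TTL, forensic export bundled"])

    if op in ("rotation", "destroy"):
        return Decision(True, op, LIVE_LEASE_MAX_S, False,
                        [f"{op} approved under dual control"])

    return _deny(f"unknown operation class {op!r}")


if __name__ == "__main__":
    demo = ReleaseRequest("broker_api_key", "alice", "live_execution", 90,
                          "desktop", reason="restart bridge", step_up_mfa=True)
    print(evaluate_release(demo))  # denied: attestation missing
```

Ordering matters: the cheap, unconditional denials (reason, driving-safe, trust floor) run before any MFA or attestation check, and reference-only is granted before MFA is demanded so the default path stays frictionless while every plaintext-touching path pays the full rail.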
High-Trust Objects
Broker API keys, refresh tokens, account scopes
Wallet signing key references / key shares
TTQI connector creds for private-vault jobs
OIDC / webhook / STT / TTS / tailscale secrets
Quantum-safe config (QKD/PQC/QRNG) where enabled