// Architecture

QHx, in pieces.

001 · Problem

Systems cannot reason about trust at runtime.

Distributed systems span operators, networks, and trust boundaries that no single component sees end to end. Trust has to be decided at the moment of exchange, against evidence.

Most systems collapse that decision into network position, long-lived credentials, or implicit trust between intermediaries. The result is a system that cannot reason about trust when it matters.

002 · Model shift

From assumption to verification.

BEFORE

Trust: assumed from origin

Identity: static and reused

Authority: implicit in the path

Evidence: after the fact

AFTER

Trust: verified per exchange

Identity: issued at runtime

Authority: attested and named

Evidence: in the path

003 · System components

Five components. One coordinate system.

01

Workload identity

SPIFFE-aligned identity issued continuously from node and workload attestation. Bound to the running process, not the host.

02

Attestation

Two-phase evidence. The node attests first; workload identity is issued only as a child of an attested node.

03

Policy

Authorization on identity, namespace, label, and runtime context. Realized as admission decisions and proxy configuration.

04

Communication

Mutually authenticated tunnels between attested workloads. Application traffic carried unmodified.

05

Provenance

Signed receipts of request, response, and identity. Verifiable after the issuing credential expires.

004 · Execution flow

What happens before the request is trusted.

01

Identity established

The node attests. The workload identity is issued as a child of the attested node.

02

Posture verified

Evidence is checked against policy before issuance proceeds.

03

Policy evaluated

Authorization decisions operate on identity, namespace, label, and context.

04

Communication secured

A mutually authenticated tunnel is established between attested peers.

05

Action recorded

Optional notarized receipt of request, response, and identity.

005 · Security model

How trust is established. What is verified, what is assumed.

Trust comes from evidence: node platform measurements, workload selectors, and credentials issued by a controlled authority. Each exchange depends on what can be checked at that moment.

  • Verified at runtime: node platform posture, workload identity and selectors, peer identity at handshake, and policy compliance at admission.
  • Assumed by dependency: host kernel integrity, custody of root keys, datastore integrity, and operator discipline around the controls QHx does not own.

The full threat model, mitigations, and residual risks are documented on the security page.

006 · What this enables

Once the model holds.

  • Workload-bound communication that survives credential rotation.
  • Policy that operates on identity rather than network position.
  • Federation across distinct authorities and trust domains.
  • Cryptographic agility, including post-quantum migration without application changes.
  • Durable provenance verifiable offline, after the credential expires.