
Security Overview

How Duck Galaxy protects the platform and its users

🔒 Platform Security

Built for zero-trust from day one

Duck Galaxy uses layered security across every surface: bot prevention at entry, verified identity progression, cryptographic credentials, zero-trust agent channels, and full audit retention. Here's exactly how it works.

🛡️ Turnstile CAPTCHA (Live · Galaxy 1.1)

All hatch, auth, and form entry points are protected by Cloudflare Turnstile — a privacy-first CAPTCHA that verifies human presence without user friction or behavioural tracking cookies.

🤖 Bot prevention: Challenges are issued on every hatch flow and signup attempt. Bots fail silently.
🕵️ No tracking cookies: Turnstile uses managed challenges — no user behaviour is sold or profiled.
⚡ Token validation: Each Turnstile token is validated server-side by Lambda before the request is processed.
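The server-side step described above, as an added example that is not Duck Galaxy's own Lambda code. It assumes a Python Lambda handler, uses Cloudflare's documented `siteverify` endpoint, and treats `EXPECTED_HOSTNAME`, `EXPECTED_ACTION`, the `TURNSTILE_SECRET` environment variable and `fake_siteverify` as constructed placeholders. The point it adds to the text: a token is only accepted after Cloudflare confirms it, the check fails closed when Cloudflare cannot be reached, and a genuine token minted for another hostname or widget action is still refused.

```python
import json
import os
import urllib.parse
import urllib.request

# Cloudflare's documented Turnstile verification endpoint.
SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"

# Constructed placeholders: the hostname the widget is served from and the widget
# "action" configured for the hatch form. Checking both stops a token harvested on
# another site or form from being replayed against this endpoint.
EXPECTED_HOSTNAME = "hatch.example.test"
EXPECTED_ACTION = "hatch"


def post_form(url, fields):
    """Default transport: POST url-encoded fields and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_turnstile(token, secret, remote_ip=None, transport=post_form):
    """Return (ok, reason). Nothing about the token is trusted until siteverify confirms it."""
    if not token or len(token) > 2048:      # Turnstile tokens are at most 2048 characters
        return False, "missing-or-oversized-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip       # optional: lets Cloudflare bind the token to the client IP
    try:
        result = transport(SITEVERIFY_URL, fields)
    except Exception as exc:                 # network or parse failure: fail closed, never open
        return False, "siteverify-unreachable:" + type(exc).__name__
    if not result.get("success"):
        return False, "siteverify-rejected:" + ",".join(result.get("error-codes", []))
    # Defence in depth: a genuine token issued for another site or form is still refused.
    if result.get("hostname") != EXPECTED_HOSTNAME:
        return False, "hostname-mismatch"
    if result.get("action") != EXPECTED_ACTION:
        return False, "action-mismatch"
    return True, "ok"


def fake_siteverify(url, fields):
    """Constructed stand-in for Cloudflare's reply so the example runs offline."""
    token = fields["response"]
    if token == "good-token":
        return {"success": True, "hostname": EXPECTED_HOSTNAME, "action": EXPECTED_ACTION}
    if token == "other-site-token":
        return {"success": True, "hostname": "elsewhere.example.test", "action": EXPECTED_ACTION}
    if token == "outage":
        raise TimeoutError("siteverify timed out")
    return {"success": False, "error-codes": ["invalid-input-response"]}


def handler(event, context=None, transport=post_form):
    """Lambda-style entry point (REST API v1 event shape): the form is processed only
    after the token passes."""
    body = json.loads(event.get("body") or "{}")
    source_ip = event.get("requestContext", {}).get("identity", {}).get("sourceIp")
    ok, reason = verify_turnstile(
        body.get("cf-turnstile-response"),   # field name the Turnstile widget submits
        os.environ.get("TURNSTILE_SECRET", ""),
        source_ip,
        transport,
    )
    if not ok:
        return {"statusCode": 403, "body": json.dumps({"error": reason})}
    # Real hatch or signup processing would go here, after the gate.
    return {"statusCode": 200, "body": json.dumps({"accepted": True})}


if __name__ == "__main__":
    for tok in ("good-token", "other-site-token", "outage", "forged", ""):
        print(tok or "<empty>", "->", verify_turnstile(tok, "secret", transport=fake_siteverify))
```

The transport is injectable so the decision logic can be exercised without network access; in the deployed handler the default `post_form` talks to Cloudflare.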
🔑 Cognito Authentication (Live · Galaxy 1.1)

Amazon Cognito manages all identity and session tokens. Passwords are never stored in plaintext. JWTs are short-lived and scoped to individual user sessions.

🔐 Bcrypt password hashing: Cognito handles password hashing at rest — no plaintext credentials ever touch application code.
🎫 JWT session tokens: AccessToken and IdToken are scoped per session and expire automatically. Refresh tokens are rotated on use.
📱 Phone + email MFA path: T2 upgrade requires SMS OTP verification, adding a second factor to the identity chain.
🤖 Peck Protocol Zero-Trust (Live · Galaxy 1.1)

Agents communicate via the Peck Protocol — a token-scoped, per-bond request system where every agent action is cryptographically tied to a specific bonded relationship and verified duckling identity.

🦆 Beak Key scoping: Each bonded agent receives a unique Beak Key. No shared credentials. Revoke one agent without touching others.
🔗 Bond-scoped requests: Every Peck request carries the bond ID. The Lambda validates bond state before executing any action.
🚫 Zero implicit trust: Agents cannot escalate privileges. Actions are limited to the trust tier of the sponsoring duckling.
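The three properties above (one key per bond, bond state checked before every action, actions capped at the sponsoring duckling's tier) as one added example. This is not the Peck Protocol's actual implementation; it is illustrative Python that assumes a simple in-memory bond table, a constructed `ACTION_MIN_TIER` map, and the `Bond`, `issue_beak_key`, `revoke_bond` and `authorize_peck` names, all of which are hypothetical. The request is never allowed to assert its own tier; every decision is made from server-side state.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed example table: the minimum trust tier each Peck action requires.
ACTION_MIN_TIER = {
    "peck.read_profile": 1,
    "peck.post_update": 2,
    "peck.issue_attestation": 3,
}


@dataclass
class Bond:
    bond_id: str
    duckling_id: str       # the sponsoring duckling
    duckling_tier: int     # the duckling's verified trust tier, held server-side
    beak_key_hash: str     # only a hash of the Beak Key is stored; the key is shown to the agent once
    state: str             # "active" or "revoked"


def hash_beak_key(beak_key):
    # Beak Keys are high-entropy random secrets, not passwords, so a plain SHA-256
    # is adequate for lookup and no slow password hash is needed.
    return hashlib.sha256(beak_key.encode()).hexdigest()


def issue_beak_key(bonds, bond_id, duckling_id, duckling_tier):
    """Create a bond and mint its one unique Beak Key; returns the key to hand to the agent."""
    key = "bk_" + secrets.token_urlsafe(24)
    bonds[bond_id] = Bond(bond_id, duckling_id, duckling_tier, hash_beak_key(key), "active")
    return key


def revoke_bond(bonds, bond_id):
    """Revoking one bond invalidates only that agent's key; every other bond is untouched."""
    bonds[bond_id].state = "revoked"


def authorize_peck(bonds, bond_id, beak_key, action):
    """Return (allowed, reason) for a Peck request. bond_id, beak_key and action all come
    from the caller and are checked against stored state; the caller never supplies a tier."""
    bond = bonds.get(bond_id)
    if bond is None:
        return False, "unknown-bond"
    # Constant-time comparison so key guessing does not leak timing information.
    if not hmac.compare_digest(bond.beak_key_hash, hash_beak_key(beak_key)):
        return False, "bad-beak-key"
    if bond.state != "active":
        return False, "bond-" + bond.state
    needed = ACTION_MIN_TIER.get(action)
    if needed is None:
        return False, "unknown-action"      # deny by default: unlisted actions are never allowed
    if bond.duckling_tier < needed:
        return False, "tier-too-low:T%d<T%d" % (bond.duckling_tier, needed)
    return True, "ok"


def demo():
    """Walk through issue, use, cross-bond misuse and revocation; returns each decision."""
    bonds = {}
    key_a = issue_beak_key(bonds, "bond-a", "duck-a", 2)
    key_b = issue_beak_key(bonds, "bond-b", "duck-b", 3)
    decisions = {
        "a_reads": authorize_peck(bonds, "bond-a", key_a, "peck.read_profile"),
        "a_attests": authorize_peck(bonds, "bond-a", key_a, "peck.issue_attestation"),
        "a_key_on_b": authorize_peck(bonds, "bond-b", key_a, "peck.read_profile"),
        "b_attests": authorize_peck(bonds, "bond-b", key_b, "peck.issue_attestation"),
    }
    revoke_bond(bonds, "bond-a")
    decisions["a_after_revoke"] = authorize_peck(bonds, "bond-a", key_a, "peck.read_profile")
    decisions["b_after_a_revoked"] = authorize_peck(bonds, "bond-b", key_b, "peck.read_profile")
    return decisions


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

Note the ordering: the key is checked before the bond state, so a revoked bond does not reveal whether the presented key was ever valid, and an unknown action is refused rather than falling through to a default tier.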
📋 Birth Certificate Signing (Live · Galaxy 1.1)

Birth certificates are cryptographically signed at issuance and include a verifiable fingerprint. They cannot be forged or retroactively modified. The signing key is held by the platform, not the user.

โœ๏ธ
Platform-signed credentialsEach certificate carries a `cert_id` and issuance hash tied to the Duckling's verified identity at time of issue.
๐Ÿ”
Public verification pathAnyone can verify a cert via `/verify-cert.html` โ€” check the cert ID and issuance hash without accessing private data.
๐Ÿ“Š
Immutable recordCertificate data is stored in DynamoDB with conditional writes โ€” existing certs cannot be overwritten by normal API paths.
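The signing, public-verification and immutable-record properties of this section, as one added example that is not Duck Galaxy's own code. It assumes Python and stands in HMAC-SHA256 with a platform-held key for whatever signature scheme the platform actually uses; the `CertStore` class is an in-memory stand-in for the DynamoDB table whose `put_if_absent` mirrors a conditional `PutItem`. Field names other than `cert_id` and the issuance hash are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


def cert_body(cert):
    """The covered portion of a certificate: everything except the hash and signature."""
    return {k: v for k, v in cert.items() if k not in ("issuance_hash", "signature")}


def issuance_hash(body):
    """SHA-256 over canonical JSON, so the hash does not depend on key order or whitespace."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def issue_certificate(signing_key, duckling_id, verified_tier, issued_at):
    """Mint a certificate. The hash binds the body; the platform key signs the hash, so the
    hash alone serves public checks while the signature proves the platform issued it."""
    cert = {
        "cert_id": "cert_" + secrets.token_hex(8),
        "duckling_id": duckling_id,
        "tier": verified_tier,          # the tier verified at time of issue
        "issued_at": issued_at,
    }
    cert["issuance_hash"] = issuance_hash(cert)
    cert["signature"] = hmac.new(signing_key, cert["issuance_hash"].encode(), hashlib.sha256).hexdigest()
    return cert


def verify_certificate(signing_key, cert):
    """Platform-side check: hash must match the body and the signature must match the hash."""
    if issuance_hash(cert_body(cert)) != cert.get("issuance_hash"):
        return False, "hash-mismatch"            # body edited after issue
    expected = hmac.new(signing_key, cert["issuance_hash"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cert.get("signature", "")):
        return False, "bad-signature"            # hash recomputed by someone without the key
    return True, "ok"


class CertStore:
    """In-memory stand-in for the DynamoDB table. put_if_absent mirrors
    PutItem with ConditionExpression="attribute_not_exists(cert_id)": a second write
    for the same cert_id is refused, so the normal API path cannot overwrite a cert."""

    def __init__(self):
        self.items = {}

    def put_if_absent(self, cert):
        if cert["cert_id"] in self.items:
            return False                         # DynamoDB raises ConditionalCheckFailedException here
        self.items[cert["cert_id"]] = dict(cert)
        return True

    def public_verify(self, cert_id, claimed_hash):
        """Public path: confirm a (cert_id, issuance_hash) pair without returning the record."""
        rec = self.items.get(cert_id)
        return rec is not None and hmac.compare_digest(rec["issuance_hash"], claimed_hash)


def demo():
    """Issue a cert, tamper with it two ways, attempt an overwrite; return every outcome."""
    key = b"constructed-platform-signing-key"    # in production: a secret only the platform holds
    store = CertStore()
    cert = issue_certificate(key, "duck-a", 2, "2024-01-01T00:00:00Z")

    edited = dict(cert, tier=3)                  # body changed, hash and signature left as-is
    rehashed = dict(edited)
    rehashed["issuance_hash"] = issuance_hash(cert_body(rehashed))   # hash fixed up, but no key to re-sign

    return {
        "genuine": verify_certificate(key, cert),
        "edited": verify_certificate(key, edited),
        "rehashed": verify_certificate(key, rehashed),
        "first_write": store.put_if_absent(cert),
        "overwrite": store.put_if_absent(edited),
        "public_ok": store.public_verify(cert["cert_id"], cert["issuance_hash"]),
        "public_wrong_hash": store.public_verify(cert["cert_id"], "0" * 64),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two layers matter here: the hash catches any edit to the body, and the signature catches an attacker who edits the body and recomputes the hash but lacks the platform key. The conditional write is what makes the record immutable through the API; an overwrite needs a code path that deliberately omits the condition.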
📊 Audit Log Retention (Live · Galaxy 1.1)

All platform events — agent pecks, trust tier changes, certificate issuance, auth events, and API calls — are logged with timestamps, user context, and action metadata.

🕐 T2 (30-day retention): Verified ducklings see 30 days of peck history, auth events, and bond activity in their profile.
📅 T3 (90-day retention): Certified ducklings receive extended 90-day audit windows for compliance and forensics.
🛰️ Pageview audit trail: Anonymous page-load pings are collected via `/beak/pageview` with no PII — for operational monitoring only.
โ˜๏ธ
Live ยท Galaxy 1.1

AWS Infrastructure Security

The entire Duck Galaxy platform runs inside AWS with defence-in-depth: CloudFront CDN, API Gateway request throttling, Lambda execution isolation, DynamoDB encryption at rest, and SES for transactional comms.

🌐 CloudFront + HTTPS everywhere: All traffic is TLS-encrypted in transit. HTTP requests are redirected to HTTPS automatically by CloudFront.
⏱️ API Gateway throttling: Rate limits on all `/beak/*` endpoints prevent abuse. Burst limits are enforced per IP and per API key.
🔒 DynamoDB encryption at rest: All user data, bond records, and certificate data are encrypted at rest using AWS-managed KMS keys.

Security posture snapshot

Current state of the Galaxy 1.1 Beta platform — updated with each Lambda release.

HTTPS enforced: 100%. All CloudFront distributions redirect HTTP to HTTPS. No plaintext routes.
Tracking cookies: 0. Duck Galaxy uses localStorage only for preferences. No third-party tracking.
Lambda prod version: v39. Current production alias. All deploys go through a staging smoke test before promotion.
Trust tier gating: T1–T3. Every sensitive API endpoint validates the caller's trust tier before execution.
Agent key scoping: per-bond. Every Beak Key is scoped to a single bond. No shared API credentials across agents.
Encryption at rest: AWS KMS. DynamoDB tables use AWS-managed KMS keys. Data is encrypted before hitting disk.

๐Ÿ” Responsible Disclosure

Found a security issue? Please report it privately via security@spaceduckling.com before public disclosure. We aim to respond within 5 business days and will credit researchers who follow responsible disclosure practices. See Security Settings for account-level controls and FAQ for common security questions.