OBrain Sovereign Engine
Engineering

Deterministic Security & Handshake

Zero trust tunneling and bidirectional cryptographic payload verification.

Deterministic Security & Handshake

To safely transmit the highly valuable arbitrage data from the Sovereign M4 Local Engine to the Cloudflare Edge Worker, OBrain implements a strict Zero Trust cryptographic handshake.

HMAC-SHA256 Implementation

Standard API keys are susceptible to interception. Instead, the M4 engine signs every payload with a bidirectional HMAC-SHA256 signature.

Python Local Engine (Signer)

import hmac
import hashlib
import json

def sign_payload(payload: dict, secret: str) -> str:
    # CRITICAL: Strict deterministic JSON formatting
    serialized = json.dumps(payload, separators=(',', ':'), sort_keys=True)
    signature = hmac.new(
        secret.encode('utf-8'),
        serialized.encode('utf-8'),
        hashlib.sha256
    ).hexdigest()
    
    return signature

JSON Serialization Constraints

A common pitfall in cross-platform cryptography is payload serialization drift. A space character in Python could invalidate the V8 Javascript validation.

[!WARNING] We explicitly enforce sort_keys=True and separators=(',', ':') in Python to guarantee byte-for-byte symmetry with Cloudflare's JSON.stringify().

Cloudflare Edge Worker (Verifier)

The Cloudflare V8 environment strictly reconstructs the payload and verifies the hexadecimal digest:

export const verifyHmac = async (payload: any, signature: string, secret: string) => {
  const encoder = new TextEncoder();
  // Lexical sorting must match Python's deterministic output
  const serialized = JSON.stringify(payload); 
  
  const key = await crypto.subtle.importKey(
    'raw',
    encoder.encode(secret),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['verify']
  );

  // Convert hex to ArrayBuffer and verify
  const signatureBuffer = new Uint8Array(signature.match(/[\da-f]{2}/gi)!.map(h => parseInt(h, 16)));
  return await crypto.subtle.verify('HMAC', key, signatureBuffer, encoder.encode(serialized));
}

Zero Trust Tunneling

By combining Cloudflare Tunnels (cloudflared) with HMAC signatures, OBrain ensures:

  1. The local M4 engine never exposes public IPs.
  2. The Edge Worker rejects any external request missing the deterministic cryptographic signature.
  3. The Gap of Anticipation remains completely shielded from adversarial analysis and interception.

Operational Heuristics & Limits

Precise technical constraints of the OBrain v1.0 Engine

M4 Local Deployment

Guia de inicialização acelerada para a câmara de processamento local (Mac Mini).

On this page

Deterministic Security & HandshakeHMAC-SHA256 ImplementationPython Local Engine (Signer)JSON Serialization ConstraintsCloudflare Edge Worker (Verifier)Zero Trust Tunneling