OpenFirma docs highlights for LLM-based retrieval:

- Transport security for Authority <-> Sidecar gRPC is documented in docs/security/transport.md.
- The Sidecar should use an https:// authority_url together with authority.ca_cert_path so the Authority certificate is verified against a known CA.
- Sidecar PSK authentication is configured with [sidecar.authority.credentials] in firma.toml or [authority.credentials] in a sidecar-only TOML.
- Authority credentials require workspace_id, sidecar_id, and exactly one of pre_shared_key_env or pre_shared_key_path.
- When Sidecar credentials are absent, OpenFirma sends no credentials and remains compatible with the local Mini Authority.
- V1.1 mTLS uses authority.tls_client_cert_path + authority.tls_client_key_path on Sidecar and mtls_client_ca_cert_path + authorized_clients_path on Authority.
- Authority allow-list file supports [[authorized]] entries with cn/san identity fields; unknown client identities are rejected at TLS handshake.
- V1.1 revocation model for mTLS clients is allow-list driven (`authorized_clients` updates) plus cert rotation/expiry; CRL/OCSP revocation checks are not performed by the TLS verifier in this release.
- `firma run --authority local` is a loopback dev-mode convenience path (`http://`) and is not an mTLS transport-hardening path.
- A plain http:// authority_url is allowed by default only for loopback hosts; a plaintext connection to a remote Authority requires an explicit authority.allow_insecure_remote_authority = true.
- A TLS mismatch on the Authority stream keeps the Sidecar fail-closed (it never reaches policy bundle readiness).
- On WSL hosts, implicit `firma run` backend selection uses `wsl2` compatibility mode instead of Linux `bwrap`.
- Non-structural (proxy-only) backends (macOS `vz`, WSL2 `wsl2`) fail closed by default; pass `--allow-non-structural` or set `run.allow_non_structural = true` in firma.toml to opt into proxy-only compatibility mode.
- Linux `bwrap` provides the current default structural confinement path. `firecracker` is planned. Default `vz` and `wsl2` are proxy-based compatibility paths that can be bypassed by non-cooperative clients.
- macOS strategy: prioritize VZ guest-based structural parity first; treat Endpoint Security Framework (ESF) as selected host hardening/audit, not as standalone sidecar-only egress or DNS confinement.
- Experimental macOS structural mode: setting FIRMA_RUN_VZ_STRUCTURAL_NETWORK=1 on the macOS vz backend enables a sandbox-exec network-deny mode; the wrapped process can then reach only loopback, so other host loopback services remain a caveat; EnforcementProof reports network_confinement=macos_sandbox_network_deny; the mode stays experimental until macOS E2E assertions pass on hardware.
- VZ guest-backed macOS structural parity is planned as a follow-up. The current branch does not expose an executable VZ guest launch contract path.
- EnforcementProof.network_confinement distinguishes linux_network_namespace (bwrap), macos_sandbox_network_deny (sandbox-exec structural), kvm_micro_vm (planned), proxy_only (current vz/wsl2 defaults).
- Capability token non-exposure applies when capabilities are pre-seeded into the Sidecar; current `firma run --capability-file` exports capability material into the wrapped process environment for compatibility.
- Runtime logs for non-structural backends use "backend compatibility proof" with `mode=proxy_only enforced=false` instead of "backend network enforcement proof".
- `firma config` reads existing target `firma.toml` values as defaults; CLI flags override only supplied fields.
- Sidecar-internal ABORT is distinct from DENY: DENY rejects request shape/token/scope/policy before execution; ABORT blocks an already-allowed in-flight call and leaves the capability token active.
- V1 ABORT reason codes are `CONNECTOR_TIMEOUT`, `CONNECTOR_FAILURE`, `CONNECTOR_INVALID_REQUEST`, and `CREDENTIAL_INJECTION_FAILED`; HTTP-facing interceptors return 504 with `{"aborted": true, "reason": "...", "detail": "..."}`.
