What is the 7-gate validator bootstrap?

The 7-gate bootstrap is a sequential startup sequence that every JIL validator must complete before joining the network: (1) handshake with JILHQ, (2) config bundle download, (3) image digest verification, (4) key generation/import, (5) auth token issuance, (6) service startup, (7) health verification. Failure at any gate halts the process.

Why does validator startup need 7 gates?

Each gate verifies a different security property: identity (handshake), configuration integrity (config), software authenticity (digest), cryptographic readiness (keys), authorization (auth token), operational status (services), and system health (verification). This ensures no validator can join the network with compromised software or configuration.

What happens if a validator fails a gate?

The bootstrap process halts immediately at the failing gate. The validator cannot proceed to subsequent gates or join the consensus network. JILHQ logs the failure and alerts operators for investigation. This prevents compromised or misconfigured nodes from participating.

How are validator images verified?

Image digest verification (Gate 3) compares the SHA-256 digest of each Docker image against the digest signed and pinned in JILHQ's registry. Any mismatch indicates tampering and blocks the validator from starting.

Multi-Gate Validator Bootstrap

Executive Summary

JIL Sovereign implements a 7-gate ordered bootstrap protocol for validator nodes. The critical innovation is that code integrity verification (image digest matching) is a mandatory prerequisite before identity verification can begin. Combined with 24-hour consensus authorization tokens forcing daily re-verification.

Core Innovation: First validator bootstrap protocol that mandates code integrity verification before identity verification, preventing supply-chain attacks where tampered software authenticates and joins consensus.

Problem Statement

Existing validator bootstrap protocols (Kubernetes node join, AWS SSM, Tendermint) verify identity before verifying code integrity. This allows a node running tampered software to authenticate successfully and participate in consensus with compromised code.

Kubernetes: Identity first (service account token), no image verification gate
Docker Content Trust: Independent of node authentication, not sequenced
AWS SSM: IAM role verification, no code integrity gate
Tendermint: Staking transaction, no pre-auth verification

7-Gate Bootstrap Sequence

Gate	Name	Purpose	Failure Action
1	Handshake	TLS connection to fleet controller	Retry with backoff
2	Registration	Node identity claim	Halt bootstrap
3	Image Digest	SHA-256 verification of 17+ container images against pinned manifest	Halt bootstrap
4	Identity	5-key-type challenge-response (ed25519, HMAC, API key, SSH, HSM)	Halt bootstrap
5	Authorization	24-hour consensus token issued	Halt bootstrap
6	Configuration	HMAC-signed config bundle pull and validation	Halt bootstrap
7	Service Start	All services initialized, health checks pass	Halt bootstrap

Key Sequencing: Gate 3 (code integrity) MUST pass before Gate 4 (identity verification) can begin. A node with tampered images cannot even attempt authentication.

Image Digest Verification

Gate 3 computes SHA-256 digests for each of 17+ container images running on the validator and compares each against a centrally pinned manifest maintained in the hq_image_digests table on the fleet controller. Any single mismatch halts the bootstrap.

// Digest verification pseudocode
for each container_image in node.images:
    local_digest = sha256(container_image)
    pinned_digest = hq.get_pinned_digest(container_image.name)
    if local_digest != pinned_digest:
        HALT("Image digest mismatch: possible tampering")
        return BOOTSTRAP_FAILED

24-Hour Consensus Tokens

Upon successful completion of Gates 3 and 4, a time-limited consensus authorization token is issued with a maximum 24-hour validity period. This forces daily re-execution of the integrity and identity verification sequence, ensuring that any node compromise is detected within 24 hours.

Property	Value
Token type	JWT with HMAC-SHA256
Validity	24 hours maximum
Renewal	Full re-bootstrap required
Scope	Consensus participation only

Patent Claim

Independent Claim 3: A computer-implemented method for bootstrapping a validator node in a distributed network, the method comprising an ordered sequence of gates wherein: a code integrity verification gate comparing local container image digests against a centrally pinned manifest is executed as a mandatory prerequisite before an identity verification gate using multi-key-type challenge-response authentication; and a time-limited consensus authorization token with a maximum 24-hour validity period is issued upon successful completion of both gates, requiring daily re-execution of the integrity and identity verification sequence.

Overview

How It Works

Beneficiary Identity

Policy Corridors

Deterministic Finality

Architecture

Security Model

Governance

Integration

Corridors Overview

Institutional Overview

Pricing

All Scenarios

Humanitarian Impact Fund

Technical Assurance

Verify Receipt

Receipt Example

Documentation

APIs & Bridges

Architecture Docs

Glossary

BID API

About

Team

Partners

Roadmap

Investors

Contact

Blog

All Documentation

Multi-Gate Validator Bootstrap

Executive Summary

Problem Statement

7-Gate Bootstrap Sequence

Image Digest Verification

24-Hour Consensus Tokens

Patent Claim