{
  "canon_meta": {
    "canon_id": "devon-module-security-canonical",
    "version": "2.0.0",
    "status": "PLANNED",
    "domain": "module_security",
    "master_authority": "master_architecture_index.md",
    "preserve_original_content": true,
    "canonical_layer_key": "trust_layer",
    "phase_origin": [
      "phase-08"
    ],
    "installation_order": 15,
    "primary_stage": "foundations_security"
  },
  "objective": "Define least-privilege and isolation rules for Devon modules.",
  "scope": [
    "module_permissions",
    "inter_module_access",
    "tool_scope",
    "filesystem_scope",
    "network_scope",
    "execution_boundaries"
  ],
  "evidence_model": [
    "module_contracts",
    "allowed_actions",
    "forbidden_actions",
    "scope_registry"
  ],
  "approval_gate": [
    "module_boundaries_defined",
    "privilege_review_complete",
    "module_policy_approved"
  ],
  "governance_reference": {
    "master_authority": "master_architecture_index.md",
    "primary_axis": "canonical_layer",
    "secondary_axis": "deployment_order",
    "preserve_phase_registry": true,
    "preserve_original_content": true
  },
  "canonical_layer_key": "trust_layer",
  "phase_origin": [
    "phase-08"
  ],
  "installation_order": 15,
  "primary_stage": "foundations_security",
  "security_governance_extensions": {
    "canonical_position": {
      "canonical_layer_key": "trust_layer",
      "phase_origin": [
        "phase-08"
      ],
      "installation_order": 15
    },
    "security_stage_group": "foundations_security"
  }
}
