Most of Vyrox's trust boundary comes down to one operation done correctly: verifying an HMAC signature on an incoming payload before anything else touches it. Get this wrong and the whole "deterministic, auditable" story is fiction, because an attacker can feed you forged events.
Three things I had to get right:
Verify before you parse. The signature check happens before json.loads, before the payload hits a queue, before any handler sees it. An unverified payload is hostile input and gets to do nothing.
Compare in constant time. This is the subtle one. A naive if received == expected: short-circuits on the first differing byte, and that tiny timing difference leaks how many leading bytes you got right. Given enough requests, an attacker forges a valid signature one byte at a time. The fix:
import hmac
hmac.compare_digest(received_sig, expected_sig)
Always the same time regardless of where the mismatch is. No timing oracle.
A signature without a clock is a replay. A valid HMAC proves the message wasn't tampered with, not that it's fresh. So every signed payload carries a timestamp, and anything outside a tight window (30 seconds) is rejected. Otherwise a captured-and-replayed request is indistinguishable from a real one.
Cryptography rarely fails because the algorithm is weak. It fails because the plumbing around it is.