─┤ Block Parliament Security Policy ├─

The validator's withdrawal authority key (AN58nFDFdehKbP7d3KALhnCJAsWNE7cWpCR6dLVAj9xm) is stored separately from the validator identity and vote account keys. This key is kept offline and never resides on the validator server, preventing unauthorized fund access even in the event of server compromise.

The validator identity key is stored on the server with restricted file permissions (owned by the sol user, mode 600). Administrative access (via the ubuntu account) is separate from the validator process account (sol), which has no sudo privileges.

Critical keys are backed up to hardware wallets stored in secure physical locations. Seed phrases are never stored digitally or transmitted over networks.

The validator runs on dedicated bare-metal hardware (not shared cloud VMs) hosted in a professional data center with redundant power and network connectivity. Hardware specs: AMD EPYC 24-core CPU, 377 GB RAM, NVMe storage in RAID configuration.

Linux installation with only essential packages plus monitoring agents (Alloy for metrics, Prometheus exporters). The validator process runs under a dedicated unprivileged user account.

• • Strict firewall rules: only necessary ports exposed (Solana gossip/turbine/repair, SSH, metrics exporter)
• • SSH access via public-key authentication only (password auth disabled)
• • fail2ban active with aggressive settings (5 attempts → 12hr ban)
• • DDoS mitigation provided at the data center level

Server access is limited to the operator (Gabe Rodriguez) and one contractor (Christopher Vannelli). No other third-party vendors have access to validator infrastructure.

• • Administrator account (ubuntu) separate from validator process account (sol)
• • SSH root login disabled
• • Validator user cannot sudo or access admin functions

A dedicated watchtower service monitors validator health from an independent location (separate from the validator itself). Alerts are sent via Telegram for:

• • Validator delinquency (not voting)
• • Health check failures
• • Vote account issues

System and validator metrics (CPU, memory, disk, slot lag, vote performance) are collected and stored in Grafana Cloud for trend analysis and incident investigation.

Validator performance is publicly verifiable via Stakewiz, validators.app, and on-chain data.

Running the Jito-enhanced Agave client for MEV rewards. As an Anza core developer, the operator has deep familiarity with the client codebase and can respond quickly to issues.

• • New releases tracked via Solana Tech Discord
• • Updates tested on testnet validator before mainnet
• • Tower file backed up before any upgrade (prevents consensus issues)
• • OS security patches applied regularly

The validator runs standard Jito-Agave releases without custom consensus modifications that could affect network behavior.

• • Block Engine: Frankfurt (eu-frankfurt)
• • Tip programs: Official Jito mainnet contracts
• • Current commission rates: view on Solscan ↗