# Infrastructure Overview
This platform runs on dedicated local hardware (not cloud). All 13 services ("primals") are pure Rust microservices that handle security, data, networking, and provenance.
| Component | Status | What it does |
|---|---|---|
| Primals (13 services) | All alive | Modular Rust services — crypto (BearDog), networking (SongBird), storage (NestGate), etc. |
| MethodGate | Enforced | Every service rejects unauthenticated requests (capability-based access) |
| Ionic tokens | Live | Ed25519-signed, time-limited access tokens with per-user scope |
| Firewall | Active | All service ports listen only on localhost, deny-by-default |
| darkforest validator | v2.0 | 179 PASS, 0 FAIL, 6 informational findings |
## Security Layers

### Network
- All 14 service ports bound to `127.0.0.1` only (not reachable from LAN or internet)
- Outbound internet blocked for non-admin users (localhost + LAN preserved)
- DNS restricted to local stub resolver
- Process isolation between users (`hidepid=2` on `/proc`)
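A quick way to confirm the "localhost only, deny-by-default" bind policy above is to audit the listening sockets rather than trust the configuration. The following Go program is an added example, not code from the platform described on this page: it parses `ss -ltn` style output (the sample below is constructed, not a capture from this system) and flags every listener that is not on a loopback address, including wildcard binds (`0.0.0.0`, `::`, `*`) and LAN addresses.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Finding is one listening socket that violates the localhost-only policy.
type Finding struct {
	Local  string // address:port exactly as ss printed it
	Reason string
}

// splitHost extracts the host part from the forms ss prints:
// 127.0.0.1:8443, [::1]:9000, *:22, 0.0.0.0:22.
func splitHost(local string) string {
	i := strings.LastIndex(local, ":")
	if i < 0 {
		return local
	}
	host := local[:i]
	return strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
}

// AuditListeners parses `ss -ltn` output (one socket per line, local address in
// the 4th column; the header line is ignored) and reports every listener that
// is not bound to a loopback address.
func AuditListeners(ssOutput string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(ssOutput, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 4 || fields[0] != "LISTEN" {
			continue // header, blank line, or something that is not a listener
		}
		local := fields[3]
		host := splitHost(local)
		switch {
		case host == "*" || host == "0.0.0.0" || host == "::":
			findings = append(findings, Finding{local, "wildcard bind: reachable from every interface"})
		default:
			ip := net.ParseIP(host)
			if ip == nil {
				findings = append(findings, Finding{local, "unparseable address"})
			} else if !ip.IsLoopback() {
				findings = append(findings, Finding{local, "bound to non-loopback interface"})
			}
		}
	}
	return findings
}

// sample is constructed output in the format `ss -ltn` prints; it is not a
// capture from the platform described on the page.
const sample = `State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:8443       0.0.0.0:*
LISTEN  0       128     [::1]:9000           [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    192.168.1.10:5432    0.0.0.0:*
LISTEN  0       128     *:5353               *:*`

func main() {
	for _, f := range AuditListeners(sample) {
		fmt.Printf("FAIL %-22s %s\n", f.Local, f.Reason)
	}
}
```

Run it against live output with `ss -ltn | go run audit.go` after swapping `sample` for stdin; an empty result is the expected state for a host where every service port is bound to `127.0.0.1`.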
### Authentication
- MethodGate: every service checks capability tokens before executing any request
- Token flow: create identity → issue scoped session token → signed with Ed25519
- Tunnel managed by `tunnelKeeper` (pure Rust Cloudflare API client)
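The token flow and the MethodGate check above, as an added example in Go (chosen because its standard library ships Ed25519; this is not the platform's Rust code, and the token field names `sub`, `caps`, `iat`, `exp`, `sig` are assumptions, not the real Ionic format). The point it shows is that the gate rejects on four independent grounds before any method runs: no token at all, a signature that does not verify (which also catches a tampered scope), a token outside its validity window, and a token whose scope does not include the capability the method needs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Token is the signed payload a client presents on every request.
// Field names are assumptions for this example, not the platform's real format.
type Token struct {
	Subject   string   `json:"sub"`  // per-user scope: who the token was issued to
	Caps      []string `json:"caps"` // capabilities granted, e.g. "nestgate.read"
	IssuedAt  int64    `json:"iat"`  // unix seconds
	ExpiresAt int64    `json:"exp"`  // unix seconds; tokens are time-limited
	Sig       []byte   `json:"sig"`  // Ed25519 signature over the other fields
}

// signingBytes returns the canonical bytes that are signed: the token with
// Sig cleared, JSON-encoded (struct field order makes the encoding deterministic).
func signingBytes(t Token) ([]byte, error) {
	t.Sig = nil
	return json.Marshal(t)
}

// Issue creates a scoped, time-limited session token for subject and signs it
// with the identity's Ed25519 key.
func Issue(priv ed25519.PrivateKey, subject string, caps []string, now time.Time, ttl time.Duration) (Token, error) {
	t := Token{Subject: subject, Caps: caps, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
	msg, err := signingBytes(t)
	if err != nil {
		return Token{}, err
	}
	t.Sig = ed25519.Sign(priv, msg)
	return t, nil
}

var (
	ErrNoToken = errors.New("unauthenticated: no token presented")
	ErrBadSig  = errors.New("invalid signature")
	ErrExpired = errors.New("token expired")
	ErrNotYet  = errors.New("token not yet valid")
	ErrNoCap   = errors.New("capability not granted")
)

// Gate is the per-service check run before any method executes. The signature
// is verified first so that no field of an unverified token is trusted.
func Gate(pub ed25519.PublicKey, t *Token, needCap string, now time.Time) error {
	if t == nil {
		return ErrNoToken
	}
	msg, err := signingBytes(*t)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, t.Sig) {
		return ErrBadSig
	}
	if now.Unix() >= t.ExpiresAt {
		return ErrExpired
	}
	if now.Unix() < t.IssuedAt {
		return ErrNotYet
	}
	for _, c := range t.Caps {
		if c == needCap {
			return nil
		}
	}
	return ErrNoCap
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the identity's key pair
	now := time.Unix(1_700_000_000, 0)
	tok, _ := Issue(priv, "alice", []string{"nestgate.read"}, now, 15*time.Minute)

	fmt.Println("read:    ", Gate(pub, &tok, "nestgate.read", now))
	fmt.Println("write:   ", Gate(pub, &tok, "nestgate.write", now))
	fmt.Println("later:   ", Gate(pub, &tok, "nestgate.read", now.Add(time.Hour)))
	tampered := tok // client edits its own scope; signature no longer matches
	tampered.Caps = []string{"nestgate.read", "nestgate.write"}
	fmt.Println("tampered:", Gate(pub, &tampered, "nestgate.write", now))
	fmt.Println("none:    ", Gate(pub, nil, "nestgate.read", now))
}
```

Note that the caller passes `now` in rather than reading the clock inside `Gate`; that keeps the validity-window logic testable and makes clock handling an explicit decision of the service.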
### Provenance
- Every computation is hashed (BLAKE3), linked in a DAG, and recorded in an append-only ledger
- 235+ automated science validation checks across 11 bioinformatics workloads
- W3C PROV-compatible attribution with Ed25519 witness signatures
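The provenance chain above (hash each computation, link it to its inputs in a DAG, record it in an append-only ledger, witness-sign it) as an added Go example. This is not the platform's code: SHA-256 from the Go standard library stands in for BLAKE3, which the page names and the standard library lacks, and the `Record` fields and the W3C PROV mapping are left out. What it shows is the verification side: replaying the ledger recomputes every hash, checks that each parent precedes its child, and checks each witness signature, so a silently edited historical output or a record signed by the wrong key is detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Record is one computation in the DAG. Field names are assumptions for this example.
type Record struct {
	Step    string   // human label, e.g. "align-reads"
	Parents []string // content hashes of the records this computation consumed
	Output  []byte   // the computation's output (or its digest)
	Hash    string   // content hash over Step, sorted Parents and Output
	Witness []byte   // Ed25519 signature over Hash by the witness key
}

// contentHash derives the record id. SHA-256 stands in for BLAKE3 here; the
// construction (label, parent ids, output, each length-delimited) is the same.
func contentHash(step string, parents []string, output []byte) string {
	h := sha256.New()
	h.Write([]byte(step))
	h.Write([]byte{0})
	ps := append([]string(nil), parents...)
	sort.Strings(ps) // parent order must not change the id
	for _, p := range ps {
		h.Write([]byte(p))
		h.Write([]byte{0})
	}
	h.Write(output)
	return hex.EncodeToString(h.Sum(nil))
}

// Ledger is append-only: records are only ever added at the end, and a record
// may only reference parents that already exist earlier in the ledger.
type Ledger struct {
	Records []Record
	index   map[string]int
}

func NewLedger() *Ledger { return &Ledger{index: map[string]int{}} }

// Append hashes the new computation, has the witness sign the hash, and appends it.
func (l *Ledger) Append(witness ed25519.PrivateKey, step string, parents []string, output []byte) (Record, error) {
	for _, p := range parents {
		if _, ok := l.index[p]; !ok {
			return Record{}, fmt.Errorf("unknown parent %s", p)
		}
	}
	r := Record{Step: step, Parents: parents, Output: output}
	r.Hash = contentHash(step, parents, output)
	r.Witness = ed25519.Sign(witness, []byte(r.Hash))
	l.index[r.Hash] = len(l.Records)
	l.Records = append(l.Records, r)
	return r, nil
}

var ErrLedger = errors.New("ledger integrity violation")

// Verify replays the ledger from the start: every record's hash must recompute
// from its contents, its parents must appear earlier, and its witness signature
// must verify under the witness public key.
func (l *Ledger) Verify(pub ed25519.PublicKey) error {
	seen := map[string]bool{}
	for i, r := range l.Records {
		if contentHash(r.Step, r.Parents, r.Output) != r.Hash {
			return fmt.Errorf("%w: record %d hash mismatch", ErrLedger, i)
		}
		for _, p := range r.Parents {
			if !seen[p] {
				return fmt.Errorf("%w: record %d references a parent not earlier in the ledger", ErrLedger, i)
			}
		}
		if !ed25519.Verify(pub, []byte(r.Hash), r.Witness) {
			return fmt.Errorf("%w: record %d witness signature invalid", ErrLedger, i)
		}
		seen[r.Hash] = true
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // witness key pair
	l := NewLedger()
	raw, _ := l.Append(priv, "fetch-reads", nil, []byte("reads.fastq"))
	aln, _ := l.Append(priv, "align-reads", []string{raw.Hash}, []byte("aligned.bam"))
	l.Append(priv, "call-variants", []string{aln.Hash}, []byte("variants.vcf"))
	fmt.Println("verify:    ", l.Verify(pub))

	l.Records[1].Output = []byte("tampered.bam") // edit history in place
	fmt.Println("after edit:", l.Verify(pub))
}
```

Because a child's id commits to its parents' ids, changing any upstream record changes every id downstream of it; the replay therefore reports the first edited record, and any later record that still cites the old id fails the parent check.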
## Sovereignty Roadmap
The goal is to eliminate all external dependencies (Cloudflare, etc.) and run entirely on self-hosted, pure Rust infrastructure.
```
Horizon 1: External Security ██████████ COMPLETE — 179 PASS, 0 FAIL
Horizon 2: Self-Hosted       ██░░░░░░░░ Tunnel mgmt done (tunnelKeeper), auth tokens next
Horizon 3: Primal-Only       █░░░░░░░░░ Full sovereignty — replace all external services
```