Security

Drok complies with all seven layers of LSS-001, the LeMay Security Standard. Every security property described below is a structural feature of the platform, not a policy aspiration.

Layer I

Memory Safety and Transport

The entire backend is Rust with zero unsafe blocks in first-party code. All connections use TLS 1.3 with HSTS preloading. No C, C++, or other memory-unsafe languages in the critical path.

Layer II

Post-Quantum Cryptography

ML-KEM-1024 (FIPS 203) for key encapsulation. ML-DSA-87 (FIPS 204) for digital signatures. SLH-DSA-SHA2-256s (FIPS 205) for stateless hash-based signatures. Hybrid X25519 + ML-KEM-1024 as default key exchange.

Layer III

Cryptographic Agility

The CryptoProvider trait enables zero-downtime algorithm rotation. When NIST publishes updated parameters or new standards, Drok rotates without service interruption. Key rotation events are recorded in the transparency log.

Layer IV

Supply Chain Integrity

SLSA Level 3+ provenance attestation on all pipeline-produced artifacts. CycloneDX SBOM generation. Verified reproducible builds with dual-environment compilation and cryptographic output comparison.

Layer V

Confidential Computing

TEE (Trusted Execution Environment) isolation for key generation, signing operations, and secret storage. Attestation reports are recorded in the transparency log.

Layer VI

Universal Transparency

Merkle tree append-only log for every security-critical operation. Inclusion proofs for any entry. Hash chain linkage prevents retroactive modification. MTP Receipts provide verifiable audit trails.

Layer VII

Formal Verification

Kani model checker proofs for critical cryptographic and state-machine logic. Formal verification is not aspirational — it is a shipping requirement for security-critical code paths.

Reporting Vulnerabilities

Report security vulnerabilities to security@lemay.app. We will acknowledge receipt within 24 hours and provide a detailed response within 72 hours. Do not disclose vulnerabilities publicly until a fix has been deployed.


LeMay Inc. · Billerica, Massachusetts · Governed by LSS-001 · Filed under the Curtis License