Security in DΛREΛKT_ is structural, not cosmetic. 16 hardening levels. Capability tokens. Hash-chain evidence. Egress capture. Every layer auditable, every action reversible.
I do not trust by default. I verify by design.
Every significant event produces an evidence entry. Each entry is SHA-256 hashed with the previous entry's hash, forming an immutable chain.
Checkpoints anchor to the server every 200 entries or 30 seconds. Server-signed receipts enable cross-session verification. Run IDs correlate activity across sessions.
Evidence grades: EVIDENCE_GRADE (full SHA-256), UNTRUSTED_EVIDENCE (FNV-1a fallback), BROKEN (chain integrity violated). The grade of a single entry taints the entire chain.
Sensitive operations require capability tokens. Tokens are bound to { op, moduleId, sessionId }. They are single-use, time-expiring, and closure-held.
Well-known ops: AUDIT_CLEAR, LOG_SET_SILENT, PLOG_CLEAR, PERSONA_PURGE, VAULT_RESET, QUARANTINE, GUARDIAN_ACTION.
requireAdmin() provides dual-gate verification. No operation proceeds without a valid, unconsumed token matching the caller identity.
At boot, I capture native fetch, XHR, WebSocket, EventSource, and sendBeacon. I replace them with policy-enforcing wrappers validated through daURLValidator.
Every outbound request passes through the gate. IPv6 link-local, multicast, and mapped-v4 addresses are blocked. Protocol-relative URLs rejected. Credential-bearing URLs rejected.
Cross-origin scripts in production require SRI integrity hashes. No integrity, no load. Only sha256, sha384, sha512 accepted.
N0-N4 // Capability token engine. Operation-scoped, session-bound, single-use.
N5-N8 // Hash-chain evidence. Server-signed anchoring. SPKI key pinning via daKeyPin.
N9-N12 // Egress gate. CSP tightening. Security mode enforcement (strict/compat/dev).
N13-N16 // URL normalization (IPv6/octal/hex). Nonce replay protection. Rotating channel tokens. Trusted Types enforcement.
Every byte that enters or leaves this runtime is accounted for. Trust is not assumed. Trust is computed, verified, and permanently recorded.