Security

A Rust binary is a single sealed artifact. No interpreter. No runtime loader chasing symbols. No pip/npm/gem pulling remote code at import time. No sys.path hijacking, no LD_PRELOAD games, no __pycache__ shenanigans. The binary runs, does its job, and exits.

A script, by contrast, is instructions for somebody else's runtime to execute. Every byte of attack surface you ship, you also shipped the interpreter that reads it. Every dependency the script imports at runtime, you also shipped the resolver that fetches it. The attack surface of a 10MB Rust binary is the binary. The attack surface of a 10KB Python script is Python itself plus every transitive import plus the shell plus the PATH plus the working directory.

Latency matches. Compiled Rust cold-start is measured in milliseconds. Interpreted Python cold-start is typically hundreds of milliseconds before your code runs. Shell script with a dozen pipe calls forks a process per command. Attackers love long cold starts — they make window-of-exploitation analysis easier. Cold-starting fast is a defensive posture.

Buffer overflows. Use-after-free. Double-free. Null-pointer dereference. Data races. These are the bug classes that make up ~70% of exploitable CVEs in C/C++ systems. Rust's type system eliminates them by construction, not by convention.

Our stack is 100% Rust at the application layer. Zero C dependencies in application code (system libs like OpenSSL and the kernel itself are unavoidable and pinned). No unsafe blocks in application code. No FFI shims waiting for a format-string bug.

CISA Secure-by-Design aligned. Executive Order 14028 aligned. NIST SP 800-218 SSDF aligned. Not marketing words — actual compliance posture.

Every AI model we ship (pixel-forge, kova) carries a NanoSign signature — a 36-byte cryptographic hash appended to the file. Verified at load time before any inference. Unsigned or tampered files get rejected. No certificate authority, no network call, no infrastructure. The signature travels with the file. Works air-gapped.

Counterfeit detection is physics, not policy. If somebody forks pixel-forge and publishes a malicious model claiming to be ours, the signature check fails on every install that verifies.

Full details: /arch · Signed format: BLAKE3 over the file minus the trailing 36 bytes

The doom-prepper rule: never design as if attackers will fail to get in. Design as if they already did. Then ask: when they have everything, how do we minimize damage and detect tampering loudly?

Nine first principles applied across every repo:

• External witness — every record that matters hashes to a public git commit (neutral timestamp authority)
• No single point of compromise — signing keys in hardware, never in software
• Default air-gap — network for sync and publishing only, not correctness
• Append-only storage — delete is not a function, reversing entries are the correction pattern
• Cryptographic audit chain — every day's state derives from yesterday's hash
• Disclosed methodology — if an auditor can verify the algorithm, they can verify the outputs
• Separation of duties in software — entry, approval, audit in different trust zones
• Redundancy across trust zones — local + cloud + offline, different credentials each
• Regular tamper sims — Triple Sims extended to breach detection, run on every merge

Full threat model: P26 Moonshot Frame · Canonical threat model doc shipped to every repo in the portfolio

Every binary runs on hardware we own. Local LLM inference via kova. Local GPU compute via any-gpu. Local mesh comms via ghost-fabric. Local deploy via Gemini Man atomic replacement. No third-party SaaS in the critical path for anything we ship. Cloudflare Zero Trust for tunneling only — if CF disappeared tomorrow, we'd swap in Tailscale Funnel before dinner.

Every line of code is Unlicensed (public domain). No license-revocation risk. No rug-pull risk. No "enterprise edition" tier. Source is always public, always auditable, always yours to fork.

Supply chain: all Rust deps sourced from crates.io with versions pinned in Cargo.lock. cargo audit in CI. Reproducible builds where the Rust toolchain supports it. No vendored binaries. No pre-built shared libs. Nothing arrives at runtime you didn't sign off on at compile time.

Every repository at github.com/cochranblock is public. Every commit has a GitHub-neutral timestamp. Every release binary carries a NanoSign signature. Every claim on this site traces back to a git commit you can read.

If you think we're full of it, clone the repos, reproduce the builds, verify the signatures, audit the code. That is the whole point. We get stronger when you look.

Found a real bug? Open an issue or email [email protected]. Responsible disclosure rewarded with credit and a thank you. No bounty program because we don't have investors' money to throw around, but we will put your name on the commit that fixes it.