Security model
A server that auto-deploys code across a datacenter looks exactly like a worm, so we treat it like one. Every hop is independently gated by consent, identity, signature, sandbox, audit, and revocation. The single property that makes it safe: the server cannot mint its own authorization.
An auto-deploying control plane and a worm are the same shape: both move code from host to host and run it. The difference is authorization. In KWAM the authorization artifact is signed by a key the server never holds. A server with full read/write to its own config and disk still cannot manufacture permission to act.
One signed, single-use, operation-bound token authorizes one action, and nothing else. It is Ed25519 / cosign-signed by an operator HSM key the server never holds, and verified at runtime, per action.
Bound to the operation: grant_id, target_set_hash, content_cid, rollout_id. Minutes-TTL for deploy. A spent-token ledger, raft-sequenced, blocks replay.
Verified at runtime, per action
```
# signed by an OPERATOR HSM key
# the server NEVER holds
verify signature    # cosign / Ed25519
verify freshness    # within TTL
verify unspent      # raft ledger
verify svid         # subject_glob + capability
verify content_cid  # cid matches bytes
verify ticket
authorize("one action")  # else fail closed
```
grant_id · target_set_hash · content_cid · rollout_id
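The per-action checks listed above, as an added Go example (not KWAM's code): the node holds only the operator's public key, verifies the signature over the raw token bytes, then checks freshness, single use, SVID glob and capability, and the operation binding, denying on any failure. The `Op` type, the JSON token encoding, hex SHA-256 standing in for `content_cid`, the in-memory ledger and the `spiffe://fleet.example` names are assumptions; the `verify ticket` step is left out because the page does not define it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"path"
)

// Token fields follow the page; Op, the JSON encoding and a hex SHA-256 cid are assumptions.
type Token struct {
	GrantID, TargetSetHash, ContentCID, RolloutID, SubjectGlob, Capability string
	Expires                                                                int64 // unix seconds
}
type Op struct{ SVID, Capability, TargetSetHash, RolloutID, Payload string }
func cid(b string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(b))) }

// Authorize fails closed. spent stands in for the raft ledger; "verify ticket" is not modelled.
func Authorize(pub ed25519.PublicKey, spent map[string]bool, raw, sig []byte, op Op, now int64) error {
	var t Token
	if !ed25519.Verify(pub, raw, sig) || json.Unmarshal(raw, &t) != nil {
		return fmt.Errorf("bad signature") // checked over raw bytes before any field is trusted
	}
	globOK, _ := path.Match(t.SubjectGlob, op.SVID) // a malformed glob yields false
	switch {
	case now >= t.Expires:
		return fmt.Errorf("expired")
	case spent[t.GrantID]:
		return fmt.Errorf("replayed")
	case !globOK || t.Capability != op.Capability || t.TargetSetHash != op.TargetSetHash ||
		t.RolloutID != op.RolloutID || t.ContentCID != cid(op.Payload):
		return fmt.Errorf("not bound to this action")
	}
	spent[t.GrantID] = true // spend only on success, so a rejected attempt burns nothing
	return nil
}

func Demo() (out []string) { // one constructed token presented three times
	pub, priv, _ := ed25519.GenerateKey(nil) // stands in for the operator HSM key
	op := Op{"spiffe://fleet.example/node/web-01", "deploy", "ts-1", "r-1", "constructed payload"}
	raw, _ := json.Marshal(Token{"g-1", "ts-1", cid(op.Payload), "r-1", "spiffe://fleet.example/node/*", "deploy", 1300})
	sig, spent := ed25519.Sign(priv, raw), map[string]bool{}
	for _, a := range []Op{{op.SVID, "deploy", "ts-1", "r-1", "tampered payload"}, op, op} {
		out = append(out, fmt.Sprint(Authorize(pub, spent, raw, sig, a, 1000)))
	}
	return out
}
func main() { fmt.Println(Demo()) }
```

The three attempts are a tampered payload, the genuine action, and a second presentation of the same token; only the middle one is authorized.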
Every action maps to one capability, carried by the token and checked against the node's SVID. The language's closed enum is exactly these five; discover is non-default, per-range scoped, rate-limited and audited. (The HTTP API adds one more, enroll, for onboarding a new identity.)
| Capability | What it permits | Default |
|---|---|---|
| discover | Bounded, read-only probe of a capped candidate set (HTTP GET only) | Off: per-range scoped, rate-limited, audited |
| replicate | Place SHA-gated RS fragments on attested nodes | Capability-gated |
| deploy | Move signed, content-addressed code to a target set | Capability-gated · minutes-TTL token |
| execute | Run code inside a sandbox tier ≥ the policy floor | Capability-gated · sandbox floor enforced |
| quarantine | Per-target revoke / cordon / evict | Capability-gated · rate-limited · dual-control-eligible |
A client may only request a tier at or above the policy floor (default gvisor). It can never request weaker isolation than policy allows.
Process-level isolation. The weakest permitted tier, available only where policy explicitly sets the floor this low.
Syscall filtering on top of process isolation, narrowing the kernel attack surface.
User-space kernel: the default policy floor. Strong syscall mediation without a full VM.
WebAssembly sandbox: capability-scoped, deterministic, memory-isolated execution.
Hardware-virtualized micro-VM: the strongest tier for untrusted or high-blast-radius payloads.
Any node that receives deploys or holds replicas must present a hardware-rooted attestation quote: TPM, SEV-SNP, or TDX.
Soft facts, such as MAC address, GPU-UUID, or serial number, are software-spoofable and are never sufficient alone. No quote means limited-capability / quarantine mode: the node holds no replicas and runs nothing executable.
No quote → no trust
A node without a valid hardware quote is admitted only in a degraded posture: it cannot hold replicas and cannot execute code.
soft facts: advisory only · never sufficient
Discovery is limited to a capped candidate set and is HTTP GET only. It cannot sweep a network; it cannot write. It is a scoped probe of a pre-bounded candidate set, never a scanner.
We do not claim "one round." 99% of the fleet is reached in O(log N) gossip rounds (~10–15s at 100k nodes), with a tail. Several independent controls cover that tail.
Every mTLS handshake re-checks the SVID and a short-TTL revocation epoch; a revoked node is refused at connect time.
A direct push reaches reachable nodes in sub-2s, ahead of the gossip wavefront.
A node that cannot reach the attestation authority within its short SVID TTL self-quarantines.
global_pause freezes new authorization at the source: a fleet-wide stop on deploy / replicate.
Per-target
Revoke, cordon, or evict a single target. Capability-gated, rate-limited, dual-control-eligible, audited, and reversible.
Fleet-wide
A mint-side freeze of deploy and replicate across the whole fleet: no new authorization is issued while paused.
On every restart KWAM re-verifies the cosign signature, confirms the signer is still trusted, checks transparency-log inclusion, and tests the bit against the current revocation / quarantine set. If the revocation list is unreachable, it fails closed.
An operator initiates onboarding from the HUD. The host then pulls its own identity, and the server opens zero inbound connections.
SSH-password push is explicitly rejected. Separation of duties is enforced across keys, so no single key both initiates and authorizes.
Pull, never push
```
# operator initiates from the HUD
host pull identity   # host reaches out
server inbound = 0   # opens nothing
ssh_password_push    # REJECTED
separate(keys)       # duties split
```
A built-in, read-only review that surfaces what it finds and recommends a fix. It cannot carry the fix out itself; every remediation still flows through the existing consent-gated controls.
The review observes and reports. It detects and recommends but takes no action; it cannot self-mint authority. Any remediation it suggests still has to clear the same consent, identity, and signature gates as every other action.
Signature-based and deterministic: the same posture yields the same findings every time. Two reviewers, or a reviewer and an auditor, see the same result, with no model in the decision path.
A read-only look at the hardware posture that reports only what it can actually read and marks everything else unavailable, never a guessed or invented value.
KWAM contains blast radius. It does not claim to prevent every compromise. These risks remain, and we name them:
KWAM is proprietary and licensed directly. Tell us about your fleet and we'll walk the threat model with you.
KWAM is our intellectual property, grounded in Swiss law.
KWAM — its source code, the KWAM language, the JHMM reconstruction orchestrator, the deterministic codec runtime, and all associated AI components — is a proprietary computer program and the sole and exclusive intellectual property of KWAM.CH. As a computer program it is a protected work under the Swiss Federal Act on Copyright and Related Rights (Copyright Act, CopA), and the exclusive rights of use vest in KWAM as employer; it is further protected as a trade secret under the Swiss Federal Act Against Unfair Competition (UCA). KWAM is offered by private licence only. All rights reserved.
CopA (SR 231.1) Art. 2 para. 3 & Art. 17 · UCA (SR 241) Art. 6 · Governed by the laws of Switzerland · Place of jurisdiction: Zürich