669 tests across gateway + daemon + installer stack. Zero failures. 65 red team + adversarial attacks defeated. 42 audit findings resolved. Post-quantum ready. On-chain attestation verified.
All test counts verified against actual Rust test output. Every test passes. Zero unsafe code. Zero known CVEs. Full adversarial penetration test passed.
Combined test counts across gateway (16 crates), daemon/shim/cloud security layer, and installer security hardening. All compile with zero warnings.
The ddot security daemon, shim interceptor, and cloud API -- the five security gates that protect every MCP tool call.
| Category | Tests | Coverage Areas | Status |
|---|---|---|---|
| Daemon Security | 68 | IPC handler, config rewrite, symlink attack prevention, cloud sync, watcher debounce, peer credential verification, TOCTOU prevention | PASS |
| CMMC / NIST Compliance | 56 | FAR 52.204-21 (17 practices), NIST 800-171 (14 families), language adherence verification | PASS |
| 12-Category Security Audit | 51 | Secrets, injection, network, auth, input validation, sandboxing, crypto, data protection, access control, audit, output sanitization, dependencies | PASS |
| Red Team (Adversarial) | 40 | Policy cache tampering, nonce reuse, key derivation, signature bit-flip, multi-signer attack, audit chain stress test (50K entries), ciphertext truncation | PASS |
| Gate Logic (5 Gates) | 39 | Ed25519/ML-DSA-65 manifest verification, tool whitelisting, path-normalized capability gating, environment isolation, SHA-256 audit chain | PASS |
| Protocol / JSON-RPC | 37 | MCP initialize, tools/call, tools/list, notifications, batch requests, error codes, deeply nested params, oversized payloads | PASS |
| Authentication | 34 | JWT claims, expiry, algorithm confusion, Argon2id parameters, license key format, session token uniqueness, constant-time comparison | PASS |
| Cloud API | 32 | Signup/login flow, license validation, CORS headers, rate limiting, server registration, tier upgrade, bridge sync | PASS |
| Integration | 30 | Config rewrite, shim injection, IPC message formats, health endpoint, daemon socket path, installer validation | PASS |
| Supply Chain / Crypto | 23 | Hybrid PQC signatures, certificate lifecycle, binary SHA-256, manifest tamper detection, full trust chain E2E | PASS |
| Binary Security | 19 | No hardcoded secrets, no embedded keys, anti-debug, SQL injection rejection, safe error messages, binary size validation | PASS |
| Daemon Total | 429 | ALL PASSING (verified 2026-03-28, 1.30s runtime) | |
Per-category test counts across all 16 gateway workspace crates.
| Category | Tests | Coverage Areas | Status |
|---|---|---|---|
| Memory and Storage | 55 | Embeddings, vector queries, key-value store, reminders, tier isolation, provenance tracking | PASS |
| Sandbox Execution | 54 | Wasm execution, host function isolation, capability gating, skill cache, post-quantum (4 platform-specific ignored) | PASS |
| Gateway Core | 39 | Auth timing safety, pipeline attestation, rate limiting, request routing | PASS |
| Attestation and Signing | 38 | Attestation types, hash verification, entropy sourcing, wire format encoding | PASS |
| CLI and Integration | 31 | Doctor, migrate, purge, audit verify/export, compliance checks | PASS |
| Hardware Root of Trust | 28 | Hardware entropy, attestation pipeline, search integration | PASS |
| Red Team (Adversarial) | 25 | Ring isolation, signing bypass, prompt injection, sandbox escape, credential leak (see Section 3) | PASS |
| Channel Adapters | 53 | Webhook parsing, HMAC verification, message format, splitting, truncation, normalization (WhatsApp, Discord, Telegram) | PASS |
| Audit Trail | 16 | Tamper-evident chain, hash integrity, query by type/severity, persistence | PASS |
| Bridge (Inter-Ring Communication) | 14 | One-way data flow, projections, tiers, heartbeat, attestation updates | PASS |
| End-to-End | 13 | Full server lifecycle, concurrent connections, rate limits, oversized messages (see Section 7) | PASS |
| Integration | 7 | Health endpoint, WebSocket round-trip, attestation endpoints | PASS |
| Total | 373 | ALL PASSING (369 run + 4 platform-specific ignored) | |
Cross-platform installer security tests verifying privilege separation, input sanitization, and permission enforcement across macOS and Windows installers.
| Category | Tests | Coverage Areas | Status |
|---|---|---|---|
| PowerShell Injection Prevention | 8 | Array-form ArgumentList enforcement, command string rejection, special character handling, nested invocation blocking | PASS |
| Config File Permissions | 7 | 0o600 enforcement for config files, 0o700 for directories, permission drift detection, ownership validation | PASS |
| SUDO_USER Sanitization | 6 | Regex validation of SUDO_USER env var, path traversal rejection, null byte injection, special character filtering | PASS |
| License Key Validation | 5 | Format validation, length bounds, character set enforcement, injection attempt rejection, timing-safe comparison | PASS |
| Privilege Separation | 7 | launchctl asuser replacement for su -c, least-privilege execution, privilege escalation prevention, user context isolation | PASS |
| Binary Allowlist | 6 | Explicit binary list in postinstall (no glob), path validation, symlink resolution, unexpected binary rejection | PASS |
| Install Directory ACL | 6 | ACL enforcement on install directories, world-writable rejection, sticky bit validation, ownership chain verification | PASS |
| Installer Total | 45 | ALL PASSING (verified 2026-03-30) | |
Adversarial tests targeting every security boundary. All tests are mandatory CI gates -- any failure blocks merge.
| ID | Test | Attack Vector | Status |
|---|---|---|---|
| RT-01 | Ring 2 cannot write to Ring 1 | Attempt to reverse the one-way bridge. Zero write methods exposed -- enforced at compile time. | PASS |
| RT-02 | Ring 2 cannot open Ring 1 socket | Attempt to open the privileged socket via filesystem. Kernel rejects the operation. | PASS |
| RT-03 | Bridge reader has no FD escalation | Attempt to extract raw file descriptors from the bridge. No public API exposes internal handles. | PASS |
| RT-04 | Prompt injection via skill output | Malicious skill output containing injection payloads. Multi-layer firewall neutralizes the attack. | PASS |
| RT-05 | Wasm cannot read host memory | Sandbox execution receives only declared inputs. No gateway state, no host memory accessible. | PASS |
| RT-06 | Timing sidechannel defeated by fuel | Infinite loop killed by fuel exhaustion. CPU budget derived from skill manifest. | PASS |
| ID | Test | Attack Vector | Status |
|---|---|---|---|
| RT-07 | Unsigned skill rejected | Skill with invalid hash and fake signature. Verifier rejects before execution. | PASS |
| RT-08 | Revoked skill rejected via CRL | Skill signed with a key on the Certificate Revocation List. Rejected at verification. | PASS |
| ID | Test | Attack Vector | Status |
|---|---|---|---|
| RT-09 | Rate limit flood protection | 100-message burst from single attacker. Per-tier rate limiter blocks excess requests. | PASS |
| RT-10 | Cross-user memory isolation | User B queries after User A writes. User B sees zero results. Shard isolation enforced. | PASS |
| RT-11 | Boundary marker injection escaped | Skill attempts to inject fake boundary markers. Firewall validates marker integrity. | PASS |
| RT-12 | Supply chain integrity verification | Verify dependency lock file exists, is valid, and contains all critical security dependencies. | PASS |
| RT-13 | Undeclared capability denied | Deny-all capability set. Undeclared network and filesystem access rejected. | PASS |
| RT-14 | Canary leakage caught | LLM response containing the canary token. Firewall detects and blocks the leak. | PASS |
| ID | Test | Attack Vector | Status |
|---|---|---|---|
| RT-15 | Memory provenance tagged | Memory written by a skill. Provenance metadata verified on read. | PASS |
| RT-16 | No known vulnerabilities | Automated security audit. Zero vulnerabilities found across all dependencies. | PASS |
| RT-17 | Deterministic compilation | Pinned dependencies enable reproducible builds. Lock file committed and validated. | PASS |
| RT-18 | Binary hashable for transparency | SHA-256 hash of compiled binary. Ready for on-chain attestation. | PASS |
| ID | Test | Attack Vector | Status |
|---|---|---|---|
| RT-19 | Ring 1 crate has no Ring 2 dependencies | Dependency analysis confirms Ring 1 cannot import Ring 2 code. Architectural isolation enforced. | PASS |
| RT-20 | Bridge one-way data flow | End-to-end: Ring 1 sends, Ring 2 receives. Reverse direction impossible at compile time. | PASS |
| RT-21 | Projection one-way flow | Ring 1 pushes projection data. Ring 2 receives read-only copies. No write-back path exists. | PASS |
| RT-22 | Enrichment one-way | Ring 1 sends enrichment data. Ring 2 reads merged context. No reverse channel. | PASS |
| ID | Test | Attack Vector | Status |
|---|---|---|---|
| RT-23 | Canary survives prompt construction | Canary token must not appear in constructed prompts. Verified clean on output. | PASS |
| RT-24 | API key never in prompt | Constructed prompts scanned for credential patterns. None found. Credential isolation enforced. | PASS |
| RT-25 | Memory shard cleanup on skill uninstall | Skill writes data, then uninstalled. Zero memories remain. No data residue. | PASS |
ddot enforces a three-ring isolation model. Each ring operates at a different privilege level with strictly controlled communication between them.
```text
RING 1 -- Privileged (Hardware Root of Trust)
+------------------------------------------------+
| Hardware Entropy     | Persistent Memory       |
| On-Chain Attestation | One-Way Writer          |
+------------------------------------------------+
                     | One-Way Channel (write-only)
                     v
RING 2 -- Semi-Privileged (Gateway)
+------------------------------------------------+
| HTTP/WebSocket       | Auth Pipeline           |
| Prompt Firewall      | Rate Limiter            |
| Ed25519 Verify       | Audit Chain             |
+------------------------------------------------+
                     | Sandboxed Execution (deny-all)
                     v
RING 3 -- Unprivileged (Sandbox)
+------------------------------------------------+
| Skill Execution      | stdin/stdout only       |
| No host memory       | No network (unless cap) |
| No filesystem        | Fuel budget enforced    |
+------------------------------------------------+
```
| Property | Description | Test Coverage |
|---|---|---|
| Ed25519 Skill Signing | Three-tier key hierarchy. Skills rejected without valid cryptographic signature. | RT-07, RT-08, attestation tests (38) |
| 5-Layer Prompt Firewall | Input sanitization, boundary markers, canary tokens, output verification, injection detection. | RT-04, RT-11, RT-14, firewall tests |
| Wasm Sandbox | Deny-all capability model. Fuel metering. No host memory access. Explicit grants required per capability. | RT-05, RT-06, RT-13, sandbox tests (54) |
| One-Way Bridge | Ring 1 writes, Ring 2 reads. No reverse channel. Enforced at the type system level. | RT-01, RT-02, RT-03, RT-20, RT-21, RT-22 |
| Hash-Chained Audit Trail | SHA-256 linked chain. Tamper detection. Queryable by type, severity, and user. | Audit tests (16) |
| Per-User Rate Limiting | Token bucket per user per tier. Configurable burst and sustained rates. | RT-09, gateway rate limit tests |
| Memory Isolation | Per-user shard isolation. Provenance tagging. Cleanup on skill uninstall. | RT-10, RT-15, RT-25, memory tests (55) |
Skills execute inside a sandboxed Wasm runtime with a deny-all capability model. No host access unless explicitly granted per-skill via signed manifest.
| Capability | Default | Grant Mechanism |
|---|---|---|
| Network (HTTP) | DENIED | Explicit domain allowlist in skill manifest |
| Filesystem Read | DENIED | Explicit path in skill manifest |
| Filesystem Write | DENIED | Explicit path in skill manifest |
| Host Memory | DENIED | Never grantable |
| Process Spawn | DENIED | Never grantable |
| Environment Variables | DENIED | Never grantable |
| Socket Access | DENIED | Never grantable |
| Inter-Skill Communication | DENIED | Never grantable |
| Property | Enforcement |
|---|---|
| Memory Limit | Bounded linear memory per skill (configurable per manifest) |
| CPU Budget | Fuel metering from skill manifest. Infinite loops killed instantly. |
| I/O Model | Structured input/output only. No other channels. |
| State | Stateless. Each invocation starts fresh. No persistent handles. |
| Cleanup | Instance dropped after execution. Memory zeroed. |
Every skill must be cryptographically signed before execution. The signing chain uses Ed25519 with a multi-tier key hierarchy and certificate revocation.
| Level | Key Type | Rotation |
|---|---|---|
| Root CA | Ed25519 (256-bit) | Offline only |
| Intermediate CA | Ed25519 (256-bit) | Periodic |
| Signing Key | Ed25519 (256-bit) | Per-release |
| Step | Action | Failure Mode |
|---|---|---|
| 1 | SHA-256 hash of Wasm binary computed | Hash mismatch → reject |
| 2 | Ed25519 signature verified against publisher key | Invalid signature → reject |
| 3 | Publisher key checked against CRL | Revoked key → reject |
| 4 | Key expiration checked | Expired key → reject |
| 5 | Attestation record created | Encoding failure → reject |
| 6 | Attestation appended to audit chain | Chain integrity failure → alert |
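The six-step verification procedure above, together with the SHA-256 hash-chained audit trail it feeds (steps 5 and 6), as an added Go example that is not ddot's own code (ddot is Rust; Go is used here because its standard library ships Ed25519 and SHA-256 with no dependencies). The PublisherKey and Attestation types, the CRL modelled as a set of hex-encoded public keys, and signing the hex hash of the binary rather than the raw bytes are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// PublisherKey: what the verifier knows about a signing key (constructed type, not ddot's own).
type PublisherKey struct {
	Pub     ed25519.PublicKey
	Expires time.Time
}

type Attestation struct{ SkillHash, PrevHash, Hash string } // one audit-chain entry
type AuditChain struct{ Entries []Attestation }

func hexSHA256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifySkill runs steps 1-4 and rejects on the first failure. The signature is
// over the hex hash of the binary, so a patched binary fails at steps 1 and 2.
func VerifySkill(wasm []byte, expected string, sig []byte, key PublisherKey, crl map[string]bool, now time.Time) (string, error) {
	h := hexSHA256(wasm)
	if h != expected {
		return "", errors.New("step 1: hash mismatch")
	}
	if !ed25519.Verify(key.Pub, []byte(h), sig) {
		return "", errors.New("step 2: invalid signature")
	}
	if crl[hex.EncodeToString(key.Pub)] {
		return "", errors.New("step 3: publisher key on CRL")
	}
	if !now.Before(key.Expires) {
		return "", errors.New("step 4: publisher key expired")
	}
	return h, nil
}

// Append performs steps 5-6: build the attestation and link it to the chain head.
func (c *AuditChain) Append(skillHash string) Attestation {
	prev := ""
	if n := len(c.Entries); n > 0 {
		prev = c.Entries[n-1].Hash
	}
	a := Attestation{skillHash, prev, hexSHA256([]byte(prev + skillHash))}
	c.Entries = append(c.Entries, a)
	return a
}

// Verify recomputes every link; editing or dropping any entry breaks the chain.
func (c *AuditChain) Verify() bool {
	prev := ""
	for _, e := range c.Entries {
		if e.PrevHash != prev || e.Hash != hexSHA256([]byte(prev+e.SkillHash)) {
			return false
		}
		prev = e.Hash
	}
	return true
}
```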
ddot publishes cryptographic attestations to the Bitcoin blockchain via OP_RETURN transactions. Skill integrity hashes and hardware proof-of-body are permanently recorded on-chain.
| Type | Description | Frequency |
|---|---|---|
| Sigma Merkle | Merkle root of all signed skill hashes. Proves skill integrity at a point in time. | Per attestation tick |
| Proof of Body | Hash of ASIC hardware metrics. Proves physical hardware exists and is operational. | Periodic |
| TXID | Type | Block | Confirmations |
|---|---|---|---|
| 27d638d2215d...cf6ddbaa | Proof of Body | 940,939 | 1,400+ |
| 6f2ea6965942...8a1f2c2d | Sigma Merkle | 940,940 | 1,400+ |
Both transactions use the dd01 magic prefix in a structured wire format. Payloads are independently verifiable on any Bitcoin block explorer.
Hybrid classical + post-quantum signatures via ML-DSA (FIPS 204). Quantum-safe key exchange via ML-KEM (FIPS 203). Backward compatible with Ed25519.
| Level | Classical | Post-Quantum | Combined Signature Size |
|---|---|---|---|
| Classical | Ed25519 only | None | 64 bytes |
| Hybrid Level 3 | Ed25519 | ML-DSA-65 | ~3,373 bytes |
| Hybrid Level 5 | Ed25519 | ML-DSA-87 | ~4,659 bytes |
| ID | Test | Status |
|---|---|---|
| PQC-01 | Hybrid Level 3 sign + verify round-trip | PASS |
| PQC-02 | Hybrid Level 5 sign + verify round-trip | PASS |
| PQC-03 | Classical (Ed25519-only) backward compatibility | PASS |
| PQC-04 | Tampered binary detection | PASS |
| PQC-05 | Minimum security level enforcement | PASS |
| PQC-06 | Expired key rejection | PASS |
| PQC-07 | CRL key revocation | PASS |
| PQC-08 | Dual-family hash independence | PASS |
| PQC-09 | Signature serialization round-trip | PASS |
| PQC-10 | Signature and key size validation | PASS |
Every pull request passes through 10 mandatory gates. Any failure blocks merge. No exceptions.
| Gate | Check | Threshold | Status |
|---|---|---|---|
| 1. Compilation | Full workspace build | 16 crates compile | PASS |
| 2. Test Suite | Full workspace tests | 669 tests pass | PASS |
| 3. Lint | Strict lint with deny on warnings | Zero warnings | PASS |
| 4. Format | Code format check | Consistent formatting | PASS |
| 5. MSRV | Minimum supported version | Backward compatible | PASS |
| 6. Security Audit | Dependency vulnerability scan | Zero known CVEs | PASS |
| 7. Dependency Check | License + advisory compliance | All clear | PASS |
| 8. Red Team | Adversarial security tests | 25/25 pass | PASS |
| 9. CLI E2E | CLI integration tests | 31 tests pass | PASS |
| 10. E2E | End-to-end integration | 13 tests pass | PASS |
Two rounds of security auditing: initial internal audit (12 findings) and full adversarial penetration test (30 findings). All 42 resolved and verified with regression tests.
Full pentest of daemon, shim, and cloud API covering crypto, auth, network, IPC, process security, and general hardening. Conducted 2026-03-28.
| Severity | Found | Resolved | Status |
|---|---|---|---|
| CRITICAL | 5 | 5 | ALL FIXED |
| HIGH | 7 | 7 | ALL FIXED |
| MEDIUM | 9 | 9 | ALL FIXED |
| LOW | 5 | 5 | ALL FIXED |
| INFO | 4 | 4 | ALL FIXED |
| Adversarial Total | 30 | 30 | 100% RESOLVED |
| Finding | Fix | Impact |
|---|---|---|
| AES-GCM nonce from timestamp | Replaced with ring::rand::SystemRandom CSPRNG | Eliminates nonce-reuse risk on fast successive calls |
| Hand-rolled HMAC-SHA256 | Replaced with ring::hmac (formally verified, constant-time) | Applied across daemon, shim, and cloud |
| Raw license key in process env | HMAC-SHA256 derived session tokens, server-scoped | License key never leaves signup response |
| Gate 3 scope bypass via contains() | Path extraction, normalization, starts_with checking | Prevents path traversal and scope stuffing |
| Config rewrite TOCTOU race | O_NOFOLLOW + atomic write via temp + rename | Prevents symlink and race condition attacks |
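The Gate 3 fix in the table above, as an added Go example that is not ddot's code: the substring check behind the finding is shown beside the normalize-then-starts_with check that replaced it, applied to a path extracted from a tools/call params object. The JSON field names, the scope value and the use of slash-separated paths are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"path"
	"strings"
)

// ToolCall is the part of an MCP tools/call request the gate needs (constructed
// shape for this example; the field names are assumptions, not ddot's wire format).
type ToolCall struct {
	Name      string `json:"name"`
	Arguments struct {
		Path string `json:"path"`
	} `json:"arguments"`
}

// scopeAllowsNaive reproduces the pattern behind the finding: a substring test on
// the raw path. Kept here to make the failure mode concrete, not as ddot's current code.
func scopeAllowsNaive(scope, p string) bool {
	return strings.Contains(p, scope)
}

// ScopeAllows is the hardened check: both sides are normalized (".." and "." segments
// collapsed, repeated slashes removed), then the path must equal the scope or sit
// strictly below it. A bare prefix test would still let "/workspace/project-evil"
// through, hence the trailing "/". Clean is lexical only; symlinks are not resolved here.
func ScopeAllows(scope, p string) bool {
	scope, p = path.Clean(scope), path.Clean(p)
	if !path.IsAbs(scope) || !path.IsAbs(p) {
		return false
	}
	return p == scope || strings.HasPrefix(p, scope+"/")
}

// GateToolCall extracts the path from raw tools/call params and applies the hardened
// check. Malformed params and a missing path are denied rather than passed through.
func GateToolCall(scope string, rawParams []byte) bool {
	var tc ToolCall
	if err := json.Unmarshal(rawParams, &tc); err != nil || tc.Arguments.Path == "" {
		return false
	}
	return ScopeAllows(scope, tc.Arguments.Path)
}
```

Because path.Clean does not follow symlinks, a link inside the scope pointing outside it is a separate concern, which is what the O_NOFOLLOW and symlink-resolution fixes elsewhere in this report cover.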
| Finding | Fix |
|---|---|
| JWT secret fallback in production | Panics if DDOT_JWT_SECRET not set. CSPRNG fallback in dev only. |
| CORS permissive() | Explicit origin allowlist via DDOT_CORS_ORIGINS env var |
| License key stored plaintext in DB | SHA-256 hash stored. Raw key returned only once at signup. |
| IPC no peer verification | stream.peer_cred() for UID/PID verification on Unix |
| Non-JSON messages passed through shim | Dropped with security warning. Only valid JSON-RPC processed. |
| Cert pinning fallback to unpinned client | Panics on pinning failure instead of silent degradation |
| Machine fingerprint includes PID | Uses boot time (kern.boottime) for stable identity |
| Severity | Found | Resolved | Status |
|---|---|---|---|
| CRITICAL | 3 | 3 | ALL FIXED |
| HIGH | 4 | 4 | ALL FIXED |
| MEDIUM | 5 | 5 | ALL FIXED |
| Internal Total | 12 | 12 | 100% RESOLVED |
All findings from both audits have regression tests in the CI pipeline to prevent reintroduction.
| Header / Config | Value | Status |
|---|---|---|
| X-Content-Type-Options | nosniff | APPLIED |
| X-Frame-Options | DENY | APPLIED |
| Content-Security-Policy | default-src 'self' | APPLIED |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | APPLIED |
| Server header | Suppressed (no version disclosure) | APPLIED |
| TLS | TLSv1.2+ only, strong ciphers | APPLIED |
Full server lifecycle tests. Each test spins up a real gateway instance, connects via WebSocket, and validates behavior under real conditions.
| ID | Test | Description | Status |
|---|---|---|---|
| E2E-01 | Server starts and binds port | Gateway starts, responds to health check | PASS |
| E2E-02 | WebSocket connection lifecycle | Connect, send message, receive response, disconnect cleanly | PASS |
| E2E-03 | Multiple concurrent connections | 10 simultaneous WebSocket clients, all receive responses | PASS |
| E2E-04 | Rate limiting under load | Burst beyond tier limit, verify throttling kicks in | PASS |
| E2E-05 | Oversized message rejection | Send oversized message, verify rejection with proper close code | PASS |
| E2E-06 | Health endpoint | Health check returns 200 with version info | PASS |
| E2E-07 | Version endpoint | Version endpoint returns current version | PASS |
| E2E-08 | Graceful shutdown | SIGTERM signal, server drains connections then exits | PASS |
| E2E-09 | Auth pipeline integration | Unauthenticated request rejected, authenticated request processed | PASS |
| E2E-10 | Attestation endpoint | Attestation status returns current chain info | PASS |
| E2E-11 | Audit trail queryable | Events written during test are queryable by type and time range | PASS |
| E2E-12 | Reconnection handling | Client disconnects and reconnects, state properly reset | PASS |
| E2E-13 | Full conversation round-trip | Send user message, receive structured response with audit record | PASS |
Cybersecurity Maturity Model Certification Level 1 -- all 17 practices addressed.
| Control | Practice | Status |
|---|---|---|
| AC.L1-3.1.1 | Authorized Access Control | MET |
| AC.L1-3.1.2 | Transaction Control | MET |
| AC.L1-3.1.20 | External Connection Control | MET |
| AC.L1-3.1.22 | Public Information Control | MET |
| IA.L1-3.5.1 | Identification | MET |
| IA.L1-3.5.2 | Authentication | MET |
| MP.L1-3.8.3 | Media Sanitization | MET |
| PE.L1-3.10.1 | Physical Access Limit | MET |
| PE.L1-3.10.3 | Escort Visitors | MET |
| PE.L1-3.10.4 | Physical Access Logs | MET |
| PE.L1-3.10.5 | Physical Access Control | MET |
| SC.L1-3.13.1 | Boundary Protection | MET |
| SC.L1-3.13.5 | Public Access System Separation | MET |
| SI.L1-3.14.1 | Flaw Remediation | MET |
| SI.L1-3.14.2 | Malicious Code Protection | MET |
| SI.L1-3.14.4 | Update Alerts | MET |
| SI.L1-3.14.5 | System and File Scanning | MET |
| Metric | Value |
|---|---|
| Workspace Crates | 16 |
| Total Tests | 669 (619 Rust + 50 TypeScript) |
| Red Team + Adversarial Tests | 65 (40 daemon + 25 gateway) |
| PQC Tests | 10 |
| Security Audit Findings | 42 found, 42 resolved (100%) |
| Unsafe Code Blocks | 0 |
| Known CVEs | 0 |
| License | Proprietary |
| Lint Warnings | 0 (deny-on-warnings enforced) |
| Format Check | Passes |
| On-Chain Attestations | 2 (Bitcoin mainnet, 1,400+ confirmations) |
We take security seriously. If you discover a vulnerability, please report it responsibly.
| Step | SLA |
|---|---|
| Acknowledgment | Within 24 hours |
| Triage | Within 72 hours |
| Fix (Critical/High) | Within 7 days |
| Fix (Medium/Low) | Within 30 days |
| Public Disclosure | 90 days after fix |
| Severity | Reward | Example |
|---|---|---|
| CRITICAL | $2,500 -- $5,000 | Ring isolation bypass, RCE, credential exfiltration |
| HIGH | $1,000 -- $2,500 | Auth bypass, cross-user data access, sandbox escape |
| MEDIUM | $250 -- $1,000 | Rate limit bypass, info leak, DoS vector |