Docs

Security

Sections

Security

Security Overview

Mutant enforces security at compile time and runtime using encrypted artifacts, trust checks, policy-aware execution, and capability-gated built-ins. What to …

Source: docs/SECURITY_LLD.md

Security

Environment Contract

The security model relies on a defined set of environment variables and flags that control execution, trust, and operational behavior. These settings are the …

Source: docs/SECURITY_LLD.md

Security

Quick Reference

This page is a short operational entry point for the security model. What to Check Trust and signing behavior Runtime gate decisions Environment contract …

Source: docs/QUICK_REFERENCE.md

Security

Protection Profiles

Protection profiles define the default trust posture for Mutant execution. Profiles minimal: default-allow for capabilities standard: default-deny risky groups …

Source: security/profile.go

Security

Capability Gating

Some built-ins are gated behind explicit capabilities so that risky operations stay opt-in. This keeps execution predictable: the builtin exists in the …

Source: builtin/builtin.go

Security

Artifact Signing

Artifact signing binds release outputs to trusted build metadata. What It Covers Signature generation for release artifacts Trust verification during runtime or …

Source: security/signing.go

Security

Anti-Tamper

Anti-tamper controls detect integrity issues and apply the configured response policy. Policy Actions warn delay terminate Notes Response behavior should be …

Source: security/response_policy.go

Security

Anti-Debug

Anti-debug controls try to detect instrumentation or hostile execution conditions before sensitive operations run. What to Document Pre-decode checks …

Source: security/antidebug.go

Security

Telemetry

Telemetry records detection and policy decisions so operators can inspect how the security layer behaved. It is the observable trail for the security system: …

Source: security/telemetry.go

Security

Sandbox Detection

Sandbox detection documents the API contract and platform-specific checks used to identify constrained execution environments. The goal here is not to describe …

Source: docs/SANDBOX_DETECTION.md