Capability-scoped, by default

Security is the manifest.

Omega's security model isn't a layer bolted on after development — it's the manifest. Every brane runs against an explicit capability set; nothing the manifest doesn't name is reachable from inside. WASI 0.2 enforces it at the language level, seccomp + Firecracker enforce it at the kernel level, and the hash-chained audit log proves it after the fact.

lang layer: WASI 0.2 capability imports
kernel layer: seccomp · KVM · Firecracker
network layer: allowlist · TLS 1.3 · mTLS
audit: hash-chained · ed25519-signed
At a glance

The properties that matter.

0 ambient authority
No /proc, no /sys, no DNS, no syscall the manifest didn't name. Period.

4 enforcement layers
WASI · seccomp · Firecracker · allowlist. Each is sufficient on its own.

TLS 1.3 in-transit minimum
rustls-only. No OpenSSL. mTLS available for every internal edge.

AGE at-rest, per-tenant
X25519 keys derived from the tenant root. The substrate operator never sees plaintext.

In the manifest

How you describe it.

security-baseline.zgraph.toml
[brane.api]
substrate   = "gaia"
capability  = "standard"
image       = "omega/api:1.4"
# the manifest IS the security policy

In operation

What it looks like running.

$ω security audit --brane api --since 1h
event          count  notable
spawn          412    —
kill           408    graceful · pooled
cap.change     0      —
egress.denied  3      example.evil:443 (×3)
…
$ω security verify-chain --brane api
→ walking 412 events from chain HEAD
✓ all signatures valid (substrate + brane)
✓ no chain breaks
✓ no out-of-order events
✓ HEAD anchored to sigil:omega-audit · block 18,221
default: deny everything; capability is the allowlist
language layer: WASI 0.2 component imports — link-stage enforced
kernel layer: seccomp + KVM (Frontier adds Firecracker jailer)
network: rustls TLS 1.3 · mTLS · allowlist egress
secrets: OpenBao · age-x25519 at rest · per-tenant keys
audit: hash-chained · two-signature · external anchor optional
By design

What this surface does.

Capability surface = security model

If the manifest doesn't name it, the brane can't reach it. WASI 0.2 enforces this at link time, not at runtime.
CAPABILITY

Frontier branes get a kernel boundary

For workloads with real JIT or kernel needs, Firecracker MicroVMs add a hardware-enforced isolation boundary on top of capability-scoping.
JAIL

Hash-chained, signed twice

Spawn, kill, capability change, egress denial — every event enters a hash-chained log with two signatures (brane + substrate). Optionally anchored to Sigil for external audit.
AUDIT

SOC 2 · ISO 27001

The substrate operator passes annual audit. The capability model and audit trail support BAA-aligned and FedRAMP-aligned deployments on Habitat.
COMPLIANCE