secure_data_format

package module

v1.0.0 Latest Latest Go to latest Published: May 31, 2026 License: MIT Imports: 14 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/0TrustCloud/secure_data_format

Links

Open Source Insights

README ¶

Secure Data Format (SDF)

SDF is a high-performance, polymorphic cryptographic token engine designed for zero-trust architectures. It standardizes structured logs, permission grants, and hardware proof-of-possession assertions into a single, unified, and cryptographically verifiable data format.

Architecture Overview

SDF acts as a universal state machine. It consumes OpenGraph-style scripts, compiles them into structured payloads, hashes them into a deterministic state root, and persists them via the ultimate_db transactional storage layer.

Core Features

Polymorphic Execution: A single engine handles logs (LOG), capability grants (GRANT), and device authentication (POP).
Cryptographic State Integrity: Every token is automatically hashed (state_root_hash) and signed (RS256), creating an immutable trail of state transitions.
Transactional Persistence: Integrates directly with ultimate_db using 2PL (Two-Phase Locking) to ensure atomicity across World State and Transaction Ledgers.
Hardened Parsing: Includes a recursive, depth-limited parser to mitigate DoS/Stack Overflow vectors in dynamic script evaluation.

Installation

go get github.com/0TrustCloud/secure_data_format

Quick Start

1. Initialize the Engine

The engine is decoupled from storage via the ultimate_db.KVStore and ultimate_db.LockManager interfaces.

engine, err := securedataformat.New(myKVStore, myLockMgr, "issuer-id", privateKey)

2. Compile an Execution Script

SDF uses an OpenGraph-style syntax for dynamic contract definition.

script := `
    grant:access.capability#vault-01(
        scope("read")
        conditions:mfa.required("true")
    )
`

tx := securedataformat.DataInvocation{
    TargetAddress: "vault-manager",
    Caller:        "user-admin",
    Method:        "DELEGATE",
    Profile:       securedataformat.ProfileGrant,
}

token, err := engine.CompileSecureData(script, tx)

Security Design

Feature	Protection Mechanism
Replay Attacks	Automatic JTI generation & nonce sequencing.
Data Tampering	Canonical JSON state hashing (SHA-256).
DoS Attacks	Strict recursive AST depth limiting (max 25).
Concurrency	2PL via `LockManager` for ACID-compliant state writes.

Storage Integration

SDF commits to ultimate_db using a bimodal approach:

World State (state:<profile>:<address>): Current snapshot of the target resource state.
Transaction Ledger (transaction_ledger:<profile>:<address>:<nonce>): Immutable receipt of the execution footprint.

License

MIT

Documentation ¶

Index ¶

type DataInvocation
type Element
- func (e Element) Eval() string
type Node
type Parser
- func NewParser(src string) *Parser
- func (p *Parser) Parse() ([]Node, error)
type SecureDataContext
type SecureDataEngine
- func New(store ultimate_db.KVStore, lockMgr ultimate_db.LockManager, issuer string, ...) (*SecureDataEngine, error)
- func (sde *SecureDataEngine) CompileSecureData(script string, tx DataInvocation) (string, error)
type Text
- func (t Text) Eval() string
type TokenProfile

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type DataInvocation ¶

type DataInvocation struct {
	TargetAddress string                 `json:"target_address"`
	Caller        string                 `json:"caller"`
	Nonce         uint64                 `json:"nonce"`
	Method        string                 `json:"method"`
	Profile       TokenProfile           `json:"profile"`
	Args          map[string]interface{} `json:"args"`
}

type Element ¶

type Element struct {
	Tag        string
	Attributes map[string]string
	Children   []Node
}

func (Element) Eval ¶

func (e Element) Eval() string

type Node ¶

type Node interface{ Eval() string }

type Parser ¶

type Parser struct {
	// contains filtered or unexported fields
}

func NewParser ¶

func NewParser(src string) *Parser

func (*Parser) Parse ¶

func (p *Parser) Parse() ([]Node, error)

type SecureDataContext ¶

type SecureDataContext struct {
	W          http.ResponseWriter
	R          *http.Request
	Claims     map[string]interface{}
	TokenNonce string
}

type SecureDataEngine ¶

type SecureDataEngine struct {
	Store   ultimate_db.KVStore
	LockMgr ultimate_db.LockManager
	Mux     *http.ServeMux
	// contains filtered or unexported fields
}

func New ¶

func New(store ultimate_db.KVStore, lockMgr ultimate_db.LockManager, issuer string, privateKey *rsa.PrivateKey) (*SecureDataEngine, error)

New instantiates the synthesis engine using pluggable interface contracts.

func (*SecureDataEngine) CompileSecureData ¶

func (sde *SecureDataEngine) CompileSecureData(script string, tx DataInvocation) (string, error)

type Text ¶

type Text string

func (Text) Eval ¶

func (t Text) Eval() string

type TokenProfile ¶

type TokenProfile string

const (
	ProfileStructuredLog TokenProfile = "LOG"
	ProfileGrant         TokenProfile = "GRANT"
	ProfileProofOfPoss   TokenProfile = "POP"
)

Source Files ¶

View all Source files

engine.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL