Skrifheim is a Rust world database for signed, versioned, policy-bound facts, branchable worlds, causal provenance, tamper-evident storage, and security-aware query planning.
Built for causal provenance, tamper-evident history, strict release gates, and rootless containers.
skrifheim is a world database.
The 1.0 target is a serious production-ready causal world-state database for applications that need signed, versioned, policy-bound facts; branchable worlds; provenance; classification-aware planning; tamper-evident storage; and CMS integration through typed facts, atomic releases, sanitized projections, and AI artifacts with provenance.
The project is currently at the v0.15.0 implementation stop, with pentest
passes resolved and GitHub verification passed. It is not a usable database
engine.
skrifheim is licensed under the European Union Public Licence 1.2.
| Capability | Status | Notes |
|---|---|---|
| Rust workspace | Active | Edition 2024, resolver 3, Rust stable 1.96.0 pinned. |
| Core crate split | Active | Focused crates for core types, facts, worlds, policy, crypto envelopes, storage metadata, query planning, and CLI orchestration. |
| no_std core policy | Active | Library crates under crates/ use #![no_std] and #![forbid(unsafe_code)]. |
| Dependency policy | Active | cargo deny policy denies wildcard external dependencies and unknown sources. |
| Security reporting | Active | Private-first vulnerability process in SECURITY.md. |
| Release notes | Active | release-notes/RELEASE_NOTES_0.15.0.md records scope, verification, and non-claims. |
| Capability | Status | Notes |
|---|---|---|
| Core IDs and labels | Scaffolded | Tenant, world, fact, entity, predicate, policy, transaction, actor, identity, source, timestamp, and classification types. |
| Fact builder and validation | Scaffolded | Facts carry valid time, evidence, confidence, policy, labels, causal links, and signature sets. |
| World overlays | Scaffolded | Worlds support deterministic metadata identity, parent pointers, depth, added facts, hidden facts, fork, diff, promotion preflight, rollback preflight, and conflict categories. |
| Authority-aware policy context | Scaffolded | Subject, device, and workload context constrain clearance, compartments, releasability, output classification, and aggregate proof metadata. |
| Query-result classification | Scaffolded | Allowed plans propagate output classification, sovereignty, PII-derived state, AI-processing eligibility, and confidence-threshold policy hooks. |
| Index and projection encryption policy | Scaffolded | Secondary, graph, search, vector, columnar, cache, and compaction projection surfaces require projection encryption domains and reject incompatible domain mixing. |
| Memory secrecy boundary | Scaffolded | Secret material enters crypto APIs through bounded non-clone redacted SecretBytes wrappers backed by admitted sanitization clear-on-drop storage. |
| Identity and audit events | Scaffolded | Typed identities, attestation evidence references, break-glass event shape, signed/encrypted audit-log metadata, and actor-attribution checks. |
| Crypto-agile envelopes | Scaffolded | Algorithm IDs, crypto epochs, bounded signature sets, key hierarchy metadata, key lifecycle metadata, encryption-domain metadata, and SHA-3/SHAKE digest policy skeletons exist without locking the database to one permanent algorithm. |
| Storage metadata | Scaffolded | Immutable segment headers validate magic, version, transaction range, and body length; WAL frame headers validate fixed append-only encrypted-frame metadata, non-zero CRC presence, expected-domain binding, and host-file append/read smoke coverage. |
| Query planning primitives | Scaffolded | Query requests become policy decision plans for early read, causality, simulation, and context intents. |
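The header validation described in the storage metadata row above, as an added illustration that is not skrifheim's code: the field layout, the magic value, and the constant names are assumptions made for this example, and the parser uses only inherent integer methods from core so it could sit in a no_std, unsafe-free crate like the ones described.

```rust
// Assumed layout for illustration, not skrifheim's real format (little-endian):
//   magic(4) | version(2) | reserved(2) | tx_first(8) | tx_last(8) | body_len(4)
const MAGIC: [u8; 4] = *b"SKRF";
const HEADER_LEN: usize = 28;
const SUPPORTED_VERSION: u16 = 1;
#[derive(Debug, PartialEq, Eq)]
pub struct SegmentHeader { pub version: u16, pub tx_first: u64, pub tx_last: u64, pub body_len: u32 }
#[derive(Debug, PartialEq, Eq)]
pub enum HeaderError {
    Truncated, BadMagic, UnsupportedVersion(u16), TxRangeInverted,
    BodyLengthMismatch { declared: u32, actual: usize },
}
// Callers pass exactly 8 or 4 bytes, so copy_from_slice cannot panic here.
fn le_u64(b: &[u8]) -> u64 { let mut a = [0u8; 8]; a.copy_from_slice(b); u64::from_le_bytes(a) }
fn le_u32(b: &[u8]) -> u32 { let mut a = [0u8; 4]; a.copy_from_slice(b); u32::from_le_bytes(a) }
/// Validate a segment (header + body) read from untrusted storage. The length
/// check runs first so a truncated file fails closed instead of being indexed
/// past its end; no field is trusted until the checks before it have passed.
pub fn parse_segment_header(segment: &[u8]) -> Result<SegmentHeader, HeaderError> {
    if segment.len() < HEADER_LEN {
        return Err(HeaderError::Truncated);
    }
    if segment[..4] != MAGIC {
        return Err(HeaderError::BadMagic);
    }
    let version = u16::from_le_bytes([segment[4], segment[5]]);
    if version != SUPPORTED_VERSION {
        return Err(HeaderError::UnsupportedVersion(version));
    }
    let tx_first = le_u64(&segment[8..16]);
    let tx_last = le_u64(&segment[16..24]);
    if tx_first > tx_last {
        return Err(HeaderError::TxRangeInverted);
    }
    let body_len = le_u32(&segment[24..28]);
    let actual = segment.len() - HEADER_LEN; // body bytes actually present after the header
    if body_len as usize != actual {
        return Err(HeaderError::BodyLengthMismatch { declared: body_len, actual });
    }
    Ok(SegmentHeader { version, tx_first, tx_last, body_len })
}
/// Serialize a header in the assumed layout; used to build the sample input.
pub fn encode_segment_header(h: &SegmentHeader) -> [u8; HEADER_LEN] {
    let mut out = [0u8; HEADER_LEN];
    out[..4].copy_from_slice(&MAGIC);
    out[4..6].copy_from_slice(&h.version.to_le_bytes());
    out[8..16].copy_from_slice(&h.tx_first.to_le_bytes());
    out[16..24].copy_from_slice(&h.tx_last.to_le_bytes());
    out[24..28].copy_from_slice(&h.body_len.to_le_bytes());
    out
}
```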
| Capability | Status | Notes |
|---|---|---|
| Local gate | Active | scripts/checks.sh runs formatting, shell syntax, doc links, release metadata, engineering policy, modularity, security policy, clippy, and tests. |
| v0.15.0 release gate | Active | scripts/release_0_15_gate.sh runs local checks, dependency policy, RustSec audit, CLI startup, and rootless Podman smoke. |
| Rootless Podman | Active | Containerfile builds and runs the current CLI in a non-root runtime image. |
| Pentest stop rule | Active | Every version has a clean implementation stop before tagging. Root PENTEST.md is temporary findings input and must be removed after resolution. |
| Modularity gate | Active | Non-generated Rust files over 500 lines fail the local gate. |
| Engineering gate | Active | Core libraries must stay no_std, forbid unsafe code, and avoid std imports. |
| Capability | Status | Target |
|---|---|---|
| WAL replay and recovery | Planned | v0.16.0. |
| Quantum-aware digest policy | Scaffolded | SHA-3/SHAKE digest-strength profiles and full-width world/content/manifest digest types before compact IDs become durable storage authority. |
| Immutable segment persistence | Planned | v0.17.0 through v0.20.0. |
| Strict serializable transactions | Planned | v0.21.0 through v0.23.0. |
| Native query parser and execution | Planned | v0.25.0 through v0.28.0. |
| Rebuildable projections | Planned | v0.29.0 through v0.32.0. |
| Crypto-agile manifest signatures | Planned | v0.33.0. |
| Audit proofs and backup/restore | Planned | v0.34.0 through v0.36.0. |
| CMS release primitives | Planned | v0.39.0 through v0.40.0. |
| AI artifact provenance | Planned | v0.41.0. |
| Distinctive security and truth features | Planned | Causal blast-radius invalidation, signed declassification proofs, AI derivation cones, and propagated confidence with mandatory access control are now tracked in the implementation and version plans. |
| Local-first worlds and mission capsules | Planned | v0.42.0 through v0.43.0. |
| Fuzz/property baseline, operations, and hardening | Planned | v0.44.0 through v0.51.0. |
| Standalone legal/compliance passports and placement foundations | Planned | v0.52.0 through v0.55.0. |
| Production release candidate | Planned | v0.56.0. |
| Hyve multi-cell cluster fabric | Planned | v1.1.0 and later. |
- Worlds instead of databases: production, draft, simulation, audit, user-local, and mission worlds are first-class branchable states.
- Facts instead of rows: canonical state is signed, versioned, timed, evidence-bound, and policy-bound.
- Security-aware planning: classification, compartments, releasability, redaction, and rejection are database planning concerns, not application-side decoration.
- Compliance-aware direction: future instance, data, and operation passports let standalone reads, CMS access, exports, indexing, backup, AI processing, placement, replication, and failover respect signed law and compliance packs.
- Tamper-evident direction: WAL, immutable segments, manifests, signatures, and audit proofs are planned as the storage foundation.
- AI is not truth: AI output is planned as derived artifact state with provenance and review, never silent authoritative mutation.
- Truth has blast radius: causal links, declassification proofs, AI derivation cones, and propagated confidence are planned as first-class security controls.
- Strict engineering posture: core crates are no_std, unsafe code is forbidden, external crates require admission, and release stops require pentest review.
Build the workspace:

```sh
cargo build --workspace
```

Run the current CLI:

```sh
cargo run -p skrifheim
```

Expected output:

```text
skrifheim 0.15.0
```

Run the normal local checks:

```sh
scripts/checks.sh
```

Run the v0.15.0 release gate:

```sh
scripts/release_0_15_gate.sh
```

Skip the rootless Podman part only when the host cannot run containers:

```sh
SKRIFHEIM_SKIP_PODMAN=1 scripts/release_0_15_gate.sh
```

Build and run the local container:

```sh
scripts/podman_smoke.sh
```

The current container only starts the CLI and prints build identity. Durable database operation begins in later storage and runtime milestones.
| Crate | Purpose |
|---|---|
| skrifheim | Main crate and CLI entry point. |
| skrifheim-core | IDs, timestamps, labels, values, and shared errors. |
| skrifheim-fact | Signed policy-bound fact model. |
| skrifheim-world | World branch and overlay model. |
| skrifheim-policy | Classification and planner decision model. |
| skrifheim-crypto | Crypto-agile algorithm and signature envelopes. |
| skrifheim-audit | Identity, attestation evidence reference, and audit-event metadata. |
| skrifheim-storage | Storage format and tamper-evident metadata model. |
| skrifheim-query | Query planning primitives. |
| xtask | Project automation helper. |
skrifheim is designed around military-security constraints:
- no god-mode database assumption,
- no unsafe code in core crates,
- no external dependencies without admission,
- no std in core library crates,
- no AI output as authoritative truth,
- no release tag without a clean stop and pentest resolution,
- no legal/compliance-sensitive access, derivation, backup, export, or movement without signed policy inputs and audit proof,
- no root PENTEST.md committed.
See Engineering Policy, Unsafe Policy, Threat Model, and Security Controls.
Each version has a clean implementation stop. When the version criteria are
done, the maintainer runs a pentest for the exact commit and writes temporary
findings to root PENTEST.md. Findings are fixed, PENTEST.md is removed, and
the gates are rerun before any permanent pentest report or tag.
Tags are created only when explicitly requested.
