Security Isn't an Add-On.
Every operation inside every WeftKit engine image carries a SecurityContext. Every connection is authenticated. Zero trust from the ground up — not bolted on later.
Defense-in-Depth Security
Multiple independent security controls work together. Compromise of one boundary does not bypass others.
SecurityContext
Identity and access context propagated through every component. Every operation inside every engine image carries an authenticated SecurityContext — there are no anonymous operations.
- Identity propagation across all components
- Capability-based permission model
- Audit trail attachment to every operation
- Immutable context — no privilege escalation
Authentication
SCRAM-SHA-256 for password-based authentication. mTLS for service-to-service communication. JWT for API tokens. Hardware security module (HSM) support for key storage.
- SCRAM-SHA-256 password hashing
- mTLS for service-to-service auth
- JWT token validation
- HSM integration for key custody
Authorization (RBAC)
Role-based access control inside every engine image and across the Pool Manager image. Per-database-type authorization. Fine-grained table/collection/key-space permissions with deny-by-default.
- Role hierarchy with inheritance
- Per-resource fine-grained permissions
- Row-level security (Relational)
- Deny-by-default posture
Encryption
AES-256-GCM with per-page nonces for data at rest. Envelope encryption enables O(1) key rotation. TLS 1.3 with ECDHE cipher suites for all network communication.
- AES-256-GCM per-page encryption
- Envelope encryption + key rotation
- TLS 1.3 mandatory on all transports
- Perfect forward secrecy (ECDHE)
Per-Page Encryption with O(1) Key Rotation
Every database page is encrypted with AES-256-GCM using a unique nonce. A master key wraps the per-page data encryption keys (DEKs), enabling key rotation without re-encrypting the entire database.
TLS 1.3 Mandatory. No Exceptions.
All network communication — Standalone server, Pool Manager, Discovery registry, Persistence sync — requires TLS 1.3. Certificate pinning and mTLS available for zero-trust service meshes.
Protection Against Common Threats
Built-in protection for every query language and API surface exposed by WeftKit.
SQL Injection
Parameterized queries enforced at API boundary. No raw string concatenation in query APIs.
NoSQL Injection
Typed query builders for Document/Graph. Operator allowlist prevents arbitrary code execution.
Path Traversal
All file paths canonicalized and jail-rooted before I/O. FileStore uses virtual path layer.
Privilege Escalation
SecurityContext is immutable after construction. No runtime permission grants.
Replay Attacks
TLS session tickets with forward secrecy. Auth tokens have bounded validity windows.
Side-Channel Leaks
Constant-time comparison for secrets. No timing-dependent auth code paths.
Built-In Compliance Helpers
Not just compliant — WeftKit generates the audit evidence and reports you need for certification.
SOC 2 Type II
Tamper-evident audit logs, access controls, and change management documentation built in.
- Immutable audit trail
- Access review exports
- Change log retention
- Automated evidence collection
GDPR
Data residency controls, right-to-erasure helpers, and pseudonymization support at the storage layer.
- Data residency enforcement
- Right-to-erasure API
- Pseudonymization primitives
- Processing records
HIPAA
Encryption at rest and in transit, audit controls, and access monitoring for PHI protection.
- PHI field-level encryption
- Minimum necessary access
- Emergency access procedure
- BAA-ready configuration
Tamper-Evident Audit Logging
Every operation generates an immutable audit entry. Log entries are hash-chained in a Merkle tree, making retroactive modification detectable. Integrate with your SIEM in real time via CDC streaming.
- Every read, write, and schema change logged
- Log entries are append-only with hash chaining
- Tamper detection via Merkle tree verification
- Configurable retention with compression
- Export to SIEM systems (JSON, CEF, LEEF)
- Real-time streaming via CDC integration
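The hash chaining and Merkle verification listed above, as an added example that is not WeftKit's own code: the entry fields, the GENESIS anchor and all function names are assumptions made for illustration. It shows that an in-place edit breaks the chain at the edited entry, while a full rewrite of the log is only caught by comparing against a Merkle root anchored outside the log store.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumed fixed anchor preceding the first entry


def entry_hash(prev_hash: bytes, record: dict) -> bytes:
    """Hash a record together with its predecessor's hash (the chain link)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    # 0x00 prefix separates entry hashes from interior Merkle nodes (0x01).
    return hashlib.sha256(b"\x00" + prev_hash + body).digest()


def append(log: list, record: dict) -> None:
    """Append-only write: each entry commits to everything before it."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "hash": entry_hash(prev, record)})


def first_broken_link(log: list):
    """Index of the first entry whose stored hash no longer matches its
    content and predecessor, or None if the chain is internally consistent."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def merkle_root(log: list) -> bytes:
    """Fold the entry hashes into one root suitable for external anchoring."""
    level = [e["hash"] for e in log] or [GENESIS]
    while len(level) > 1:
        pairs = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
                 for i in range(0, len(level) - 1, 2)]
        level = pairs + ([level[-1]] if len(level) % 2 else [])  # carry odd node up
    return level[0]


def build_sample_log() -> list:
    # Constructed sample entries; the field names are illustrative only.
    log = []
    append(log, {"seq": 1, "actor": "svc-report", "op": "read", "target": "orders"})
    append(log, {"seq": 2, "actor": "alice", "op": "write", "target": "orders"})
    append(log, {"seq": 3, "actor": "alice", "op": "schema_change", "target": "orders"})
    return log
```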