Kodachi logo KODACHIv9.0.1 · 2026

TECHNICAL WHITEPAPER

Linux Kodachi: A Defense-in-Depth Operating System and Privacy Infrastructure for Network Anonymity and Forensic Resistance

Technical Whitepaper (Public Edition)

Subject: Architecture, security model, and engineering of the complete Linux Kodachi platform: the operating system, the server fleet, and the online service infrastructure
Series: Kodachi 9 ("Queen"), version 9.8.4 (build 319)
Base distribution: Debian 13 ("Trixie"), 64-bit (BIOS + UEFI + Secure Boot)
Author / maintainer: Warith Al Maawali (digi77.com)
Document date: 2026-06-28
Audience: System architects, security researchers, privacy engineers, and technically literate users

Abstract#

Linux Kodachi is not a single program but a complete privacy platform. It spans three tiers: a hardened, Debian-based operating system; a server fleet of VPN, proxy, and authentication nodes on takedown-resistant hosting; and an online service layer at kodachi.cloud that provides verification tools, license management, and software distribution. The design goal is that an ordinary user can reach a strong, verifiable anonymity posture in minutes rather than hours, can verify that the software they run is the software that was published, and can collapse their posture to a safe state instantly under duress.

This paper documents the platform as built, across all three tiers. Tier one (the operating system) is a Rust backend of roughly seventeen single-purpose service binaries plus an eight-binary AI workspace, driven by a single Tauri and Svelte desktop dashboard, shipped as a live ISO in Terminal, Desktop (XFCE), and Minimal editions with an extensive hardening stack (hardened_malloc, tirdad, kloak, AppArmor, USBGuard, a DNSCrypt-only DNS architecture, and over forty kernel sysctl hardening directives). Tier two (the server fleet) is provisioned by twenty-seven Bash scripts across five phases and distributes single-use, session-encrypted VPN configuration "cards" from elastic worker nodes to a master node. Tier three (the online platform) hosts a public verification toolkit (IP, DNS, Tor, fingerprint, domain, and freshness checks), a customer license portal, an access-controlled admin command center, and an in-house downloads platform with live telemetry.

The paper presents Kodachi's threat model and design principles, deep-dives every layer, analyzes the cryptographic and authentication machinery that binds a client to the fleet, documents the end-to-end signing and integrity chain, and closes with a security analysis, a comparison with Tails, Whonix, and Qubes OS, a candid statement of limitations, and a roadmap. The central thesis is that privacy tooling fails most often not because its cryptography is weak but because its operational surface is hard to use correctly and impossible to verify. Kodachi's answer is defense in depth plus operability across the whole stack: every privacy control is a signed, single-purpose, JSON-emitting binary; every binary is verifiable against a published manifest; every dangerous action has a graduated, reversible counterpart; and the same discipline that governs the client extends to the fleet and the cloud services behind it.


1. Introduction and Motivation#

1.1 The problem#

Network privacy on the modern internet is not a single control but a system property. A user who runs a VPN but leaks DNS is not private. A user who routes traffic through Tor but reuses a stable MAC address on a hostile local network is not anonymous. A user who achieves perfect network anonymity but leaves recoverable artifacts in RAM, swap, and browser storage is not forensically safe. Privacy fails at the seams between tools, and those seams are exactly where non-expert users cannot see.

Three structural problems recur across the privacy-tooling landscape:

  1. Assembly burden. Strong anonymity usually requires correctly composing a VPN, Tor, an encrypted DNS resolver, a firewall kill switch, MAC randomization, and anti-forensic storage handling. Each component has its own configuration language and failure modes. Misconfiguration is silent and the cost of a mistake is deanonymization.

  2. Verification gap. Even a user who installs the right tools generally cannot answer the question "is the binary I am about to run the binary the project published, and has it been tampered with?" Without an end-to-end signing and integrity chain, the trust placed in privacy software is faith, not evidence.

  3. No graceful failure. Privacy tools tend to be binary: connected or not, on or off. Real adversarial situations are graduated. A user who detects that something is wrong needs a response that matches the threat, from "block new connections but keep my session" up to "wipe RAM, destroy keys, and power off," without having to improvise under stress.

A fourth problem is structural to the service, not the client: a privacy distribution that depends on third-party VPN providers inherits their logging policies, their jurisdictions, and their willingness to fold under legal pressure. To control that, Kodachi runs its own infrastructure.

1.2 Kodachi's response#

Kodachi treats anonymity as an engineered, observable, and reversible system property, end to end. Its response rests on four commitments:

1.3 Who Kodachi is for#

Kodachi is built for privacy-conscious individuals who need anonymous internet access without becoming network engineers; for security researchers and penetration testers who need a disposable, hardened, instrumented base; for journalists, activists, and others operating in high-risk environments; for government, defense, law enforcement, and intelligence teams, and for critical-infrastructure operators (telecom and regulatory authorities, power and utility networks, hospital networks, and financial-market infrastructure) for whom network isolation and operational security are non-negotiable requirements rather than preferences; and for anyone who needs forensic-resistant computing where the goal is to leave as little recoverable trace as possible.

1.4 How this document is organized#

After the threat model (section 2) and design principles (section 3), the paper is organized in three parts that mirror the platform's three tiers:

The cross-cutting analysis (sections 17 to 22) covers emergency response, a security analysis against the threat model, a comparison with related work, limitations, future directions, and the conclusion, followed by appendices.


2. Threat Model#

A privacy system is only meaningful against a stated adversary. Kodachi is designed against the following adversaries and goals, and explicitly not against others.

2.1 Adversaries Kodachi defends against#

Adversary Capability Kodachi countermeasure
Network observer (local) Passive monitoring on the local link (cafe Wi-Fi, hostile LAN), ARP/DHCP visibility MAC randomization, hostname randomization, firewall kill switch, encrypted DNS, no plaintext DNS leakage, IPv6 disabled by default
Network observer (ISP / on-path) Sees all traffic to and from the client IP; can log destinations Mandatory encrypted tunnel (VPN/Tor/proxy), DNS forced through tunnel, traffic-obfuscation protocols (Shadowsocks, V2Ray, Xray-Reality, Hysteria2)
Censor / nation-state filter Active blocking of known VPN/Tor signatures, deep packet inspection Pluggable obfuscation transports, Tor bridges, protocols engineered to mimic HTTPS (Xray-Trojan) or resist fingerprinting (VLESS-Reality), Mieru for strong national firewalls, an elastic fleet on takedown-resistant hosting
Destination correlation Linking a user's identity across sessions or to a real-world identity Per-session single-use VPS card assignment, Tor exit-node geographic control, surveillance-alliance exclusion (Five/Nine/Fourteen Eyes), multi-instance Tor circuit isolation
Opportunistic local forensics Physical access after shutdown, recovering data from disk, swap, or cold RAM RAM wipe on shutdown (cold-boot defense), swap disable/encrypt, browser-data wipe, secure log deletion, DoD 5220.22-M and Gutmann-style overwrite methods, optional LUKS full-disk encryption with a nuke password
Supply-chain tampering of Kodachi itself Modifying a binary between build and execution RSA-4096 detached signatures per binary, published per-binary BLAKE3 manifest, runtime signature self-verification, signed ISO
Software-level attacker Command injection, path traversal, memory-disclosure attempts against the local services Command whitelisting, dangerous-character filtering, dynamic path detection (no hardcoded paths), Rust memory safety, hardened_malloc, zeroize of sensitive memory, constant-time comparisons
Infrastructure legal pressure Attempting to take down the routing infrastructure through legal channels All worker nodes on DMCA-resistant hosting, elastic fleet (no single fixed node count), single-use session-bound cards that limit what any one node retains

2.2 What Kodachi does not claim to defend against#

Honesty about scope is itself a security feature. Kodachi does not claim protection against:

2.3 Trust assumptions#


3. Design Principles#

Kodachi's engineering is governed by hard rules enforced across the codebase. These are the load-bearing invariants that make the security claims credible.

3.1 Single-purpose, composable services#

Each privacy capability is its own binary with one job: dns-switch manages DNS, tor-switch manages Tor, routing-switch manages multi-protocol routing, integrity-check verifies signatures. Services compose through a shared CLI contract rather than through a monolith, which keeps each component auditable in isolation and keeps the blast radius of any one bug small.

3.2 Uniform CLI and JSON-first output#

Every service is built on a shared cli-core library and shares a common flag contract: -v/--version, -n/--info, -h/--help, and the JSON output family (--json, --json-pretty, --json-human) are available on every service, and most services additionally expose the cli-core global set (-e/--examples, -t/--timeout, and -o/--output-format, which forces text or json). All machine-readable output is JSON produced via serde_json. This uniformity is what lets a single dashboard drive over 150 commands across a dozen backends without bespoke parsing per service: the GUI tunnels almost every call through one generic executor and appends --json.

3.3 Embedded configuration, not external YAML#

Static configuration lives in each service's config.rs, compiled into the binary. External files are reserved for genuinely runtime-generated data (the DNS database, session tokens, profiles), always in JSON. A signed binary with embedded configuration cannot have its behavior silently altered by editing a side-car config file, and there is no YAML parser surface to attack.

3.4 No hardcoded paths or identities#

No service hardcodes a username or absolute path. Locations are detected dynamically through $HOME, $USER, getpwuid, and the XDG conventions. This prevents an attacker from predicting and pre-seeding paths, and it lets the same binary run correctly for any user.

3.5 Execution-folder containment#

Every service confines its file I/O to its own base directory (temp, cache, logs, output, config subfolders derived from base_dir.join(...)). Services do not write to /tmp or scatter artifacts. For a privacy tool this is essential: uncontrolled temporary files are forensic residue.

3.6 Memory safety and no panics in production#

The entire backend is Rust. Beyond the language's memory-safety guarantees, the codebase forbids .unwrap() and other panic-on-error patterns in production paths; errors are handled with ?, match, if let, and contextual fallbacks, enforced by zero-tolerance warning checks at build time. A panic in a privacy service is not merely a crash; it is a denial-of-service vector and potentially a fail-open condition.

3.7 Additive evolution and verifiable change tracking#

Existing code is preserved: new behavior is added alongside old rather than silently refactoring it away, which keeps the audit trail intact. Every change is recorded in an append-only delta log.

3.8 A consistent release profile#

Every Rust crate, services and dashboard alike, builds with the same release profile: opt-level = 3, lto = "thin", codegen-units = 1, panic = "abort", and strip = true. Full link-time optimization is deliberately avoided because it triggers out-of-memory hangs in the build environment; thin LTO is the tuned compromise.


Part I: The Operating System#

4. Architecture at a Glance#

Kodachi employs a three-tier, service-oriented architecture. Part I covers the client device; Parts II and III cover the fleet and the cloud.

4.1 The layers (client side)#

  1. GUI layer (Tauri 2 + Svelte 5 + Vite). The Kodachi Dashboard, a single desktop application presenting every capability through three layouts (Full, Lite, Circle) plus a Security Operations Center (SOC) page and the AutoShield first-boot hardening wizard.
  2. Orchestration layer (dashboard hooks). The dashboard/hooks/ directory: the compiled Rust binaries, their JSON configuration (DNS database, Tor config, session tokens, and 96 operation profiles), centralized logs, and result files. In production this lives at /opt/kodachi/dashboard/hooks/.
  3. Backend services layer (Rust). Roughly seventeen standalone service binaries, two shared libraries (cli-core, auth-shared), the logs-hook signed logging binary, and the kodachi-ai workspace (8 binaries plus 13 libraries), plus two bundled third-party binaries (oniux, tun2socks). Section 5 gives the precise accounting.

4.2 Control and data flow#

The control plane runs top-down: a user action invokes a Tauri command, which executes the relevant signed Rust binary with the right subcommand, captures its JSON on stdout, and renders the result. Every invocation is logged centrally through logs-hook.

The data plane is separate and runs through the routing stack: user traffic is captured by routing-switch and steered into the selected transport (a native VPN interface, a tun2socks shared tunnel for proxy protocols, or Tor via redsocks), with DNS forced through the same tunnel and continuously checked for leaks.

User action ─▶ Tauri Dashboard ─invoke()▶ Rust command handler ─exec▶ signed service binary
                                                                          │
                                                                          ├─ stdout JSON ─▶ Dashboard ─▶ User
                                                                          └─ audit ─▶ logs-hook

User traffic ─▶ routing-switch ─▶ {VPN tun0/wg0 | tun2socks(localhost:300xx) | Tor via redsocks} ─▶ exit ─▶ Internet
                                          │
                                          └─ dns-switch (encrypted, in-tunnel) ─▶ dns-leak (continuous verification)

5. The Rust Backend and Third-Party Components#

All Rust services follow the patterns in section 3: embedded configuration, JSON-first output, dynamic path detection, a uniform CLI, no .unwrap(), and the shared release profile.

5.1 The complete project inventory and how to count it#

Kodachi 9 comprises 26 Kodachi-authored binaries plus 2 bundled third-party binaries, for 28 signed release binaries in total. Because several different but valid counts circulate, this paper states the full reconciliation explicitly:

In addition there are 2 shared libraries (cli-core, auth-shared) and the kodachi-ai workspace's 13 internal libraries, which are not standalone binaries. Separately from the signed-release count, the dashboard's executor enforces an invocation allow-list of 27 permitted hook-binary names; that list is not identical to the 26 authored binaries (it excludes the dashboard, which cannot invoke itself, and it includes the third-party oniux plus the oniux-launcher script wrapper that sets up Linux namespaces before handing off). The top-level release hook directory ships oniux; the launcher exists in the hooks scripts/livebuild install paths. Anything not on the list cannot be invoked. Wherever this paper says "the services," it means the 17 standalone Kodachi service binaries unless stated otherwise.

5.2 Shared foundations#

5.3 Security services#

5.4 Network services#

5.5 Infrastructure services#

5.6 The Kodachi AI workspace#

kodachi-ai is a Rust workspace providing a natural-language command interface. It comprises eight binaries (ai-cmd, ai-trainer, ai-learner, ai-admin, ai-gateway, ai-discovery, ai-scheduler, ai-monitor, whose crate directories carry longer kodachi- names but whose shipped binaries use the short forms) and thirteen internal libraries spanning core inference, an NLP engine, a learning engine, a command registry, a SQLite data layer, voice and vector operations, and gateway logic. It runs models locally through two inference paths: the bundled essential models (an intent classifier and the all-MiniLM-L6-v2 embedding model with their tokenizers) are ONNX models run through the ONNX Runtime and ship in the binary pack, while larger conversational models are distributed in GGUF format, downloaded after installation, and run through a separate llama.cpp-compatible runtime. Keeping the assistant local-first is a security decision: an AI assistant for a privacy OS that phoned home would be self-defeating. The engine is tiered for cost and accuracy, escalating from a near-instant keyword/TF-IDF match, to the bundled ONNX intent classifier and semantic model, to the local GGUF conversational model, and only optionally to an external model if the user explicitly configures one. A dedicated gateway classifies every AI-invokable command into passive, active, and dangerous tiers, applies per-agent rate limiting and an audit trail, and requires a short-lived approval ticket before any dangerous operation runs, so an AI agent cannot silently perform destructive actions.

5.7 Third-party components#

Kodachi bundles two third-party binaries that are signed at release alongside the Kodachi-authored ones:

Several further third-party components are used but ship as ordinary system packages rather than signed Kodachi binaries: the Tor daemon itself, HAProxy (Tor load balancing), redsocks (Tor transparent proxying), and dnscrypt-proxy (encrypted DNS). The proxy server binaries (V2Ray, Xray, Hysteria2, Mieru) and the Pi-hole installer ship in the offline package cache (section 9) for no-internet installation, but are not part of the signed release manifest.

5.8 Retired projects#

Three earlier AI and desktop workspaces (kodachi-claw, zero-claw, and zeroclaw-desktop) were retired on 2026-05-18 and moved to a rust-archive/ tree. They are no longer built, signed, or shipped. The formerly standalone AutoShield hardening application was merged into the main dashboard on 2026-06-01, so there is now a single GUI application rather than two.

6. The Desktop Dashboard#

The Kodachi Dashboard is the single interface to the entire client stack, built on Tauri 2, Svelte 5, SvelteKit, and Vite. As of the 2026-06-01 consolidation it is the only GUI application. Its frontend uses a custom token-based CSS theme rather than a utility framework. The shipped binary is roughly 25 MB because the Svelte frontend is embedded; a binary near 23.5 MB is a tell-tale sign of an incorrect dev-mode build that would try to serve a local dev URL instead of the embedded UI.

6.1 Layouts and the SOC page#

The dashboard ships three interchangeable layouts that all drive the same backend services and share the same settings, session, and notification state; the user picks one at the welcome screen and can switch at any time. They differ in how much they show on screen and how much memory they keep resident, so the choice is about the operator's needs and the machine's resources, not about feature lock-in. A capability removed from a smaller layout's surface is hidden, not disabled: it is still reachable through the command library or the CLI.

Layout Window Surface Memory profile Best for
Full 1800x1000 The complete tabbed sidebar: every page, sub-page, and the System Monitor group All system data retained Power users, researchers, and anyone configuring or auditing the system in depth
Lite 1400x980 A compact flat-tab sidebar of about seventeen everyday pages with an output panel Heavy system-info cleared, logs/output kept Day-to-day routine use on normal hardware
Circle 820x820 A minimal radial ring of core toggles (auth, MAC, hostname, timezone, DNS, VPN, Tor) plus recovery actions and info modals Most aggressive memory savings, heavy data and logs cleared Small screens, low-resource machines, lock-screen / at-a-glance status, and quick one-tap operations

In short: Full is the everything-visible control center, Lite is the trimmed everyday driver, and Circle is the minimal at-a-glance ring. The same security score, status, and command dispatch sit behind all three, so switching layout never changes what Kodachi can do, only how much of it is on screen and how much RAM the GUI holds.

The SOC page is a live security-monitoring view backed by the kodachi-soc service. It renders a neural-map visualization of the host's security posture, grouping telemetry into themed clusters (network into TCP, UDP, and link; threats into rootkit, persistence, integrity, and hardening) so dense signal does not overlap into illegibility. Its refresh interval is user-selectable and defaults to two minutes, conservatively, so the monitor itself does not become a CPU burden on low-power machines.

6.2 The pages and their controls#

The Full layout organizes roughly forty pages into collapsible sidebar groups; the Lite layout exposes a compact subset of about seventeen as flat tabs, and the Circle layout reduces the same capabilities to a radial set of toggles. The groups below describe the user-facing pages and what each one drives. Every page is a thin front end over one or more of the backend services described earlier (section 5), so the controls listed are surfaced from those binaries rather than reimplemented in the GUI.

Overview. A central monitoring hub showing the live security score (0 to 100), the current network identity (IP, geolocation, ISP), a per-module health grid, and a world-map view of the active exit. The score is a weighted sum across categories (system security, privacy and anonymity, network, authentication, device, advanced privacy, and data protection) with an adaptive denominator: checks that do not apply to the current environment drop out of the maximum rather than counting as failures, so both a live ISO and an installed system can legitimately reach 100 percent. It is read-only apart from a refresh toggle and click-to-copy.

Essentials. The everyday privacy controls, grouped for one-click use:

Advanced. The same capabilities exposed at full granularity, one page per backend service: Favorites (saved commands), Authentication and the Auth Card (session and credential view), Routing, Tor Switch, DNS Switch, Health Control, Workflow Manager, IP Fetch, Online Info, System Tools, and the AI Assistant. Each page drives its namesake service directly with the service's full command set.

System Monitor. A read-only observability group of seven sub-pages: Resources (CPU, memory, disk with history), Processes (a sortable grid with signal controls), Network (connections and per-interface bandwidth), Firewall (nftables and iptables rules), Startup (auto-start services and boot order), Logs (a filterable system-log viewer), and a Full-only Terminal Tools page that launches TUI monitors such as htop and iftop.

Standing surfaces (footer). Health (the issue-first health dashboard), the SOC page (section 6.1), the Notification Center, Settings, About, and the Help Center. The Settings page has four tabs: Appearance (theme, layout, auto-start, sound), Auto Command Runner (scheduled persistent tasks), Security (password and TOTP protection, auto-lock, threat-response level, recovery codes, an audit log, emergency hotkeys, and the visibility toggle for the destroy control), and Backup and Restore (encrypted restic backups with a target selector and verify/restore). The Help Center is a searchable index of every page and includes a step-by-step routing-configuration wizard.

Guarded controls. A lock screen (when protection is enabled) unlocks with password, TOTP, or recovery code under a progressive lockout, and a clearly-marked destroy control is hidden unless explicitly enabled in Settings, with a configurable confirmation style. As in AutoShield, these destructive actions are deliberately gated, never one accidental click away.

6.3 The command-dispatch model#

A defining architectural choice is that the Svelte components are deliberately thin. Almost every backend interaction tunnels through a single generic Tauri executor in services.rs (execute_service_command / execute_binary_command): the front end names a service (a hook binary) and a subcommand with flags, the executor validates the binary against the 27-name invocation allow-list, resolves its path through a fallback chain (environment variable, then the production /opt/kodachi/dashboard/hooks, then the development tree), builds the actual command line, appends --json, runs the binary (with sudo -n when privileged), and returns its output. There are around twenty commands_*.rs handler modules (ai, autoshield, backup, command_runner, destroy, dns, emergency, guard, health, killswitch, library, logs, monitoring, protection, routing, services, soc, startup, terminal, tor), but the heavy lifting funnels through that one path. This is what makes the dashboard maintainable: adding a capability is mostly a matter of exposing an existing binary subcommand, not writing new IPC plumbing.

A drag-and-drop command queue lets users compose sequences with sequential or parallel execution, real-time status indicators, and four output formats (Text, JSON, JSON Pretty, and a human-readable JSON rendering). A centralized Notification Center unifies event and standing notifications with thresholds, muting, snooze, and grouping. Other surfaces include an embedded terminal, a Mobile manager for per-protocol mobile app configuration, a backup and restore tab, and a connectivity troubleshooter.

6.4 AutoShield#

AutoShield is the guided first-boot hardening wizard. It can be armed so that, on next boot, if at least one action is enabled and the terms have been accepted, the welcome countdown pauses and the system auto-runs the selected hardening steps. Its control grid is grouped and collapsible across eight categories (identity, connectivity, DNS, Tor, hardening, hardware, maintenance, and profiles), exposing roughly thirty controls: VPN-protocol selection, DNS modes, torrify variants, identity masking (hostname, MAC, timezone), hardening levels, hardware toggles (Bluetooth, Wi-Fi, webcam, microphone, USB), RAM wipe, auto-updates, the tirdad and kloak modules, cold-boot defense, IPv6 control, and screen-lock. The destructive verbs are excluded from the GUI by design: there is no panic, nuke, paranoid-mode, or kill-network button in AutoShield; destructive actions live only behind the deliberate, graduated emergency controls. Settings persist atomically (mode 0600, with an optimistic-lock revision counter) to a JSON file in the hooks config directory. The Terminal edition has its own separate login-time welcome script under the same AutoShield brand.

7. Authentication and the Client-to-Fleet Trust Model#

Kodachi binds a client to its VPN fleet through a challenge-response protocol implemented in the PHP authentication system on the master node and the online-auth binary on the client. The goals are: confirm liveness and a valid license, bind the session to a specific device, resist replay and brute force, and hand the client a single-use, session-encrypted VPN configuration.

7.1 The handshake#

Phase 1 (Challenge):
  Client (online-auth) ──POST [challenge endpoint] {hardware_id}──▶ Master
  Master: generate a 64-char challenge from 32 cryptographically random bytes
          generate CSRF token, check blocked-user list, store challenge + timestamp
  Master ──{challenge, csrf_token}──▶ Client

Phase 2 (Solve & Validate):
  Client: apply a fixed, deterministic transform to the challenge to derive the solution
  Client ──POST [validate endpoint] {solution, hardware_id, csrf_token, client_version}──▶ Master
  Master: validate JSON, verify hardware_id format, check CSRF, check rate limit,
          verify client-version compatibility, validate solution against stored challenge
  On success:
          invalidate any existing session for the same hardware_id
          create a new hardware-bound session
          assign a VPS card based on the user's tier
          encrypt the card/API key under the session token
  Master ──{session_token, user_group, card_available, api_key}──▶ Client

Phase 3 (Maintenance, when keep-alive is enabled):
  Client local checker: every 5 minutes, verify session state
  Client heartbeat sender: every 15 minutes
  Client ──POST [session endpoint] {heartbeat, session_token, hardware_id}──▶ Master
  Master: verify session + hardware binding, extend expiration

Phase 4 (Authenticated requests):
  Client ──POST [session-check endpoint] {session_token, hardware_id}──▶ Master ──{valid}──▶ Client

The exact server endpoint paths and the precise challenge-to-solution transform are intentionally omitted from this public edition. They add no defensive value when disclosed: the challenge is a public, single-use value with no client secret in it, so the transform is a liveness and anti-replay check, not the credential. Real entitlement rests on license-key validation and hardware-ID binding over the certificate-pinned TLS channel, plus the single-active-session rule.

7.2 Security parameters#

Parameter Value Purpose
Challenge length 64 characters (from 32 random bytes) Cryptographic entropy
Challenge validity 5 minutes Replay resistance
Session: initial 2 hours Limit exposure window
Session: heartbeat extension 8 hours per heartbeat; validate/check actions extend by 2 hours Keep active sessions alive
Session: maximum lifetime 24 hours Hard ceiling
CSRF token expiry 1 hour CSRF resistance
Handshake rate limit 20 attempts, then a 10-minute lockout Brute-force resistance
Transport channel cert-pinned HTTPS / TLS Channel confidentiality and server authenticity
Payload and at-rest encryption AES-256-GCM, ChaCha20-Poly1305 Application-layer and auth-cache confidentiality
Device binding hardware-ID hash Tie session to device

The handshake rate limit is keyed on the hashed hardware ID, with a ceiling of twenty attempts before a ten-minute lockout (the ceiling was deliberately raised from a stricter default to tolerate retry cascades through Tor and VPN). A separate, stricter throttle (10 attempts per IP per 15 minutes, 5 per key, with a one-hour block) governs the distinct license-activation endpoint (section 15), not this handshake; the two should not be conflated. The client-to-master channel runs over certificate-pinned HTTPS, so the AES-256-GCM and ChaCha20-Poly1305 ciphers above are the application-payload and local auth-cache encryption rather than the wire transport.

The hardware binding is central: a stolen session token is useless without the matching device hash, and only one active session is permitted per device, so a successful authentication elsewhere immediately invalidates the original. The device identifier is a privacy-preserving one-way hash computed locally; raw hardware details never leave the machine, which is what lets device binding work without the server learning anything about the user's hardware.

A note on the challenge construction: the reverse-and-hash step provides liveness and replay protection within the five-minute window. The entitlement decision itself rests on license-key validation and hardware-ID binding carried over the certificate-pinned TLS channel, together with the single-active-session rule. The handshake is slated to move to an HMAC or signature-based construction in a future revision.

7.3 Server-side field encryption#

Sensitive request metadata is encrypted at rest on the server side using public-key cryptography. The server holds only the public key, so it can encrypt incoming data but cannot read it back, which limits what a compromise of stored data can reveal.

8. Routing, Tunneling, and DNS#

8.1 The twelve protocols#

Kodachi's routing-switch supports twelve routing and tunneling protocols, organized by how they attach to the network stack.

Protocol Type Default port Attachment Primary use
OpenVPN VPN UDP (operationally mutable) native tun0 General privacy, corporate-style VPN
WireGuard VPN UDP (operationally mutable) native wg0 High-performance, mobile
Tor Anonymity 9050 (client-local) redsocks (iptables NAT) Maximum anonymity
Dante SOCKS5 operationally mutable tun2socks Application-level proxy
Shadowsocks Proxy operationally mutable tun2socks Censorship bypass
V2Ray (VMess) Tunnel operationally mutable tun2socks Advanced obfuscation
Xray-VLESS Tunnel operationally mutable tun2socks Fast, lightweight
Xray-VLESS-Reality Tunnel operationally mutable tun2socks Advanced censorship resistance
Xray-Trojan Tunnel operationally mutable tun2socks HTTPS mimicry
Xray-VMess Tunnel operationally mutable tun2socks V2Ray compatibility
Mita / Mieru Tunnel dynamically assigned tun2socks Strong national-firewall bypass
Hysteria2 UDP operationally mutable tun2socks High-latency / lossy networks

Native VPNs own their own kernel interfaces. Tor is attached through redsocks and iptables redirection. Every proxy-style protocol is attached through a shared tun2socks tunnel, each mapped to its own distinct localhost port range. Because the tun2socks protocols share one routing interface, two of them cannot be layered simultaneously; a native VPN, however, can be layered with Tor (for example WireGuard or OpenVPN first, then Tor forced on top). Mita is Kodachi's integration layer over the upstream open-source Mieru protocol, engineered specifically to resist strong national-firewall fingerprinting.

A note on ports: the server-side listening ports for every transport are operationally mutable and are rotated in production in response to ISP-level and censor-level filtering, which is why this paper does not publish the live port numbers. The architectural contract is the protocol set and the attachment model, not any specific port; the only fixed value shown is the standard client-local Tor SOCKS port, which is not remotely reachable. Clients discover the current ports from their signed configuration card, not from a fixed table.

8.2 Routing and DNS modes#

The default routing mode is Direct, which installs the tunnel route as the preferred default route and keeps the original route only as a high-metric recovery path in the current tun2socks code. A Metric mode keeps the original route as an intentional lower-cost fallback for resilience at the cost of a potential leak. Direct remains the strongest default, but the kill-switch guarantee comes from the surrounding leak checks and health-control response, not from the absence of any backup route in the kernel route table.

DNS handling has four modes: auto (DNS flows naturally through the tunnel, the safe default), hybrid (the VPN server's DNS bypasses the tunnel), strict (all DNS is forced through the tunnel), and system (DNS bypasses the tunnel entirely, a leak risk). Direct routing with auto or strict DNS gives the strongest posture, and dns-leak runs continuously to confirm it is holding.

8.3 Tor exit control#

tor-switch exposes fine-grained exit-node control: single country, random, random-worldwide, by continent, and by traffic-volume class, each with a matching exclusion control. Of particular note are the surveillance-alliance selectors, which let a user either target or, more usefully, exclude the Five Eyes (US, GB, CA, AU, NZ), Nine Eyes (adding DK, FR, NL, NO), or Fourteen Eyes (adding DE, BE, IT, ES, SE) jurisdictions. Multi-instance management with per-instance and global timer-based IP rotation rounds out the surface, and load balancing across instances supports round-robin, weighted, and consistent-hashing (client-affinity) modes, with an additional HAProxy application-level layer.

8.4 Encrypted DNS#

DNS can run through DNSCrypt (local or remote, IPv4 and IPv6), through Pi-hole layered on DNSCrypt for combined ad-blocking and encryption, or over Tor for anonymous resolution. The reputable provider set includes Cloudflare, Quad9, AdGuard, OpenDNS, NextDNS, and CleanBrowsing, with IPv4 and IPv6 endpoints, and the runtime database extends well beyond these. The operating system ships configured for DNSCrypt-only resolution (section 9.2), so even a misconfiguration cannot silently fall back to a cleartext resolver.

9. The Live System: Editions, Packages, Tuning, and Hardening#

Kodachi ships as a live bootable ISO that can run amnesically from USB or DVD, be installed to disk with encrypted partitions, or run in a virtual machine. This section documents what is actually in the image.

9.1 Editions and package sets#

The build system is overlay-based: a shared Common base (around 46 explicit packages: live-boot, NetworkManager, OpenSSH, git, build-essential, restic, and core utilities) feeds three distributable editions, with an ARM64 edition scaffolded but not yet shipping.

9.2 The hardening stack#

Kodachi layers multiple independent hardening mechanisms, several enabled by default:

9.3 Kernel and system tuning#

A single sysctl profile (/etc/sysctl.d/99-kodachi-hardening.conf, loaded last) applies over forty hardening directives drawn from the Kernel Self-Protection Project and CIS benchmarks. Highlights: kernel pointer and dmesg restriction (kptr_restrict=2, dmesg_restrict=1), disabled unprivileged BPF and restricted perf events, disabled kexec loading, the full set of protected-symlink/hardlink/fifo/regular filesystem protections, ptrace scoping (yama.ptrace_scope=1), a core-dump pattern that discards dumps to prevent information leaks, increased ASLR entropy (mmap_rnd_bits=32), and a network stack hardened with reverse-path filtering, disabled source routing and ICMP redirects, SYN cookies, and martian logging. IPv4 forwarding is intentionally enabled because VPN and Tor routing require it. For memory hygiene against cold-boot and use-after-free exposure, the hardened boot path can also enable init_on_free=1 so freed memory is zeroed.

At boot, a small, deliberate set of systemd units is enabled (Bluetooth conditional-disable, user-group setup, IPv6 link-local flush, encrypted-swap activation, Plymouth first-boot theming, the tirdad loader, and live-session cleanup). The service binaries themselves are on-demand CLI tools, not always-on daemons.

9.4 The build pipeline and offline cache#

Builds always go through a single wrapper script (build-iso.sh), never a bare lb build, because the wrapper synchronizes overlays into the build config, refreshes templates, and verifies boot-theme assets first. It offers graduated build modes from a fast cache-preserving build through a full production "purge" build that pulls from clean Debian mirrors. The image is not assembled from a frozen snapshot: live assets (Conky configuration, the XFCE theme, icons, fonts, and browser profile) are synchronized from the build host's running system on every build, which keeps the shipped desktop identical to the tested one.

The build runs a set of hook files in numeric order across phases (pre-bootstrap, package installation, system configuration, security finalization, cleanup, and a final binary-installation hook); the count is edition-dependent, around 49 for the Terminal edition and around 67 for the Desktop edition (the shared common hooks plus each edition's own). The final hook copies the prebuilt, signed Rust binaries from an offline cache into place and enables only the small set of core boot units. An offline package overlay bundles the proxy tools (V2Ray, Xray, Hysteria2, Mieru), dnscrypt-proxy, the Pi-hole installer, the precompiled Rust binary pack, and a set of cached external GUI applications for the desktop edition (LibreWolf as the default hardened browser, VeraCrypt, the Monero GUI, the Session messenger, OpenSnitch application firewall, and developer tools), so a freshly booted system can be fully provisioned with no internet access.

9.5 Versioning#

A note on versioning that frequently confuses observers: 9.0.1 is the architectural and licensing baseline, but the three product channels (binary pack, terminal ISO, desktop ISO) each carry an independently advancing nightly build stamp, so the live development stamp reads as a higher number (for example in the 9.8.x range) even though the licensed major version remains 9. The stamp advances under a weighted policy combining the three channels: a release's weighted points are the binary-pack build count at half weight plus the terminal-ISO and desktop-ISO build counts at full weight, with every five weighted points advancing the patch level, nine patches rolling into the next minor, and nine minors into the next major. A single 9.0.1-scheme license covers the entire 9.x.x series.

10. The Integrity, Signing, and Verification Chain#

The claim that a user can verify that the code they run is the code that was shipped rests on a concrete, end-to-end chain that spans the build host, the download server, and the running system.

10.1 Signing at build time#

Every Kodachi-authored binary is signed with an RSA-4096 key pair. The private key is held only by the maintainer and never ships; the public key ships everywhere. Each binary gets a detached OpenSSL signature (over a SHA-256 digest) plus a human-readable verification report (.sig.info) recording the SHA-256 hash, author, version, and timestamp. Twenty-eight release binaries are signed before packaging: the twenty-six Kodachi-authored binaries plus the two bundled third-party binaries. The ISO itself is signed with a detached signature by the same toolchain.

10.2 Verification at runtime and at download#

10.3 Two hash algorithms, two purposes#

Kodachi uses BLAKE3 for the per-binary integrity manifests produced by the integrity-check tool, including the published generated_hashes-v9.0.1.json, chosen for speed. SHA-256 is used only for the .sig.info reports and the digest over which the RSA signature is computed. BLAKE3 and SHA-256 both render as 64 hex characters, so the manifest superficially looks like SHA-256 but is not; running sha256sum against a file and comparing it to the manifest produces a guaranteed false "integrity mismatch." The correct verification uses b3sum (or the integrity-check tool itself) against the manifest, and OpenSSL over the SHA-256 digest against the signature. A separate plain SHA-256 sidecar of the distributed tarball is checked with sha256sum in the normal way.


Part II: The Server Infrastructure#

11. The VPS Fleet and Provisioning System#

Kodachi does not resell a third party's VPN; it runs its own elastic fleet, and that fleet is itself a hardened, scripted, reproducible system.

11.1 Topology and node roles#

There is always exactly one master node; the worker tier scales on demand, currently a master plus a handful of workers, with the production worker count deliberately not published as part of the contract. The worker nodes are treated as disposable infrastructure: beyond routine log wiping, the entire fleet is periodically torn down and rebuilt from clean images rather than maintained in place, so no routing node is long-lived and none carries state across rebuild cycles. The architecture defines four node roles.

Node role Responsibility Key services
Master Central management and authentication gateway Apache/PHP, HAProxy front, DNSCrypt server, card-distribution API, DNS API, session management
Worker VPN/proxy card generation and tunnel termination OpenVPN, WireGuard, Shadowsocks, V2Ray, Xray, Hysteria2, Dante, Mita/Mieru, Tor
Hosting Web infrastructure Apache, SSL, management panels
All nodes (foundation) Universal hardening fail2ban, AIDE, DNSCrypt, Tailscale mesh, CSF firewall

All worker nodes run on DMCA-resistant hosting so the routing layer survives legal pressure that would shut down conventional providers. The nodes are connected to each other over a Tailscale mesh for management. Tiers map by hostname prefix: premium-tier hosts to the VIP card pool, free-tier to the normal pool, and dedicated-tier to the custom pool.

11.2 Provisioning: twenty-seven scripts in five phases#

A node is brought up by twenty-seven Bash scripts (around nineteen mandatory plus a set of optional ones) executed in five phases, configured from shared environment files (ports.env for central port allocation, server-config.env for node settings) and shared function libraries.

  1. Foundation and hardening (vps-initial-setup.sh, csf_setup.sh, node-tuner.sh, dnscrypt_setup.sh, tailscale_setup.sh): BBR TCP congestion control, a one-million file-descriptor limit, a non-standard SSH port, fail2ban, AIDE, kernel sysctl hardening, unattended security upgrades, the ConfigServer firewall, the encrypted DNS resolver, and the Tailscale management mesh. The encrypted resolver and the mesh are foundational, all-node services auto-invoked by the initial setup script rather than VPN-tier services.
  2. Web and PKI (apache-routine-setup-master.sh, apache-ipv6-setup.sh): Apache 2.4+, the Browscap browser-classification database, the PKI key store, IPv6 dual-stack, and the security headers and CSP for the web tier.
  3. VPN services (openvpn-setup.sh, wireguard-setup.sh, tor_setup.sh): the encrypted tunnels and the Tor relay/bridge with redsocks and HAProxy.
  4. Proxy services (shadowsocks_setup.sh, v2ray_setup.sh, xray_setup.sh, dante_setup.sh, hysteria2_setup.sh, mita_setup.sh): the obfuscation and SOCKS layers, each on its allocated port from ports.env.
  5. Synchronization, cards, and health (lsyncd_setup.sh, card-generator.sh, vps-services-health-check.sh): card synchronization to the master, cron-driven card generation, and continuous service health monitoring.

Optional scripts cover DNS-API management (Porkbun), the Virtualmin control panel and its security hardening, Let's Encrypt automation, Netdata and ntopng monitoring, a dedicated DDoS detection and auto-ban script, and a DNSCrypt-plus-BIND integration.

11.3 The card lifecycle#

A "card" is a JSON document containing complete, ready-to-use configuration for every service on a node: OpenVPN and WireGuard configs with node-specific endpoints, Dante and Shadowsocks credentials, Xray, V2Ray, Hysteria2, Mita, and Tor service details, and DNS settings, alongside node metadata. The lifecycle is designed to minimize exposure:

  1. A worker generates plain-JSON cards on a configurable cron cycle (a few times per hour). Each worker independently maintains a healthy per-node card buffer for its tier with a low-water refill policy and capacity-skip logic, so an exhausted pool is never force-allocated. Because the buffer is per node, the tier pool scales with the number of active workers rather than thinning as nodes are added.
  2. Cards are pushed to the master by lsyncd, which watches the card directory with inotify (no polling) and synchronizes over SSH as a restricted syncuser on a non-standard port with key-only authentication.
  3. On authentication, the master selects a card from the tier-appropriate pool (uniformly at random, under a global assignment lock so concurrent requests cannot double-allocate), encrypts it into an AES-256 ZIP keyed by the session token, delivers it over HTTPS, and deletes the card from the pool. Cards are single-use.
  4. The client decrypts the card in memory using its session token and never persists the key.

A note on the encryption boundary: the AES-256 ZIP protects the card in transit and against casual exposure, and the single-use plus short-session-lifetime design keeps the exposure window small. Card assignment has been audited and confirmed uniform across nodes.

11.4 Apache and PKI#

The master's web tier is Apache 2.4+ with PHP, fronted by HAProxy. A PKI key store outside the web root holds the RSA-4096 keys used for field-level encryption (section 7.3), the live session and CSRF data, the license records and their audit chain, and the admin data. Any web deploy to the master must be followed by a post-upload routine that fixes ownership, rebuilds the access-control rules, and gracefully reloads Apache; skipping it produces 403 errors. Sensitive directories carry obfuscated names and restrictive permissions, and direct access to library and config PHP files is denied.


Part III: The Online Platform (kodachi.cloud)#

The public web platform is both a marketing and verification front end and the operational control plane for licensing and distribution. It runs on the master node's Apache and PHP stack, with private data held outside the web root.

12. The Public Verification Toolkit#

Kodachi publishes a suite of browser-accessible tools so that a user can independently verify their privacy posture rather than take the OS's word for it. These are the "online tools" the platform offers.

Supporting these are a Tor-exit detector, a tightly whitelisted and rate-limited CORS proxy (GET-only, restricted to Kodachi and partner domains), an aggregated security-news feed from around a dozen reputable sources, and a release-metadata manifest that drives the downloads page and the wiki changelog.

All of these are read-only verification surfaces. They share a multi-tiered caching strategy, CORS locked to Kodachi domains, and the same encryption discipline for any sensitive data they touch.

13. The Customer License Portal#

The customer-facing license portal is a self-service web application reached through an obfuscated, link-only directory (its URL is revealed on the post-purchase page and in the support FAQ rather than published broadly). It uses a key-based credential model with no accounts and no sign-up: the customer never creates a username, email login, or profile. The license key itself is the only credential, pasted directly (up to twenty keys at once), so a customer can check their license and nodes while remaining anonymous, the portal never asks who they are.

After validation, a customer sees a license dashboard: a tier banner ("you are in the Premium group, N nodes available"), a per-key info card (tier, price paid, purchase date, devices used and allowed, and an expiry gauge that shows days remaining or a version ceiling colored by urgency), with any sibling seats from a multi-key order shown prefix-masked. A "Your Nodes" panel lists the group-scoped VPN nodes with country and flag, IP, and a per-tier available-card count, plus per-node service up/down status loaded asynchronously after first paint. A transaction-history table shows one row per order, and a downloads section links to the installer and release notes. A release function lets a customer free all device activations for a key (with a type-to-confirm guard) so the license can be moved to another machine.

The portal mirrors the master's card-assignment routing exactly (the same license-group, custom-VPS, and pool mapping logic that get_card.php uses), so what a customer sees matches what they would actually be assigned. It is built for privacy and abuse-resistance: it never returns activation IPs, masks sibling keys, validates an HMAC checksum before any disk lookup (the real brute-force barrier), suppresses error output that could leak file paths, and enforces a shared per-IP lockout (ten failed lookups trigger a one-hour lock that covers both the info and status endpoints). Its theme matches the neon-green-on-black house style.

14. The Admin Command Center#

The administrative dashboard is a single-page application behind an obfuscated, access-controlled directory protected by HTTP Basic Auth plus per-admin TOTP two-factor authentication, with login tracking. It is the operational control plane for the whole licensing and fleet-routing system, backed by a dedicated set of internal API endpoints.

Its surfaces include: an overview of active licenses, users, sessions, and node health; full license-key management (generate in bulk with tier, device limit, and expiry basis; list with time-left gauges; modify, revoke, delete, reactivate, and transfer); user management (blocked, VIP, and custom lists, batch reassignment, and pool assignment); VPS and pool management (add, modify, remove, and status nodes, set per-node card limits, view card usage, and define the pool-to-hostname mappings that enforce tier isolation); payment configuration for both payment gateways (sandbox toggles, credentials, and price overrides); a version-rules engine (client-version allow and block ranges); an admin messaging system that can target all clients, a specific hardware key, or a client-version range (among other target types) and is delivered to clients through the license-status endpoint they poll after authentication; branded short-link management; and an audit log of admin actions and logins. The admin interface shares the neon-green-on-black house color of the rest of the platform and is distinguished from the customer portal by its layout and content rather than its palette; it carries its own CSP and no-index headers.

A standing operational rule governs the messaging system: because a broadcast target reaches every live user, testing is always done against a specific test hardware key, never a broadcast.

15. The Licensing and Payment Model#

Kodachi 9 uses an annual licensing model. Pricing is Premium at 99 USD per device per year (mapped to the VIP card pool) and Dedicated at 600 USD per device per year (mapped to the custom pool, sold by sales policy in quantities of roughly five to fifty devices, though the key generator itself permits any device count from one to ninety-nine); the free tier requires no license and uses the normal pool. A license key has the form of four random groups followed by a checksum group: the four random groups draw on a reduced alphabet that omits visually ambiguous characters, and the fifth group is a hexadecimal HMAC checksum derived from a server secret. Keys are stored as individually hashed JSON records in a private directory with an accompanying audit chain.

Annual keys are time-based: the key carries a 365-day validity that is stamped on first activation rather than at issuance, and the validity of a time-based key is governed by time rather than version, which lets one license cover the entire 9.x series and beyond. (A version-and-time key, by contrast, keeps a real version cap.) Activation runs through a defined sequence: rate-limit and format check, HMAC checksum before any disk lookup, hardware and company block checks, honeypot detection, status check, version-compatibility check, time-expiry check, and finally device-binding against the per-key device limit; a matching release endpoint frees a device binding so the license can be transferred. Payment flows through two gateways, and the key-minting paths for both, plus the admin-issued path, are kept in sync so they all issue the same annual key shape. Pricing is enforced consistently across the payment and admin paths so that issuance and billing cannot drift.

16. The Downloads Platform and Wiki#

Software distribution is in-house rather than delegated to a third-party host. The downloads page presents the three editions (Desktop ISO, Terminal ISO, and the binaries tarball) plus a Trends tab, all as accessible tabs. A dependency-free canvas chart renders download trends (daily, weekly, monthly, and yearly, with peak markers and tooltips) from a time-series endpoint, alongside by-country and by-OS breakdowns. Every download flows through a gating script that validates the file, tags it with geolocation (IP to country via a bounded cache with an API fallback) and OS (from the user agent), and atomically updates a persistent JSON catalog of counts, time series, and geo breakdowns. The actual ISO and binary files sit behind access-controlled directories that enforce the gate. The release metadata (the version manifest, the per-binary hash manifest, and the changelog) ships as an atomic three-file set, and the binary pack with its hash sidecars and public key lives under a dedicated downloads path.

A public MkDocs wiki documents the project: an overview and architecture, installation and per-edition guides, a binary-overview and per-binary CLI reference generated to JSON, a FAQ, a changelog rendered from the same release metadata with build-count charts, and a post-purchase landing page that reveals the customer portal link. The entire public platform follows one house theme (pure black, neon green, and the Orbitron typeface), with cache-busting version strings on assets so live changes take effect.


Cross-Cutting Concerns#

17. Emergency Response and Anti-Forensics#

This subsystem is what most distinguishes Kodachi from a conventional privacy bundle. It assumes things will go wrong and that the user needs a graduated, reversible, present-operator response.

17.1 The four-level response ladder#

Level Name Trigger Automatic actions
1 Suspicious activity Anomaly or unusual network pattern Alert and log
2 Confirmed threat Verified malicious activity or auth failure Soft panic: block new connections, preserve the session
3 System compromise Unauthorized access or integrity failure Medium panic: kill all connections, wipe browser data, randomize MAC
4 Critical breach Root compromise or encryption failure Hard panic: wipe RAM, destroy keys, immediate shutdown

17.2 Panic modes and the kill switch#

The three panic modes form a clear escalation. Soft blocks new connections but preserves the existing session, allowing immediate recovery. Medium kills all network, wipes browser data, and randomizes the MAC, requiring re-authentication to recover. Hard adds RAM wiping, encryption-key destruction, and a forced shutdown, requiring a cold boot from clean media. Independently, the kill switch has three explicit states (arm, activate, disarm), so the instant-disconnect capability can be staged ready without firing and stood down without consequence. Separating "arm" from "activate" is a usability-as-safety decision: the destructive capability is one deliberate step away, never one accidental click. The session helper binds these to anti-spoofed keyboard shortcuts (a configurable press-and-hold) so a present operator can trigger them without the GUI. For coercion scenarios, Kodachi also supports a LUKS "nuke" password that, when entered at the disk-unlock prompt instead of the real passphrase, destroys the LUKS key slots and renders the encrypted volume unrecoverable (a timestamped, separately-encrypted header backup is kept so the legitimate owner can restore deliberately), and a duress mode that presents a decoy screen rather than the real desktop.

17.3 Data-destruction standards#

Kodachi implements multiple overwrite methods matched to data sensitivity: a single zero pass for quick sanitization, configurable multi-pass random overwrites for general use (the shred-based tiers run one, three, or seven passes), the three-pass DoD 5220.22-M pattern (zeros, then ones, then random, with verification) for high-sensitivity data, and a simplified Gutmann-style multi-pass overwrite built in. The full thirty-five-pass classic Gutmann method is available through the optional nwipe integration rather than the built-in routine. RAM wiping defends against cold-boot attacks and can run automatically on shutdown; swap can be disabled or encrypted; browser data and logs can be securely deleted. Sensitivity levels map to defaults: session tokens get a single zero pass at session end, browser cache a random pass on medium panic, keys the DoD pattern on hard panic or logout, and full-drive multi-pass sanitization is always user-initiated and never automatic.

18. Security Analysis#

This section evaluates Kodachi against the threat model of section 2. The table is the scannable summary; the prose gives the reasoning and the residual risk for each adversary.

Adversary Primary mitigations Residual risk Confidence
Local network observer MAC/hostname randomization, encrypted DNS, tunnel-preferred (Direct) routing with continuous leak checks and a health-control kill switch, IPv6 disabled Local traffic timing and volume analysis; a tunnel is observable High
ISP / on-path observer Mandatory encrypted tunnel, in-tunnel DNS, obfuscation transports Obfuscation is an arms race; no transport is permanently undetectable Medium-High
Censor / nation-state filter Pluggable transports, Tor bridges, Mieru, elastic takedown-resistant fleet A censor blocking discovery/auth endpoints can deny bootstrap Medium
Destination correlation Single-use session-bound cards, hardware-bound sessions, Tor exit and alliance exclusion, circuit isolation Global passive end-to-end correlation (out of scope) Medium
Opportunistic post-shutdown forensics RAM wipe on shutdown, swap encryption, browser/log wipe, multi-pass overwrite, LUKS with nuke password Assumes orderly shutdown or present operator; a seized running machine is not covered High
Supply-chain tampering RSA-4096 signing, BLAKE3 manifest, runtime self-verification, signed ISO Trusts maintainer key custody and the first public-key fetch High
Software-level attacker (local) Rust memory safety, hardened_malloc, no-panic discipline, command whitelist, input filtering, zeroize, constant-time compare The PHP web tier is a larger, separate attack surface High (core) / Medium (web tier)
Infrastructure legal pressure DMCA-resistant hosting, elastic fleet, single-use cards Operational, not cryptographic; a determined legal/technical attack on bootstrap endpoints remains a risk Medium

Against the local network observer, Kodachi removes the cheapest deanonymizers (a stable MAC and hostname), disables IPv6 to eliminate a whole leak class, and ensures DNS never crosses the local link in clear text. Direct routing makes the tunnel path preferred and is paired with leak checks plus health-control kill-switch response. Residual risk: local timing and volume analysis is not addressed.

Against the ISP or on-path observer, all traffic is in a tunnel with DNS bound to it, and the obfuscation protocols raise the cost of identifying the traffic. Residual risk: obfuscation is an arms race.

Against the censor, pluggable transports, bridges, Mieru, and an elastic takedown-resistant fleet give multiple independent paths through a filter. Residual risk: a censor who blocks the discovery and authentication endpoints can deny bootstrap; mitigations there are operational (fleet elasticity, domain rotation).

Against correlation, single-use session-bound cards, hardware-bound sessions, exit control with alliance exclusion, and circuit isolation reduce linkability. Residual risk: a global passive adversary remains out of scope.

Against opportunistic forensics, RAM wipe, swap encryption, browser and log wiping, standardized overwrite methods, and LUKS with a nuke password leave little recoverable residue. Residual risk: these assume an orderly shutdown or a present operator.

Against supply-chain tampering, the RSA-4096 signing chain, the BLAKE3 manifest, and runtime self-verification detect a modified binary before it runs and a tampered download before it installs. Residual risk: the model trusts key custody and the first public-key fetch.

Against software-level attackers, Rust memory safety, the hardened allocator, the no-panic discipline, command whitelisting, input filtering, dynamic path detection, zeroize, and constant-time comparisons close the common local-attack classes. Residual risk: the PHP server tier is a larger, more conventional attack surface, defended in depth (rate limiting, CSRF tokens, field-level encryption, input validation, HMAC-before-lookup, TOTP on the admin tier) but distinct from the Rust core.

The overall picture is a platform that is strong and honest at the layers it claims, with clearly stated boundaries at the layers it does not. Defense in depth means the failure of any single layer degrades gracefully rather than collapsing the whole.

Tails is amnesic-by-default and routes everything through Tor, with an intentionally minimal and locked-down surface. Kodachi can also run amnesically from live media, so amnesia is not the dividing line. The real distinction is the anonymity model: Tails commits to one fixed Tor-only path, while Kodachi offers many transports beyond Tor (twelve routing protocols, an owned VPN fleet, bring-your-own configs) and a far larger operational surface for users who need to choose their anonymity tradeoff. The cost is a larger surface to use correctly; the benefit is adaptability to censored or Tor-hostile environments.

Whonix achieves strong anonymity through a two-VM split (a gateway that forces all traffic through Tor and a workstation that cannot learn its own IP), which is very robust against IP leaks. Kodachi takes a single-system, service-oriented approach: rather than isolating the network in a separate VM, it isolates capabilities into separate signed binaries and uses tunnel-preferred routing, continuous leak detection, and a health-control kill switch to enforce the no-leak property. Whonix's isolation is structurally stronger against accidental leaks; Kodachi's is lighter-weight, runs on bare metal as a live system, and integrates VPN and obfuscation that Whonix leaves to the user. Notably, Kodachi borrows hardening directly from the Whonix and Kicksecure lineage (tirdad, kloak, hardened_malloc).

Qubes OS pursues security by compartmentalization, isolating activities into separate virtualized domains. It is the strongest of the three against software compromise because a breach within one qube is contained to that qube's isolation domain, provided the Xen hypervisor and the GUI domain themselves remain uncompromised. Kodachi does not attempt VM-level compartmentalization; its threat model centers on network anonymity and forensic resistance rather than on containing arbitrary software compromise, and it explicitly cedes the "contain a root compromise" goal that Qubes is built to meet.

In short, Tails optimizes for amnesic Tor simplicity, Whonix for leak-proof Tor isolation, and Qubes for compromise containment, while Kodachi optimizes for operable, verifiable, multi-transport anonymity with graduated forensic resistance, backed by infrastructure it owns. Kodachi's most differentiating features (the owned takedown-resistant fleet with single-use session cards, the twelve-protocol obfuscation set, the end-to-end signing chain with runtime self-verification, the four-level graduated emergency ladder, and the public self-verification toolkit) are not the focus of any of the three.

20. Limitations and Known Gaps#

21. Future Directions#

Signed-baseline anomaly detection. The host SOC monitor's detection is evolving toward a signed known-good baseline of autostart and file-integrity state, diffed against the live system, so the question shifts from "is this an expected artifact" to the stronger "has this changed since the system was known good."

Stat-gated BLAKE3 file-integrity monitoring. Continuous monitoring that uses cheap filesystem metadata as a gate, computing the BLAKE3 hash only when metadata changes, so integrity monitoring can run continuously without the cost of rehashing an unchanged filesystem.

Stronger handshake construction. Binding the handshake response to a client-held secret through an HMAC or signature construction, so the handshake itself proves possession of a credential rather than relying on the surrounding controls.

Expanded public documentation. Continuing to broaden the published operator and recovery documentation alongside the architecture material in this paper.

Evolving the transport set and the ARM edition. Treating the obfuscation transport set as something to keep extending as censorship evolves, and finishing the scaffolded ARM64 edition.

22. Conclusion#

Linux Kodachi is an argument that privacy is an engineering and operability problem as much as a cryptography problem, and that the argument must hold across an entire platform rather than a single binary. Its cryptography is sound and conventional (RSA-4096 signing, AES-256-GCM and ChaCha20-Poly1305, BLAKE3 and SHA-256 integrity, RSA-OAEP field encryption, hardware-bound challenge-response over cert-pinned TLS), and it deliberately avoids inventing its own primitives. The distinguishing contribution is the composition across three tiers: a hardened operating system of signed, single-purpose, JSON-emitting Rust services driven by one consistent dashboard; an owned, scripted, takedown-resistant server fleet that hands out single-use, session-encrypted configuration; and an online platform that lets anyone verify their own privacy posture, manage their license, and obtain software through a chain they can check.

The platform is honest about its boundaries. It does not claim to defeat a global passive adversary, to survive compromised hardware, or to contain an arbitrary software breach the way a compartmentalized OS does. Within the envelope it claims, network anonymity, leak prevention, verifiable integrity, and forensic resistance for a present operator, it is a defense-in-depth system whose layers fail gracefully and whose controls are designed to be used correctly under stress. That combination of depth, ownership, and operability across the whole stack is Kodachi's reason to exist.


Appendix A: Complete Component Inventory#

Rust service binaries (17 standalone)#

Sizes below are the deployed, stripped production binaries (/opt/kodachi/dashboard/hooks/). The unstripped development builds in the source tree are substantially larger; the strip = true release profile is what produces these shipped sizes.

Binary Approx. shipped size Role
health-control 15 MB System health, emergency response, anti-forensics
routing-switch 9.6 MB Multi-protocol routing (12 protocols)
tor-switch 8.3 MB Tor management (60+ commands)
dns-switch 6.6 MB DNS control (1000+ servers, DNSCrypt, Pi-hole)
online-info-switch 6.3 MB Online information hub
dns-leak 5.4 MB DNS leak detection
online-auth 4.5 MB Challenge-response authentication
ip-fetch 4.5 MB IP geolocation, multi-provider fallback
workflow-manager 4.3 MB Batch automation from JSON templates
conky-status 4.1 MB Desktop widget data gateway (self-verifying)
integrity-check 3.7 MB Signature and hash verification (BLAKE3 + SHA-256)
kodachi-soc 3.6 MB Read-only host SOC, MITRE ATT&CK
deps-checker 2.9 MB Dependency verification
kodachi-session-helper 2.4 MB X11 emergency-shortcut daemon (anti-spoofing)
permission-guard 2.0 MB File-permission monitoring
global-launcher 2.0 MB Binary deployment with rollback
logs-hook 1.7 MB Centralized logging

Other Kodachi-authored binaries#

Shared libraries#

Bundled third-party binaries (signed at release)#

Counts#

17 services + 8 AI binaries + 1 dashboard = 26 Kodachi-authored; + 2 third-party = 28 signed binaries.

Appendix B: Cryptographic Standards#

Purpose Algorithm
Binary and ISO signing RSA-4096 over a SHA-256 digest (detached OpenSSL signatures)
Client-to-master transport cert-pinned HTTPS / TLS
Application payload and auth-cache encryption AES-256-GCM, ChaCha20-Poly1305
Session card encryption AES-256 (session-token-keyed ZIP)
Server field-level encryption RSA-4096 OAEP, hybrid with AES-256-GCM for large fields (public-key-only on server)
Per-binary integrity manifest BLAKE3 (generated_hashes-*.json, verify with b3sum)
Signature reports and signed digest SHA-256 (.sig.info, openssl dgst -sha256)
Memory hardening hardened_malloc (GrapheneOS), zeroize of sensitive buffers
License key checksum HMAC-SHA256 (server secret)
Comparisons constant-time equality

Appendix C: VPS Provisioning Scripts (by phase)#

Phase Representative scripts
1. Foundation and hardening vps-initial-setup.sh, csf_setup.sh, node-tuner.sh, dnscrypt_setup.sh, tailscale_setup.sh
2. Web and PKI apache-routine-setup-master.sh, apache-ipv6-setup.sh
3. VPN services openvpn-setup.sh, wireguard-setup.sh, tor_setup.sh
4. Proxy services shadowsocks_setup.sh, v2ray_setup.sh, xray_setup.sh, dante_setup.sh, hysteria2_setup.sh, mita_setup.sh
5. Sync, cards, health lsyncd_setup.sh, card-generator.sh, vps-services-health-check.sh
Optional Porkbun DNS API, Virtualmin + security, Let's Encrypt, Netdata, ntopng, DDoS auto-ban, DNSCrypt+BIND

Appendix D: Glossary#

Appendix E: References#

URLs are provided for verification; access date 2026-06-28.

  1. Aumasson, J-P., Neves, S., Wilcox-O'Hearn, Z., Winnerlein, C. "BLAKE3: one function, fast everywhere." https://github.com/BLAKE3-team/BLAKE3
  2. U.S. Department of Defense. "National Industrial Security Program Operating Manual (NISPOM), DoD 5220.22-M." (Media sanitization overwrite standard.)
  3. Gutmann, P. "Secure Deletion of Data from Magnetic and Solid-State Memory." 6th USENIX Security Symposium, 1996.
  4. MITRE Corporation. "MITRE ATT&CK." https://attack.mitre.org
  5. Dingledine, R., Mathewson, N., Syverson, P. "Tor: The Second-Generation Onion Router." 13th USENIX Security Symposium, 2004. https://www.torproject.org
  6. The Tor Project. "oniux: Linux namespace isolation for routing applications through Tor." https://gitlab.torproject.org/tpo/core/oniux
  7. Donenfeld, J. A. "WireGuard: Next Generation Kernel Network Tunnel." NDSS 2017. https://www.wireguard.com
  8. OpenVPN Inc. https://openvpn.net
  9. "Shadowsocks." https://shadowsocks.org
  10. "Project X (Xray-core): VLESS, VMess, Trojan, REALITY." https://github.com/XTLS/Xray-core
  11. "V2Ray / V2Fly." https://www.v2fly.org
  12. "Hysteria2." https://v2.hysteria.network
  13. "Mieru." https://github.com/enfein/mieru
  14. "tun2socks." https://github.com/xjasonlyu/tun2socks
  15. "DNSCrypt." https://dnscrypt.info
  16. "Pi-hole." https://pi-hole.net
  17. GrapheneOS. "hardened_malloc." https://github.com/GrapheneOS/hardened_malloc
  18. Whonix / Kicksecure. "tirdad, kloak, system hardening." https://www.whonix.org
  19. Microsoft. "ONNX Runtime." https://onnxruntime.ai
  20. "llama.cpp (GGUF model format)." https://github.com/ggml-org/llama.cpp
  21. The Tails Project. "Tails: The Amnesic Incognito Live System." https://tails.net
  22. The Qubes OS Project / Rutkowska, J., Wojtczuk, R. "Qubes OS Architecture." 2010. https://www.qubes-os.org
  23. Nakamoto, S. "Bitcoin: A Peer-to-Peer Electronic Cash System." 2008. (Referenced as a model of concise whitepaper structure.)
  24. The Calamares Project. "Calamares: distribution-independent installer framework." https://calamares.io
  25. ConfigServer. "CSF: ConfigServer Security & Firewall." https://configserver.com/cp/csf.html

This document describes the complete Kodachi platform as verified against the live repository and operational playbooks as of 2026-06-28. Port numbers, worker counts, and obfuscated directory names are operational details that change or are intentionally withheld; the architecture, security model, and verification chain are the stable contract.