reference
QUICK REFERENCE
Canonical policies, reference sheets, migration matrices, and source-of-truth documentation.
Context Rail
Tags and Themes
On This Page
Mutant Security Quick Reference
What is protected
Mutant now ships with layered anti-tamper and hardening controls for the signed artifact, runtime, and risky builtins.
Core controls
- Signed artifact verification
- Signer pinning is enforced in secure mode when
--signer-authis enabled. - Trusted signer key source is
runtime setting(or local bootstrap fallback if unset). - Compatibility mode verifies embedded signature validity only.
- Payload confidentiality
- Bytecode is protected with AES-GCM plus offset-aware stream masking.
- Password-based builds use Argon2id derivation.
- Runtime integrity
- VM integrity checks run periodically, with seeded jitter and sweep probes.
- Tamper detection triggers policy-driven response and telemetry.
- Anti-debugging
- Pre-decode and pre-execution debugger checks run in the launcher path.
- Platform-specific heuristics are used under
security/antidebug_*.
- Builtin capability gating
- Risky builtin groups are default-denied unless explicitly allowed.
- Groups:
command_exec,filesystem,network.
- Release attestation
- Standalone release artifacts use a V3 trailer.
- Trailer fields include payload checksum, canary, build profile code, and provenance hash.
- Remote process scan policy gate
- Optional remote scan manager can run in
off|observe|enforcemode. - Enforce mode blocks only on critical verdicts.
Protection profiles
Set runtime setting to control default posture.
minimalDefaults tamper response to
warn.Defaults risky builtin groups to allow-all unless explicitly constrained.
standardDefault when unset or invalid.
Keeps secure mode fail-closed and compat mode warn-by-default.
Risky builtins default to deny unless explicitly allowed.
paranoidDefaults tamper response to
terminate.Risky builtins default to deny unless explicitly allowed.
Explicit runtime configuration settings still win:
runtime settingruntime setting
Useful runtime configuration settings
runtime settingruntime settingruntime settingruntime settingruntime settingruntime settingruntime settingruntime settingruntime settingruntime settingruntime settingruntime setting
Artifact format
Signed .mu envelope:
MUT |-| ENCODED_DATA |-| SIGNATURE_HEX |-| PUBLIC_KEY_HEX |-| ANT
Standalone release trailer V3:
MUTANTBC | version | payload_len | payload_sha256 | canary | profile_code | provenance_sha256
Operational defaults
- Secure mode: terminate on tamper unless explicitly overridden.
- Compatibility mode: warn on tamper unless explicitly overridden.
- Dev mode: compatibility posture with local password fallback.
- New release builds emit V3 trailers.
Quick checks
- Unexpected builtins blocked? Check
runtime settingandruntime setting. - Signature failure? Check trusted key pinning and release signer chain.
- Integrity failure? Treat as active tamper.
- Release artifact mismatch? Check trailer profile code and provenance hash.