Engineered for Integrity.

A deep dive into the Prmana sequence of evidence. Built in Rust for memory safety, anchored in hardware for cryptographic certainty.

THE SEQUENCE OF EVIDENCE

User Node

Prmana Agent
+ TPM 2.0

Signed DPoP Proof

Target Server

sshd + PAM
+ FsAtomicStore

Verification

IdP

OIDC / Entra
JWKS Keys

Prmana performs a three-way cryptographic handshake, ensuring that the token presented matches the hardware that signed it.

Rust-Native

Written entirely in memory-safe Rust. We eliminate 70% of common vulnerabilities (buffer overflows, use-after-free) at the compiler level. No C-based TCB risk.

DPoP Binding

We implement RFC 9449 to provide sender-constraint. Access tokens are cryptographically tethered to the machine's hardware, rendering stolen tokens inert.

Kernel Atomicity

Our JTI/Nonce store uses O_CREAT | O_EXCL filesystem primitives. We leverage the Linux kernel's atomic guarantees to prevent multi-process replay attacks.

// Prmana Engine: Atomic Replay Check
match OpenOptions::new()
    .write(true)
    .create_new(true) // O_CREAT | O_EXCL
    .open(&jti_path) {
    Ok(_) => Ok(Evidence::Verified),
    Err(e) if e.kind() == ErrorKind::AlreadyExists => Err(Error::ReplayDetected),
    Err(e) => Err(Error::IntegrityFailure(e)),
}
View the Source