Security Model

UltraSushiTron is designed with security as the primary constraint. Every architectural decision prioritizes secret protection over convenience.

Threat Model

ThreatMitigation
Compromised AI model exfiltrates secrets Zero-knowledge core: AI never sees plaintext secrets. Values injected at execution time, wiped immediately.
Network attacker intercepts secrets Secrets agent has no network access. Communication via Unix socket only. E2E encryption for mobile.
Malicious plugin accesses secret store WASM sandbox blocks all network and secret store access. Capability-enforced isolation.
Replay attack on approval flow Nonce-consuming authentication. Each challenge nonce valid for 30 seconds, single use only.
Unauthorized secret access Every access requires explicit user approval via mobile app with full context display.
Tampered audit logs SHA-256 hash-chained entries with Ed25519 signatures. Any modification breaks the chain.
Vault encryption key theft Key derived via Argon2id from user passphrase. Never stored on disk.
Man-in-the-middle on mobile X25519 ECDH key exchange + AES-256-GCM payload encryption. TLS required in production.

Cryptography

Ed25519 β€” Digital Signatures

  • Key size: 32-byte private, 32-byte public
  • Signature size: 64 bytes
  • Used for: WebSocket challenge-response auth, audit log signing
  • Provides authentication and non-repudiation

X25519 β€” Key Exchange

  • Algorithm: Elliptic Curve Diffie-Hellman (ECDH) on Curve25519
  • Used for: Deriving shared secrets between mobile app and secrets agent
  • Ephemeral keys per session for forward secrecy

AES-256-GCM β€” Authenticated Encryption

  • Key size: 256 bits (32 bytes)
  • Nonce size: 96 bits (12 bytes)
  • Used for: Vault encryption at rest, E2E payload encryption
  • GCM mode provides both confidentiality and integrity

Argon2id β€” Key Derivation

  • Algorithm: Argon2id (hybrid of Argon2i and Argon2d)
  • Used for: Deriving vault encryption key from user passphrase
  • Memory-hard to resist GPU/ASIC attacks
  • Key is derived at startup and held only in memory

SHA-256 β€” Hash Chains

  • Used for: Audit log integrity chain
  • Each entry includes the hash of the previous entry
  • Any tampering breaks the chain and is detectable

WASM Plugin Sandbox

Third-party plugins execute in a WebAssembly sandbox with capability-based security:

Blocked Capabilities

  • Network β€” no HTTP requests, no socket access
  • UserSecret β€” no access to the secret store
  • Filesystem β€” no access outside the designated workspace
  • Process β€” no spawning child processes

Allowed Capabilities

  • Pure computation and string processing
  • Structured output (JSON, text)
  • Memory allocation within WASM linear memory limits

Plugins must declare their required capabilities at install time. Users approve the capability set before a plugin can run.

Audit Logs

Every security-relevant action is recorded in a tamper-proof audit log:

Recorded Events

  • STORE β€” secret added to vault
  • ACCESS β€” secret access requested
  • APPROVE β€” user approved access
  • DENY β€” user denied access (or timeout)
  • DELETE β€” secret removed from vault

Integrity Guarantees

  1. Each entry is signed with Ed25519 by the secrets agent
  2. Each entry includes the SHA-256 hash of the previous entry
  3. Verification: walk the chain, verify each signature and hash link
  4. Any insertion, deletion, or modification breaks the chain
Audit entry structure json 
{
  "entry_id": "a1b2c3d4",
  "action": "APPROVE",
  "secret_name": "github_token",
  "actor": "user:mobile_app",
  "timestamp": 1706140800,
  "previous_hash": "e3b0c44298fc1c14...",
  "signature": "base64_ed25519_sig..."
}

Design Principles

Fail Secure

All defaults are restrictive. Timeouts result in denial. Missing configuration blocks access. The system never grants access by default.

Defense in Depth

Multiple independent layers must be compromised for a secret to leak: the AI core, the Unix socket, the secrets agent, the encryption key, and the user approval flow.

Minimal Trust

Each component has the minimum privileges needed. The AI core cannot read the vault directly. Plugins cannot access the network. The secrets agent cannot reach the internet.

Transparency

Every action is logged with full context. Users see exactly why a secret is being requested and which tool will use it.