14 — Applied Cryptography in the Koder Stack
Concrete cryptographic choices of the Koder Stack: TLS, identity (Koder ID), kzip, key management, deployment on EVEO, and product-specific considerations.
This file is living — update it when relevant architectural decisions change.
1. Overview
The Koder Stack serves two imperatives by design:
- Self-hosted first (
policies/self-hosted-first.kmd): no third-party SaaS for crypto-critical paths when a Koder or auditable OSS alternative exists. - Multi-tenant by default (
policies/multi-tenant-by-default.kmd): every schemaAPI carrieskoder_user_idfrom commit 1; isolation via RLSkey-prefix.
Crypto-relevant components mapped:
| Component | Path | Function |
|---|---|---|
| Koder ID | services/foundation/id |
OAuth/OIDC provider; sole provider across the Stack |
| Koder Flow | flow.koder.dev |
Git hosting; uses TLS + SSH |
| Koder Jet | infra/net/jet |
Single web server (replaces Caddy/nginx) |
| servicesfoundationcerts | on s.khost1:9421 |
DNS-01 ACME via ClouDNS |
| servicesfoundationreporter | 7d event retention | Crypto retention policies |
| kzip | engines/sdk/kzip |
File encryption, recipient-mode keys |
| *ervices/crypto |