14 — Applied Cryptography in the Koder Stack

Concrete cryptographic choices of the Koder Stack: TLS, identity (Koder ID), kzip, key management, deployment on EVEO, and product-specific considerations.

This file is living — update it when relevant architectural decisions change.


1. Overview

The Koder Stack serves two imperatives by design:

  • Self-hosted first (policies/self-hosted-first.kmd): no third-party SaaS for crypto-critical paths when a Koder or auditable OSS alternative exists.
  • Multi-tenant by default (policies/multi-tenant-by-default.kmd): every schemaAPI carries koder_user_id from commit 1; isolation via RLSkey-prefix.

Crypto-relevant components mapped:

Component Path Function
Koder ID services/foundation/id OAuth/OIDC provider; sole provider across the Stack
Koder Flow flow.koder.dev Git hosting; uses TLS + SSH
Koder Jet infra/net/jet Single web server (replaces Caddy/nginx)
servicesfoundationcerts on s.khost1:9421 DNS-01 ACME via ClouDNS
servicesfoundationreporter 7d event retention Crypto retention policies
kzip engines/sdk/kzip File encryption, recipient-mode keys
*ervices/crypto