Show HN: Velvet Security Framework

1 LambriniWorks 1 6/30/2025, 6:14:47 AM osf.io ↗

Comments (1)

LambriniWorks · 9h ago
The Velvet Suite is a modular security architecture designed for environments where deterministic trust, local authority, and the elimination of persistent secrets are required. Each module operates independently and does not rely on external services, centralized signing infrastructure, or network connectivity. All cryptographic state is derived at runtime, kept only in memory, and destroyed on expiration.

The execution control system enforces trust by content hash. It uses a kernel-level interception mechanism to monitor every file execution event and prevents any binary from running unless its hash has been explicitly authorized. Trust is based entirely on the file's contents. Names, locations, permissions, and metadata are not used. If the file's SHA-256 hash is not present in the local trust database, execution is denied before it begins. This prevents substitution attacks, injection, spoofed binaries, and environmental manipulation by enforcing identity through the data itself.

Trust management is handled through tools that allow administrators to populate, inspect, and maintain the local trust database. A scanning utility walks specified directories, hashes executable files, and records them. Manual tools allow precise modification and review, both through a command-line interface and a graphical interface that operates without background services. These utilities allow the system to remain deterministic and fully auditable even in recovery or disconnected environments.

Additional components support encrypted file transfer, secure messaging, password storage, and interprocess communication. These systems perform all encryption on the client using secrets that are generated in memory and rotated frequently. Synchronization is supported through local relays that store only encrypted blobs without metadata or identifying information. No keys or credentials are written to disk and no long-term secrets persist after execution.
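
The content-hash allowlisting described in the comment above, as a user-space sketch added here; it is not Velvet's code or the poster's. The SQLite table, the function names and the use of POSIX execute bits to pick files are assumptions, and it models only the directory scan and the allow/deny decision, not kernel interception.

```python
import hashlib, os, sqlite3, stat, tempfile

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS trusted (sha256 TEXT PRIMARY KEY, seen_at TEXT)")
    return db

def scan(db, root):
    """Record the digest of every regular file under root with an execute bit set."""
    added = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            mode = os.lstat(p).st_mode
            if not stat.S_ISREG(mode) or not mode & 0o111:
                continue  # skip symlinks, devices and non-executables
            cur = db.execute("INSERT OR IGNORE INTO trusted VALUES (?, ?)", (sha256_file(p), p))
            added += cur.rowcount  # 0 when the digest was already recorded
    db.commit()
    return added

def is_authorized(db, path):
    """Allow only if the file's current contents hash to a recorded digest."""
    digest = sha256_file(path)
    return db.execute("SELECT 1 FROM trusted WHERE sha256 = ?", (digest,)).fetchone() is not None

def demo():
    """Constructed sample files: one script, one non-executable text file."""
    db = open_db()
    with tempfile.TemporaryDirectory() as d:
        tool, notes, moved = (os.path.join(d, n) for n in ("tool.sh", "notes.txt", "renamed.bin"))
        with open(tool, "w") as f: f.write("#!/bin/sh\necho ok\n")
        os.chmod(tool, 0o755)
        with open(notes, "w") as f: f.write("not executable\n")
        added = scan(db, d)                       # only tool.sh is recorded
        os.rename(tool, moved)
        same_bytes = is_authorized(db, moved)     # name and path play no part
        with open(moved, "a") as f: f.write("echo extra\n")
        modified = is_authorized(db, moved)       # contents changed, digest unknown
    return added, same_bytes, modified

if __name__ == "__main__":
    print(demo())
```

This models the decision only; an enforcement point has to make it on the bytes that are actually executed, at the moment of execution.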