A file format that "eats its own dog food."
K9 is a Self-Validating Component (SVC) standard built on the must-just-nickel triad.
Unlike passive file formats that rely on external applications to interpret them, a .k9 file
carries its own validation contracts and deployment logic.
-
Encodes validation, deployment, and recovery workflows in a single contract file.
-
Enforces tiered safety levels (Kennel/Yard/Hunt) before execution.
-
Provides signing and verification to support trusted execution.
-
Stronger default sandboxing for Hunt components.
-
Cleaner CI integration for validation and policy checks.
-
Broader templates for common infrastructure and automation tasks.
| File | Security Level | Description |
|---|---|---|
|
Kennel |
Pure data component. Safe to open anywhere. |
|
Yard |
Nickel evaluation only. No I/O side effects. |
|
Hunt |
Full triad execution. Requires cryptographic handshake. |
|
Hunt |
Multi-service container deployment with rolling deploy, rollback, cerro-torre image verification, and 3 environments (dev/staging/prod). |
|
N/A (documentation) |
Honest comparison of k9-svc/a2ml vs alternatives (Helm, Kustomize, Terraform, etc.). 5 DEPRECATE and 10 KEEP verdicts with decision flowchart. |
The project Containerfile uses Chainguard wolfi-base (not Debian). Build and run with Podman:
podman build -t k9-svc .
podman run --rm k9-svcSee GUIDE.adoc for the full container deployment walkthrough, including security level selection guidance.
|
Important
|
A |
# Clone the repo
git clone https://github.com/hyperpolymath/standards.git
# Note: K9-SVC is located in standards/k9-svc
cd k9-svc
# Check environment
./must status
# Ensure dependencies (Nickel + Just)
./must ensure
# Install k9-sign (memory-safe Rust signing tool)
cd k9-sign && ./install.sh --user && cd ..
# Generate signing keys
k9-sign keygen primary
k9-sign trust ~/.config/k9/keys/primary.pub
# Register MIME type
./must run register-user
# Validate everything
./must run dogfood
# Security tools
./k9-scan examples/hello.k9 # Static analysis
./must verify examples/hello.k9 # Signature verification
./must --dry-run run examples/hello.k9 # Preview mode| Layer | Component | Function |
|---|---|---|
Must |
Environment Shim |
Detects OS/architecture, ensures Nickel and Just are available |
Just |
Orchestration |
Task runner that executes build, validate, deploy recipes |
Nickel |
Validation Engine |
Typed configuration language that enforces contracts |
K9 implements tiered execution to prevent abuse:
'Kennel
|
Pure data. No execution. Safe to open anywhere. |
'Yard
|
Nickel evaluation only. No I/O side effects. |
'Hunt
|
Full triad execution. Requires cryptographic handshake. |
K9 takes security seriously. Self-executing components require careful design and implementation.
For Users:
-
Before using K9: Read Security Best Practices
-
Common questions: See Security FAQ
-
Report vulnerabilities: See Security Policy
For Decision Makers:
-
Executive summary: Security for Decision Makers
-
Implementation timeline: Security Roadmap
-
Technical analysis: Solutions vs Mitigations
Current Security Posture:
-
Kennel/Yard components: Production-ready (data-only, no execution risks)
-
Hunt components: Development use only (requires Tier 1-3 hardening)
-
Target: 95% risk elimination after Tier 1-3 implementation (6-12 months)
Key Protections:
-
Ed25519 digital signatures for Hunt components (k9-sign)
-
Nickel contract validation at runtime
-
Three-tier security model (Kennel/Yard/Hunt isolation)
-
Root user refusal (--allow-root escape hatch)
-
Static analysis (k9-scan with 8 security checks)
-
Dry-run preview mode
-
Memory-safe Rust signing tool (eliminates injection/corruption)
-
Planned: HSM key storage, mandatory sandboxing, formal verification
Security Tools:
-
k9-sign- Memory-safe Ed25519 signing (Rust, 15 tests, 756KB) -
k9-scan- Static security analysis (8 checks for malware patterns) -
must --dry-run- Preview actions before execution -
must verify- Signature verification -
Root refusal by default
| Attribute | Value |
|---|---|
Magic Number |
|
MIME Type |
|
Extensions |
|
k9-svc/
├── must # Environment shim (POSIX shell)
├── justfile # Orchestration recipes
├── pedigree.ncl # Core schema (The Brain)
├── register.ncl # MIME registration logic
├── Containerfile # Chainguard wolfi-base container image
├── README.adoc # This file
├── SPEC.adoc # Full specification / whitepaper
├── GUIDE.adoc # Comprehensive user guide (incl. container deployment)
└── examples/
├── hello.k9 # Kennel-level example (pure data)
├── config.k9.ncl # Yard-level example (Nickel evaluation)
├── deploy.k9.ncl # Hunt-level example (full triad)
├── container-deploy.k9.ncl # Hunt-level multi-service container deployment
└── NOT-a-good-fit.adoc # Deprecation analysis: k9-svc vs alternativesThe "dogfooding" principle: a format should be able to validate and deploy itself.
Traditional formats separate data from logic. This creates:
-
Bit rot: Data survives, but the tools to interpret it die
-
Platform lock-in: Files only work with specific applications
-
Silent corruption: Invalid data isn’t detected until runtime failure
K9 solves this by embedding validation contracts (Nickel) and deployment recipes (Just) directly in the component. If the file can’t "eat its own config," it refuses to run.