# LockWire — full corpus > LockWire is secure-by-default, batteries-included security infrastructure for Rust: TLS with no warnings, PKI, passkeys, signed updates, and tamper-evident audit — wired correctly out of the box. Generated at build time from the content tree of https://lockwire.org — the markdown body of every page, concatenated. --- title: LockWire url: https://lockwire.org/ markdown-twin: https://lockwire.org/index.md --- # LockWire LockWire is secure-by-default, batteries-included security infrastructure for Rust: TLS with no warnings, PKI, passkeys, signed updates, and tamper-evident audit — wired correctly out of the box. --- title: Get started url: https://lockwire.org/start/ markdown-twin: https://lockwire.org/start/index.md --- # Get started LockWire's front door is the Easy Button: one dependency and one line that give a Rust application HTTPS with a real certificate chain — trusted on `localhost` and your LAN, auto-renewed, and revocation-checked on every use. No browser warnings, and no openssl incantations. ```rust let server = lockwire::serve(app) .https_easy_button() // trusted local CA, auto-renewal, revocation checked .await?; ``` The same pattern extends across the suite: passkey and OIDC login, signed updates, tamper-evident audit, and authenticated time each have a one-line secure default, with fail-loud guards that turn an insecure configuration into a build-time error rather than a production incident. ## Where things stand LockWire is in pre-release development, and this page grows into the full five-minute walkthrough — with CI-verified snippets — as the crates publish. The repositories go public as each tier reaches release; their canonical homes are `github.com/lockwire-org/lockwire` (the umbrella crate and CLI, whose getting-started guide this page will point at), `lockwire-sec`, `lockwire-ai`, and `lockwire-ssdl`. The crate names are already reserved on [crates.io](https://crates.io/crates/lockwire). --- title: Learn url: https://lockwire.org/learn/ markdown-twin: https://lockwire.org/learn/index.md --- # Learn The tutorials on this site form a ladder, not a pile. Each rung is a complete, runnable outcome in fifteen minutes or less: numbered steps, complete code blocks with nothing elided, and a "prove it" step you run yourself — curl, openssl, or the application — before the page asks you to believe anything. Every rung ends by naming the trap you just avoided and linking the [concept page](/concepts/) that explains it. The ladder climbs in this order: 1. Serve HTTPS with no warnings, on loopback and your LAN. 2. A desktop app calling remote services, with pinned, revocation-checked TLS. 3. Login and identity with passkeys and OIDC. 4. Secure mail handling. 5. Signed and over-the-air updates. 6. Airgapped operation: your own DNS, time, CA, and timestamping. The tutorials publish here together with the runnable demos they narrate, as each tier's repository goes public — the ladder mirrors the adoption ladder in the umbrella repository, so the site and the code never tell different stories. In the meantime, [Get started](/start/) shows the Easy Button that the first rung is built around. --- title: Concepts url: https://lockwire.org/concepts/ markdown-twin: https://lockwire.org/concepts/index.md --- # Concepts Where [Learn](/learn/) is imperative — do this, then this — Concepts is explanatory: timeless, diagram-led pages on why the secure defaults are shaped the way they are. Tutorials link into concepts; concepts never require a tutorial. The section opens with **the Traps series**: the ten shortcuts every codebase falls into, each titled as the symptom in the words a newcomer would use — "It works if I turn off certificate checking," "Your API key is in the binary" — with one diagram of the failure, one of the fix, and the two-line Easy Button that makes the trap impossible. The real vocabulary (revocation, pinning, attestation) arrives after the problem is solved, never as a prerequisite. [Trap #3 is previewed on the homepage](/). Alongside the traps sit explainers on certificate chains, revocation, and pinning; on attestation, from measured boot to continuous remote attestation; and on the essential-function doctrine — why communication is the thing being protected, and why a security control that silences your application is itself a denial of service. Every concept page leads with a diagram drawn in one consistent grammar: ink boxes are your components, hatched zones are attacker positions, and green is the defended path. Learn to read one and you can read them all. The concept pages publish alongside the tutorial ladder as the repositories go public. --- title: Reference url: https://lockwire.org/reference/ markdown-twin: https://lockwire.org/reference/index.md --- # Reference API reference lives on docs.rs, where it is generated from the code and cannot go stale. This section maps the crate landscape so you know which crate to open. The suite is à la carte — take one crate or all of them: - **`lockwire`** — the umbrella crate and CLI launcher. Apache-2.0. - **`lockwire-sec`** — the security tier: FIPS-routable cryptography, PKI and CA, ACME, OIDC with passkeys, secure DNS, authenticated time (NTS), signed updates, and tamper-evident audit with SIEM export. Apache-2.0. - **`lockwire-ai`** — the AI-provenance tier: attested memory, training-time governance, and signed attribution. Business Source License 1.1: public, auditable source, with commercial-use terms that fund the open tiers. - **`lockwire-ssdl`** — the SSDL tooling that enforces the development process described under [Evidence](/evidence/). Apache-2.0. Each repository carries a `FEATURES.md` stating, feature by feature, what is implemented, in progress, or planned; those files are the source of truth this section links to rather than restates. A machine-readable feature matrix at a stable URL is part of the site's design for AI agents — see [Agents](/agents/). The crate names are reserved on [crates.io](https://crates.io/crates/lockwire); the per-crate map and docs.rs links go live here as each tier publishes. --- title: Evidence url: https://lockwire.org/evidence/ markdown-twin: https://lockwire.org/evidence/index.md --- # Evidence A security framework should be judged on artifacts, not adjectives. Every LockWire repository ships its evidence with the source, so the claim and the code can be checked against each other: - **Threat models** — authored, versioned abuse-case matrices, updated with the code they describe. Read them before you trust us. - **A self-audited SSDL** — a secure software development lifecycle based on IEC 62443-4-1, targeting the technical requirements of IEC 62443-3-3 and -4-2 at Security Level 4. These are engineering baselines we self-assess against in the open — not third-party certifications, and we say so plainly. - **Traceability** — requirement-to-code-to-test records, kept by the same tooling (`lockwire-ssdl`) that gates every change. - **FIPS posture** — cryptography is routed exclusively through AWS-LC FIPS: no home-rolled primitives, no curve step-downs. - **SBOMs** — software bills of materials for every release. This section explains the artifacts and links to them where they live — in the repositories — rather than forking them into a second copy that could drift. The artifacts go public with their repositories as each tier reaches release; their canonical homes are `github.com/lockwire-org/lockwire`, `lockwire-sec`, `lockwire-ai`, and `lockwire-ssdl`. --- title: Agents url: https://lockwire.org/agents/ markdown-twin: https://lockwire.org/agents/index.md --- # Agents AI agents — coding assistants and autonomous builders selecting dependencies on a user's behalf — are a first-class audience of this site, and its machine surface is designed rather than bolted on: - **Markdown twins.** Every documentation page is served in two forms: rendered HTML at `/path/`, and the exact markdown source at `/path/index.md`, declared from each page via ``. - **`/llms.txt` and `/llms-full.txt`.** The curated map — a project one-liner, the Easy Button, and links to the markdown twins of the key pages — and the concatenated corpus for agents that prefer one fetch. Both are generated from the same content tree, so they cannot drift. - **Structured data.** JSON-LD on every page, a sitemap, a robots policy that welcomes AI crawlers, and a machine-readable feature matrix at a stable URL. - **`lockwire-mcp`.** A hosted MCP server exposing this site's documentation as read-only, **provenance-attested** tools: `search_docs`, `get_page`, `get_recipe` (the CI-verified recipes), `list_features` (the feature matrix), and `security_checklist` (the security requirements that apply to a given topic and Security Level). Every response carries a verifiable provenance envelope — the corpus digest plus a builder-signed attestation — so **your agent can prove what it read**, independent of the host or the transport. An agent composes these to turn a vague "what should this app be doing about security?" into a concrete — and *provable* — plan. Point your agent at `mcp.lockwire.org`, or run the same Apache-2.0 crate yourself. Live today: site search (press ⌘K or Ctrl-K), the markdown twin of every page, [/llms.txt](/llms.txt) and [/llms-full.txt](/llms-full.txt), the sitemap at [/sitemap.xml](/sitemap.xml), JSON-LD on every page, and a [robots policy](/robots.txt) that welcomes AI crawlers. The machine-readable feature matrix publishes together with the repositories it is generated from, and `lockwire-mcp` ships as its own crate with the suite. --- title: Who we are url: https://lockwire.org/about/ markdown-twin: https://lockwire.org/about/index.md --- # Who we are **Veraccord Labs LLC** builds LockWire: secure-by-default infrastructure for software that has to be trustworthy on the wire and provable after the fact. Most applications aren't broken by exotic attacks. They're broken by defaults — the shortcuts every codebase takes when security is hard and the deadline is real. LockWire is the alternative: the Easy Button that makes the correct, secure choice the default one, backed by evidence you can read rather than adjectives you have to take on faith. ## The experience behind it LockWire is built on hands-on experience securing systems where failure is not an option — across domains where safety, security, and trust are the same problem: - **IoT security** — embedded devices, cloud back-ends, cloud/web apps, and mobile applications. - **Control systems** — embedded controllers, cloud-accessible and on-premises servers, thin and thick clients, and fly-by-wire flight controls. - **Communications** — secure communications over wire, ground-based RF, airborne RF, and satellite. - **Positioning** — radar (airborne and ground-based), GPS and other GNSS (GLONASS, DGPS, WAAS, LAAS), including GPS autoland. - **Cybersecurity** — secure system and software design, requirements, threat modeling, and testing; Blue Team and Red Team operations; building IEC 62443-based organizations and products; and senior product design/cybersecurity leadership at a Fortune 500 company. The breadth is the point: the traps LockWire removes are ones we have had to navigate ourselves, in systems where a security defect is a safety defect. ## What we believe - **Evidence over adjectives.** Threat models, requirement-to-code traceability, SBOMs, and a self-audited secure-development process ship in the open, in the repositories — read them before you trust us. - **Secure by default, not secure by expertise.** The out-of-the-box configuration is the safe one; an insecure setup should fail at build time, not in production. - **Easy, and delightful.** Designing something secure — a product, an application, a website — should be a one-line Easy Button, not a research project, and building it should be a pleasure. When the secure path is also the path of least resistance, developers take it by default. - **Standards as the floor.** Our development process is based on IEC 62443-4-1, and we engineer against the technical requirements of IEC 62443-3-3 and -4-2 Security Level 4 — baselines we self-assess against in the open, not certifications we claim. Cryptography is FIPS-only. - **Open, and staying that way.** The security core and CLI are Apache-2.0, permanently; every tier — including the source-available AI tier — is published on crates.io, never behind a portal. --- title: Blog url: https://lockwire.org/blog/ markdown-twin: https://lockwire.org/blog/index.md --- # Blog Announcements and engineering deep dives: release notes that explain the why, and long-form pieces on the design decisions behind the suite. There are no posts yet; the first will accompany the first public release, and a feed is generated at [/blog/atom.xml](/blog/atom.xml).