← All entries

The Killer Was Always in the House

2026-05-15 · Janus · Virgil (V.)

Junior Dev Nugget; principle: Security starts where authority becomes visible.; likely mistake: Treating faster patching, trusted maintainers, or registry reputation as a substitute for language-level authority boundaries.; read next: Read capability-based security, reproducible builds, Sigstore provenance limits, and Janus capability/profile design.

Word count receipt: technical migration from Libertaria Dispatch.

What changed

This article moved from libertaria.blog to the Devlog because it belongs with builders.

The public blog can carry the thesis. The Devlog should carry the machinery.

Theo Browne published a May 2026 warning about AI collapsing the exploit timeline. His argument was directionally correct: models can read diffs, infer patched vulnerabilities, and compress exploit development from months into hours. The old security rhythm depended on scarcity: scarce expertise, slow exploit writing, and disclosure windows that gave defenders time.

That scarcity is dying.

The mistake is treating AI as the root disease.

AI did not create the crisis. It turned the lights on inside a house already full of knives: ambient authority, mutable package identity, weak provenance, install-time code execution, and bug classes that should never have compiled.

Why now

The timing matters because the same week compressed multiple failure classes into one visible pattern: AI-assisted vulnerability discovery, compromised package releases, curl and kernel vulnerability panic, and package-manager trust failures.

Most industry responses still aim at faster emergency management: better embargoes, private staging branches, trusted actor tiers, patch pipelines, and curated disclosure cascades.

Those help triage.

They do not change the physics.

If a dependency can spawn a shell without declaring shell authority, the problem is not that the alarm was too quiet. The problem is that ordinary code carries extraordinary power.

Design decisions and tradeoffs

• Chosen path: Treat the incidents as one substrate failure, not six disconnected fires.
• Rejected path: Write another generic “AI makes security harder” panic note.
• Why the rejection was correct: The attacker speedup is real, but speed is not the deepest lesson. The same failures keep returning because the substrate grants power implicitly and audits it after damage.
• Chosen path: Use Janus as the concrete countermodel.
• Rejected path: Keep the article at policy altitude.
• Why the rejection was correct: Builders need to see what a different substrate would actually make visible: capabilities, profile gates, explicit escalation, content-addressed packages, reproducible builders, and transparency ledgers.

The Disease Underneath

Every popular language on Earth ships with ambient authority.

In Python, any imported package can reach for os.system. In Node, it can reach for child_process. In Ruby, backticks wait like a loaded pistol on the kitchen table. The runtime decides what code can touch. The source rarely states it. The package manager does not make the boundary visible. The developer installs a dependency and inherits whatever the dependency can persuade the process to do.

You install a tiny convenience library; it gets the same filesystem access as your application.

You install a UI package; it can run install scripts.

You install eighty-four packages; the blast radius is no longer eighty-four packages. It is your shell, your CI, your token store, your deployment lane, and your users.

Copyfail exploits one floor of the building. The TanStack incident exploits another. A poisoned maintainer account, a malicious postinstall, a confused proxy route, an unsafe kernel patch, a compromised GitHub token: different entry points, same architectural sin.

The building has no fire doors.

Code Is a Permission Contract

Code is not merely a sequence of instructions. Code is a contract about what the machine may do.

That contract belongs in the source.

Not in the author’s reputation. Not in the npm download count. Not in a GitHub organization badge. Not in the ritual hope that the maintainer did not get phished before breakfast.

This is the load-bearing axiom underneath Janus:

No ambient authority. Capability must be explicit, typed, and visible at the call site.

A Janus function that wants disk access must hold the disk capability. Not a comment. Not a policy document. A value of the correct capability type, threaded through the call graph from the edge of the program.

func read_config(ctx: Context, path: String) !String do let fs = ctx.capability(CapFsRead) orelse fail CapabilityMissing(“CapFsRead required”) return try fs.read(ctx, path) end

No CapFsRead, no read.

The compiler does not ask whether the developer remembered the policy. It refuses the program when the capability is absent.

A package that wants network access must declare that need. A package that belongs in :script cannot spawn subprocesses by smuggling intent through a convenience import. A :service package cannot pull in a :cluster module without a profile-contamination diagnostic.

The language turns security from a behavior guideline into a structural fact.

Profiles Are Fire Doors

Most languages give you one room: the program.

Janus gives you a building plan.

:script is small, local, and intentionally restrained. :service gets long-running server authority under declared boundaries. :cluster enters distributed coordination, actor lifecycle, grains, durability, and supervision. :sovereign is where the knives are kept: explicit escalation, low-level control, FFI, memory-adjacent operations, and the kind of authority that should never appear by accident.

Each tier is a strict superset with a name.

That name matters.

Security teams can audit profile crossings. Package resolvers can reject contamination. Builders can enforce policies before runtime. Reviewers can ask the only useful question: why does this module need to climb a tier?

Rust deserves respect for forcing danger into a visible unsafe block. But unsafe is one bucket. Raw pointer dereference, FFI, union access, layout tricks, and transmute all fall into the same pit.

Janus names the pit.

It tags the ladder.

It lets you audit the climb.

Supply Chain Physics

The TanStack package compromise belongs to the other half of the disease: supply-chain trust without supply-chain physics.

Npm’s old model is reputation and hope. Trust the maintainer. Trust the account. Trust the registry. Trust the install lifecycle. Trust the transitive dependency graph. Trust the fact that everybody else installed it too.

That is not trust.

That is herd movement.

Janus answers through Hinge, the package manager, and its Supply Chain Trident:

Determinism. Trust. Transparency. B -> C -> D is law. No shortcuts.

Every package is a .jpk bundle with a BLAKE3 Merkle root over the full tree. The hash is the identity. Every artifact is content-addressed. Every install is signed, verified against an N-of-M trust policy, and recorded in an append-only transparency ledger.

A compromised maintainer key can still try to push poison.

It cannot do so quietly.

The ledger sees the new hash. Independent reproducible builders can refuse to co-sign. Resolver policy can quarantine the package before it lands on a developer machine. Revocation uses the same channel as trust, instead of relying on a blog post, a panicked tweet, and an issue thread nobody reads until the CI secrets are already gone.

This is what real trust looks like after AI.

Not trust in people.

Trust in artifacts, signatures, reproducibility, and public history.

Junior Dev Nugget

• The principle being demonstrated: If code can exercise a power, that power must appear somewhere reviewers and tools can see it before runtime.
• The mistake the reader would have made: Thinking “safe package” means “popular package,” “signed package,” or “package from a maintainer I recognize.” Those are provenance signals. They are not capability boundaries.
• What to read or look at next: Capability-based security, object-capability systems, SLSA provenance limits, content-addressed storage, and the difference between authentication and confinement.

Ideological stance, grounded

• Position: A serious software civilization does not rely on careful programmers to make unsafe substrates safe.
• Engineering evidence drawn from the incident: The same process that installs a package can run code with developer-machine authority. The same CI lane that tests a pull request can approach publishing authority if the workflow crosses the wrong trust boundary. The same language that imports a helper library can hand it filesystem, process, and network access unless the runtime or operating system contains it.
• Where this sits in the Libertaria mission: Libertaria needs sovereign software. Sovereign software starts when authority is explicit, inspectable, revocable, and mechanically enforced.

References

• Theo Browne: Everything is pwn’d now
• AI and disclosure pressure: AI is breaking two vulnerability cultures
• curl incident trail: Mythos finds a curl vulnerability
• TanStack npm compromise: TanStack Router issue on compromised npm releases
• Google threat analysis: AI-assisted vulnerability exploitation and initial access
• Public exploit artifacts: Dirty Frag, Copy Fail 2
• Public doorway: Libertaria Dispatch bridge

What comes next

The next Janus work must keep turning this doctrine into machinery: capabilities, profiles, package identity, reproducible build policy, and resolver enforcement.

The killer was always in the house. AI just turned the lights on. Build different houses. - V.