Security: ImL1s/flux

docs/security.md

Security Guide

Chinese Documentation

Script Signing

Flux supports Ed25519 digital signatures to ensure script integrity.

Why Sign Scripts?

  • Integrity: Detect if scripts have been modified
  • Authentication: Verify scripts come from a trusted source
  • Production Safety: Prevent execution of unauthorized code

Setup

Generate Key Pair

flux keygen --output ./keys

This creates:

  • keys/private.pem - Keep secret, used for signing
  • keys/public.pem - Distribute with app, used for verification

Sign a Script

flux sign script.flux --key keys/private.pem --output script.signed.flux

Verify Signature

flux verify script.signed.flux --key keys/public.pem

Flutter Integration

Embed Public Key

const publicKey = '''
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----
''';

Verify Before Execution

import 'package:flux_vm/flux_vm.dart';

final verifier = FluxScriptVerifier(publicKey: publicKey);

void runSignedScript(String signedContent) {
  if (!verifier.verify(signedContent)) {
    throw SecurityException('Script signature invalid');
  }
  
  // Extract script content (before signature)
  final script = verifier.extractContent(signedContent);
  
  final vm = VM();
  vm.interpret(script);
}

Signed Script Format

// Original script content
var x = 1;
print(x);

// --- FLUX SIGNATURE ---
// ed25519:ABC123...XYZ789
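
A strict parser for the trailer layout shown above, as an added example (not code from Flux or flux_vm). The function name, the record return type and the rule that the signature covers the UTF-8 bytes before the marker line are assumptions made for illustration; the sample inputs are constructed and use a placeholder signature.

```dart
import 'dart:convert';
import 'dart:typed_data';

const marker = '// --- FLUX SIGNATURE ---';
const sigPrefix = '// ed25519:';

/// Hypothetical helper: returns (content bytes, 64-byte signature) and fails
/// closed on any layout other than content, marker line, one signature line.
(Uint8List, Uint8List) parseSignedScript(String signed) {
  final body = signed.trimRight();
  final sigStart = body.lastIndexOf('\n') + 1;
  final sigLine = body.substring(sigStart);
  if (!sigLine.startsWith(sigPrefix)) {
    // Also rejects anything appended after the real signature line.
    throw const FormatException('last line is not an ed25519 signature');
  }
  final signature = base64.decode(sigLine.substring(sigPrefix.length));
  if (signature.length != 64) {
    throw const FormatException('Ed25519 signatures are 64 bytes');
  }
  // The line directly above the signature must be exactly the marker.
  final head = body.substring(0, sigStart).replaceFirst(RegExp(r'\r?\n$'), '');
  final markerStart = head.length - marker.length;
  if (!head.endsWith(marker) ||
      (markerStart > 0 && head[markerStart - 1] != '\n')) {
    throw const FormatException('signature marker missing or misplaced');
  }
  // Assumption: the signature covers the UTF-8 bytes before the marker line.
  final content = utf8.encode(head.substring(0, markerStart));
  return (Uint8List.fromList(content), signature);
}

void main() {
  final sig = base64.encode(Uint8List(64)); // constructed placeholder bytes
  final samples = {
    'well-formed': 'var x = 1;\nprint(x);\n\n$marker\n$sigPrefix$sig\n',
    'code after signature': 'var x = 1;\n$marker\n$sigPrefix$sig\nprint(2);\n',
    'unknown algorithm': 'var x = 1;\n$marker\n// rsa:$sig\n',
    'marker not on own line': 'var x = 1; $marker\n$sigPrefix$sig\n',
  };
  samples.forEach((name, text) {
    try {
      final (content, signature) = parseSignedScript(text);
      print('$name: parsed ${content.length} bytes, sig ${signature.length}');
    } on FormatException catch (e) {
      print('$name: rejected (${e.message})');
    }
  });
}
```

Parsing only isolates the two byte strings; the script must still pass Ed25519 verification of the signature over the content before the VM interprets it, and only the extracted content should ever be run.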

Best Practices

Key Management

  1. Never commit private keys to version control
  2. Use environment variables or a secrets manager
  3. Rotate keys periodically
  4. Use separate keys for development and production

Runtime Security

// Create a sandboxed VM
final vm = VM();

// Don't register sensitive modules
// vm.registerModule(fileSystemModule);  // DON'T

// Limit what scripts can access
vm.registerModule(safeModule);

Input Validation

// Validate any values returned from Flux
final result = vm.getGlobal('userInput');

if (result is! String || result.length > 100) {
  throw ValidationException('Invalid input');
}

Threat Model

| Threat | Mitigation |
| --- | --- |
| Malicious script execution | Signature verification |
| Script tampering | Ed25519 signatures |
| Resource exhaustion | Execution timeouts (planned) |
| Sensitive data access | Module sandboxing |

Debugging vs Production

| Feature | Debug | Production |
| --- | --- | --- |
| Signature check | Optional | Required |
| Source maps | Included | Stripped |
| Debug symbols | Included | Stripped |
| .flx format | Optional | Recommended |

There aren’t any published security advisories