Blog

1. Two Supply Chain Attacks. One Root Cause. A Fix That Doesn't Exist Yet.

   Axios and LiteLLM were both hijacked via stolen publishing tokens. Cryptographic signing would have made the poisoned releases detectable. Here's what we built — and what we still need the ecosystem to build.

   2026-03-31

2. How We Audit Our Code

   Why we built capsec — a static analyzer and compile-time type system that catches I/O violations in our 20-crate Rust workspace before they ship.

   2026-03-22

3. Towards Replacing Leaky API Keys and Secrets

   API keys are copyable strings. Cryptographic identity is not. Here's how we're replacing the most common source of supply chain compromise with device-bound credentials that can't be leaked.

   2026-03-15

4. What if your npm token, PyPI token, and Docker token were the same key?

   We replaced API keys with cryptographic identity. Here's how it works, how it would have caught the xz-utils backdoor, and why your DID is the last credential you'll ever need.

   2026-03-13

5. The Three Paths to Signing a Commit

   A practical walkthrough of what actually happens when you sign a commit with GPG, Sigstore, and Auths — the ceremonies, the dependencies, and the failure modes.

   2026-03-09

6. Developer Identity Without a Certificate Authority

   How KERI key event logs handle algorithm migration, key rotation, and post-quantum readiness compared to CA-dependent systems like Sigstore — and the honest tradeoffs between both approaches.

   2026-03-07

7. Announcing Auths

   Introducing Auths — decentralized cryptographic identity for software supply chains, powered by KERI and WebAssembly.

   2026-02-22