README
ΒΆ
BlackIce
Betrayal-resilient data infrastructure that plans for compromise β and survives it.
BlackIce is a zero-trust data platform built around the conviction that compromise is inevitable. Instead of pretending attacks will never land, BlackIce designs for the aftermath: immediate containment, cryptographic provenance, adaptive degradation and forensic-first recovery β all while keeping the data moving.
Not fail-safe. Breach-resilient. Tamper-aware. Unafraid.
β¨ Highlights
| Feature | What it buys you |
|---|---|
| π Zero-Trust Flight Gateway | PQ-TLS, Merkle integrity & adaptive circuit-breakers without sacrificing throughput. |
| π° Control Plane | Signed config ledger, real-time fleet health, live policy pushes. |
| π Mutation-Aware Storage | Iceberg-style versioning with cryptographic commits & predictive rollback. |
| π Self-Doubt Pipelines | Behaviour + content anomaly detection that can auto-isolate or burn-back. |
| π© Decentralised Fallback | Reed-Solomon / Shamir-sharded backupsβsurvive region loss or legal seizure. |
ποΈ Layered Architecture
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Control Plane (gRPC + Signed Ledger) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β² β²
β β
β Health / Policy β Panic Escalation
β β
βββββββββββββ΄βββββββββββ βββββββββ΄ββββββββ βββ-ββββββ-βββββββββ
β Secure Flight GW β β β Anomaly Engine β β β Panic Service β
β (pkg/flightgw) β ββββββββββββββββββ ββββββββββββββββββββ
β HMAC βͺ PQ-TLS βͺ CB β
βββββββββββ¬βββββββββββββ
β Arrow Flight
βββββββββββ΄βββββββββββββ
β Data Stores β ποΈ Iceberg βͺ DuckDB βͺ S3 βͺ Storj/IPFS
ββββββββββββββββββββββββ
Every layer can operate independently, yet all layers sign each other's work β creating an immutable chain-of-custody from raw ingress to long-term archive.
π Quick Start
set -euo pipefail
# 1. Install CLI tools
go install github.com/TFMV/blackice/cmd/flightdata@latest
go install github.com/TFMV/blackice/cmd/flightclient@latest
# 2. Start an in-memory Secure Flight Gateway
flightdata --listen 0.0.0.0:8815 --ttl 10m
# 3. In another terminal, push & fetch a demo Arrow RecordBatch
flightclient put --file demo.arrow
flightclient get --ticket demo.arrow
Docker one-liner:
docker run -p 8815:8815 -p 9090:9090 ghcr.io/tfmv/blackice/flightdata:latest
𧩠Core Components
| Component | Purpose | Key Features |
|---|---|---|
Secure Flight Gateway pkg/flightgw |
Drop-in Arrow Flight proxy with zero-trust defaults | β’ Post-Quantum gRPC-TLS (Kyber-x25519-HMAC) β’ SHA-256 HMAC per batch, optional Merkle stream verification β’ Battle-tested circuit-breaker with five-tier postures β’ Dynamic Trust Scoring across ten behavioural dimensions |
Control Plane pkg/controlplane |
Central nervous system that keeps every BlackIce node honest | β’ AuthN/Z pluggable providers, hardware-rooted attestations β’ Real-time component registry with heartbeat-based liveness β’ Signed configuration ledger with provenance and diffs β’ gRPC API from proto/blackice/v1/controlplane.proto |
Telemetry & Anomaly Detection pkg/flightgw/telemetry |
Multi-modal threat detection | β’ OpenTelemetry pipelines, Prometheus/Grafana export β’ High-dimensional detectors (Isolation Forest, VAEs, DBSCAN) β’ <0.1% false-positive rate, MITRE ATT&CK mapping |
Panic Service proto/blackice/v1/panic.proto |
Coordinated incident response | β’ Tier-0 β¦ Tier-5 escalation, burn-back coordination β’ Multi-party attestation, immutable forensic ledger |
π Stability Matrix
| Component | Status | Notes |
|---|---|---|
| Flight Gateway | Beta | Production-ready, API stable |
| Control Plane | Alpha | Core features complete, API evolving |
| Anomaly Detection | Beta | High accuracy, tuning ongoing |
| Panic Service | Alpha | Protocol stable, implementation maturing |
| CLI Tools | Stable | Ready for daily use |
π Repository Map
art/ β³ Vision documents, logos, diagrams
cmd/ β³ CLI entry-points (flightdata, flightserver, flightclient β¦)
proto/ β³ gRPC / protobuf contracts
pkg/ β³ Production Go packages
βββ controlplane/ β³ Fleet orchestration & policy engine
βββ flightgw/ β³ Zero-trust Arrow Flight gateway & helpers
βββ server/ β³ Flight server implementations
βββ proxy/ β³ Reverse proxy logic
βββ crypto/ β³ HMAC, PQ-TLS, Merkle, attestations
βββ trust/ β³ Dynamic trust scoring
βββ anomaly/ β³ Detectors & alert lifecycle
βββ telemetry/ β³ Metrics, tracing, logging
π Development
- Prerequisites: Go 1.24+ and
buf(for protobuf) - Build & Test:
make lint testβ runsgolangci-lint, unit tests and race detector - Protobuf:
make prototo regenerate gRPC stubs - Dev Environment:
make dev-shellfor containerized development
Linter config lives in .golangci.yml; CI runs on GitHub Actions.
π€ Contributing
Bug reports, feature ideas and pull requests are welcome!
- π Documentation: GitHub Pages
- π¬ Chat: Join
#blackiceon Matrix - π Good First Issues: Help wanted
Please see CONTRIBUTING.md for guidelines.
π License
SPDX-License-Identifier: MIT
Β© 2025 TFMV β MIT License
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
anomalyclient
command
anomalyclient is a test client for the anomaly detection service
|
anomalyclient is a test client for the anomaly detection service |
|
anomalyservice
command
main is the entry point for the anomaly detection service
|
main is the entry point for the anomaly detection service |
|
controlplane
command
|
|
|
flightclient
command
|
|
|
flightdata
command
|
|
|
flightgw
command
|
|
|
flightserver
command
|
|
|
keygen
command
|
|
|
pkg
|
|
|
flightgw/anomaly
Package anomaly provides anomaly detection and response capabilities for the BlackIce system.
|
Package anomaly provides anomaly detection and response capabilities for the BlackIce system. |
|
flightgw/crypto
Package crypto provides military-grade cryptographic functionality for BlackIce
|
Package crypto provides military-grade cryptographic functionality for BlackIce |
|
flightgw/integration
Package integration provides components to integrate various Flight servers
|
Package integration provides components to integrate various Flight servers |
|
flightgw/server
Package server provides core server functionality for the BlackIce Flight Gateway
|
Package server provides core server functionality for the BlackIce Flight Gateway |
|
flightgw/telemetry
Package telemetry provides a secure framework for collecting and exposing metrics
|
Package telemetry provides a secure framework for collecting and exposing metrics |
|
flightgw/trust
Package trust provides trust scoring and evaluation for data sources
|
Package trust provides trust scoring and evaluation for data sources |
|
proto
|
|
Click to show internal directories.
Click to hide internal directories.