
POLARIS

A working national identity infrastructure.

Post-quantum signed. Audit-of-record by construction. Compulsion-resistant by design. It is not a slide deck; it runs, and CI boots the full production stack end to end on every push.

Fixus inter mutabilia · fixed amid the mutable


28 schema tables · 70 routes · 67 machine-checked invariants · ML-DSA-65 signing default · X25519MLKEM768 TLS edge · Plonky2 ZK + second witness

The hard parts

Consolidating six credentials into one token is the easy half. The interesting half is what happens when an adversary shows up. Six of those cases are answered by construction, at the database layer rather than in policy.

UC-12 · DURESS CODES

Cryptographic compulsion

"Sign this or I break your fingers." The holder cannot refuse without injury.

A second secret produces an indistinguishable verification that silently records a DuressEvent. The coercer's view is pixel-identical to success.

UC-9 · RECOVERY CEREMONY

Catastrophic loss

Token lost, holder unidentified, nothing to prove who they are.

A two-phase ceremony gated by three independent out-of-band channels, a cooldown, and an admin-only decision. Compromising one channel is not enough.

UC-6 · MULTI-SIG MIGRATION

Quantum migration

Today's signing algorithms break overnight when a quantum computer arrives.

Tokens carry classical AND post-quantum signatures simultaneously during cutover, with a hard database rule that exactly one is active. The default is already post-quantum.

UC-10 · FEDERATION

Issuer concentration

One agency issues tokens that masquerade as any other agency's.

Explicit-only federation; no transitive trust. Every cross-agency verification gates on an active trust attestation row.

UC-11 · ZK-SNARK

Auditability without privacy loss

"Prove this token was in the ledger" without revealing which one.

A Plonky2 proof over a Merkle commitment answers membership and nothing else. The verification graph cannot be reconstructed from zero-knowledge events.

UC-8 · ISSUER DISCRETION

Issuer overreach

An agency revokes tokens at industrial scale, outside policy.

A per-agency revocation-rate ceiling enforced by trigger, sanctioned by a policy row, audited under an advisory lock.

Enforced where code cannot reach

Most reference implementations put their rules in application code, where the next caller can bypass them. Polaris puts them in Postgres: a partial unique index for one-active-token-per-person, append-only triggers for the audit-of-record, a CHECK constraint that refuses to store a token id on a zero-knowledge verification. A flat layer of 67 plain check functions re-verifies all of it on every CI run, and each check provably fails on a broken fixture.
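The three Postgres mechanisms named above, shown as an added example that is not Polaris's own schema; the table and column names (token, audit_event, verification, the status and mode values) are assumptions made for the illustration:

```sql
-- Added illustration, not the Polaris schema: hypothetical table and column
-- names chosen to show the three database-layer enforcement patterns.

CREATE TABLE token (
    token_id   uuid PRIMARY KEY,
    person_id  uuid NOT NULL,
    status     text NOT NULL CHECK (status IN ('active', 'revoked', 'expired'))
);

-- One active token per person: the partial predicate means revoked and
-- expired rows never collide; only a second 'active' row is refused.
CREATE UNIQUE INDEX token_one_active_per_person
    ON token (person_id)
    WHERE status = 'active';

-- Audit-of-record: rows may be inserted but never changed or deleted.
CREATE TABLE audit_event (
    event_id   bigserial PRIMARY KEY,
    occurred   timestamptz NOT NULL DEFAULT now(),
    kind       text NOT NULL,
    payload    jsonb NOT NULL
);

CREATE OR REPLACE FUNCTION audit_event_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_event is append-only (% refused)', TG_OP;
END;
$$;

CREATE TRIGGER audit_event_no_update_delete
    BEFORE UPDATE OR DELETE ON audit_event
    FOR EACH ROW EXECUTE FUNCTION audit_event_append_only();

-- A zero-knowledge verification cannot carry a token id: the CHECK makes the
-- row unstorable instead of trusting application code to leave the column out.
CREATE TABLE verification (
    verification_id uuid PRIMARY KEY,
    mode      text NOT NULL CHECK (mode IN ('direct', 'zero_knowledge')),
    token_id  uuid REFERENCES token (token_id),
    CONSTRAINT zk_has_no_token_id
        CHECK (mode <> 'zero_knowledge' OR token_id IS NULL)
);

-- Each of these is refused by Postgres itself, whichever caller issues it:
-- INSERT INTO token VALUES (gen_random_uuid(), '<same person>', 'active');        -- second active token
-- UPDATE audit_event SET payload = '{}';                                          -- trigger raises
-- INSERT INTO verification VALUES (gen_random_uuid(), 'zero_knowledge', '<id>');  -- CHECK fails
```

A CI check in the style the page describes would run each refused statement against a fixture and assert that the database raises an error.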

28 schema tables
9 append-only AoR triggers
67 machine-checked invariants
562 product tests
7 CI jobs
1 double-click to launch

Real cryptography

No hardcoded algorithms anywhere: the signing algorithm is a foreign key to a first-class registry. Rotation is a row update, not a redeploy.

ML-DSA-65 default

NIST FIPS 204 lattice signatures, Level 3, on every new token from day one. Real bytes via liboqs; verified by two independent witnesses (liboqs + OpenSSL 3.5).

SLH-DSA hedge

FIPS 205 hash-based signatures rest on entirely different assumptions than lattices. If one family falls, the other stands. The cost is signature size, carried openly.

Plonky2 ZK-SNARK

FRI-based, transparent setup. Proves epoch membership without revealing which token. The epoch root is recomputed bit-for-bit by an independent Python witness.

Post-quantum TLS edge

The public edge negotiates X25519MLKEM768 hybrid key exchange; CI proves the handshake on every push. What stays classical is mapped honestly in PQC-POSTURE.md.

Duress codes

Constant-time comparison; the coerced flow is indistinguishable on every operator surface. Only the append-only audit trail knows.

WebAuthn MFA

FIDO2 hardware keys are the only authentication path to admin and auditor roles. Passwords alone cannot reach them.

Production, exercised

The production stack is not aspirational. CI boots it end to end on every push; building that job surfaced four prod-down bugs the day it landed, which is the point.

Run it

Local (macOS, Docker Desktop)

git clone https://github.com/EgorKhaklin/polaris-id.git polaris
cd polaris
./Polaris.command

Production (any Docker host)

./scripts/polaris-generate-secrets.sh
export POLARIS_DOMAIN=polaris.example.com
./scripts/polaris-deploy.sh prod
curl -fsS https://$POLARIS_DOMAIN/api/health

Educational reference implementation for Seton Hill University, Spring 2026. Notional data only; not a real identity system.