self_defense

Immutable control-plane protection for config and hook artifacts.

What it mitigates

Persistence attempts that rewrite radius.yaml or hook wiring
Silent policy drift between requests
In-session tampering meant to survive restarts

Recommended defaults

Profile	enabled	onWriteAttempt	onHashMismatch
`local`	`true`	`deny`	`kill_switch`
`standard`	`true` in production-like runs	`deny`	`kill_switch`
`unbounded`	`false`	—	—

Minimal config

moduleConfig:
  self_defense:
    enabled: true
    immutablePaths:
      - "./radius.yaml"
      - "./.radius/**"
    onWriteAttempt: deny
    onHashMismatch: kill_switch

Operational notes

Keep includeDiscoveredConfig and includeHookArtifacts enabled unless you have a custom control-plane layout.
Use unlock.mode: token_file only for controlled maintenance windows.
If onHashMismatch: kill_switch, configure killSwitchFilePath on durable storage.

fs_guard
tripwire_guard
kill_switch

self_defense

What it mitigates

Recommended defaults

Minimal config

Operational notes

Related modules