knSALK — deck defense bundle (firewall / antivirus / internal ICE)
First-party on-device program #13 (ADR-0042). Status: Draft (design) — promoted from charter stub. The deck’s self-defense program: the inverse of the offensive toolkit. Fills gap F (the last) of the gameplay framework. Where this and an ADR disagree, the ADR wins.
- ../runtime/recon-mode.md — the heat economy that triggers counter-intrusion (this is its defensive inverse)
- ../cartridges/modules/ice-breaker.md — the ICE classes / trace / HUNTER model, now pointed at the operator
- ../cartridges/design-bibles/verb-taxonomy-map.md §DEFENDER — the verb spine the active stand reuses
- ../cartridges/modules/sysop-mode.md — the DEFENDER cart (defend-a-network-for-pay); shares vocabulary, different seat
- ../runtime/currency-and-economy.md §5.1 — hardening knSALK is a credit-sink rig upgrade
- ../cartridges/authoring/capability-shapes.md — the active stand is a grammar capability
- ADR-0040 (sanctioned-write boundary), ADR-0015 (CIPHER hand-off), ADR-0042 (charter)
Identity
The deck’s own defense bundle — firewall, antivirus, and internal ICE. The defensive counterpart to the offensive toolkit (CONDUIT / RIPSAW / Keyring / bzbx / ICE BREAKER): the shield that keeps an enemy’s trace programs and counter-intrusion off the operator’s deck while they work. Name: Salk → vaccine → immunization (the house-brand kn prefix family, cf. kn9).
1. The frame — your deck is also a target
Every offensive program points outward: you scan, breach, and exfil someone else’s system. knSALK is the one program that points inward — because while you’re hacking them, they can hack back. A defender who notices you (your heat, §2) can trace back along your connection and counter-intrude on your own deck. knSALK stands between that intrusion and your stuff.
This makes the device’s central tension symmetric: the same skills, the same ICE model (ice-breaker.md: JUNK / BLACK / RED / HUNTER), the same trace-out failure — but now you’re the system being attacked, and knSALK is your perimeter.
2. Heat is the trigger (the double-edged meter)
The coupling that ties offense and defense into one system: the heat you accrue on offense is what brings the counter-intrusion. Recon casing (recon-mode.md) and in-op trace (ice-breaker.md) feed one heat timeline; knSALK reads the other end of it:
```
counter-intrusion pressure = f(operator heat)
breakthrough fires when pressure > knSALK passive-shield strength
```

So the offensive heat meter is no longer just “a harder op” — at high heat, they come for your deck. Rip-and-run stays cold and rarely sees knSALK fire; a long, loud, measured op invites a counter-stand. Hardening knSALK (§5) raises the breakthrough threshold — buying yourself more heat headroom before defense becomes active work.
3. The hybrid model — passive shield + active stand
knSALK runs in two layers (mirroring the offensive side’s passive trace-decay + active HUNTER moments):
- Passive shield (always-on). A background posture — firewall rules + AV signatures + base internal-ICE strength — that silently absorbs low-grade counter-intrusion and modifies the threat math. Set-and-forget for the common case; its strength is a build you buy and tune (§5). This is what keeps defense from being constant busywork.
- Active stand (breakthrough). When pressure exceeds the passive shield — a serious intrusion, a HUNTER-against-you — the offensive op interrupts and the operator must defend in real time (§4). Rare, tense, and the moment knSALK becomes gameplay rather than a stat.
4. The three facets — one program, the threat lifecycle
Firewall / antivirus / internal-ICE are three modes of one program, mapped to the three moments of a threat:
| Facet | When | Does | Layer |
|---|---|---|---|
| Firewall | before — prevention | inbound blocking rules + posture; the passive perimeter that sets the breakthrough threshold | passive |
| Antivirus | after — remediation | scan & neutralize hostile payloads picked up from the wire / a target / a cart; the between-ops hygiene loop + the cleanup that recovers a debuff (§6) | passive + on-demand |
| Internal ICE | during — response | the active stand: defensive ICE you raise and fight with when an intrusion is underway | active |
The active stand is a DEFENDER-verb grammar engagement (capability-shapes: grammar, not a bespoke mini-game). It reuses the DEFENDER Tier-2 spine from verb-taxonomy-map.md — QUARANTINE the payload, BANISH the intruder, PLACE-ICE / REROUTE / COUNTER-INTRUDE — turned defensively on your own deck. Because it’s grammar, it’s scriptable: an operator can author an auto-defense lambda (Lambda Slots) that fires a stock response so a breakthrough mid-op doesn’t always demand hands-on attention. (Sysop Mode deepens the same spine offensively-against-attackers; see §8.)
5. Hardening — the defensive build (credit sink)
Per currency-and-economy.md §5.1, hardening knSALK is a permanent rig upgrade in the program-tree credit sink. Upgrades raise the passive-shield strength (a higher breakthrough threshold), add firewall rule capacity, improve AV neutralize speed, and strengthen internal-ICE for the active stand. So defense is a build choice: a stealth-rig operator who buys trace-decay leans on staying cold; a loud-but-armored operator buys knSALK and tanks the counter-stand. Both viable — the same generalist-vs-specialist axis as the rest of the economy.
6. Stakes — what a breach costs (the tuning knob)
Escalating, and deliberately recoverable — defense failure should sting, not brick your save:
| Outcome | Cost |
|---|---|
| Absorbed (passive shield holds) | nothing (maybe a small heat bump) |
| Breakthrough, defended (active stand wins) | you keep going; some time/heat spent |
| Breakthrough, not defended → trace-out | forced disconnect of the current op = run fail / abandon (mirrors the offensive trace-out penalty) |
| Deep intrusion (worst) | a temporary, recoverable deck debuff — a locked DOSSIER slice, a credit skim, a rep ding — cleaned up with a knSALK AV scan (a short self-directed remediation loop) |
Never permanent UDS destruction. Durable consequences are sanctioned outcomes (ADR-0040 §6) routed through the guarded cores, always with a recovery path (the AV scan). The exact numbers — pressure curve, threshold per hardening tier, debuff severity/duration — are the key tuning knob, deferred to balance.
7. State & surface
- Hardening / posture (the build) — durable, set via sanctioned purchase (the credit-sink build) + Config toggles for firewall posture. Persists like any rig upgrade.
- Live threat (incoming intrusion, the active stand) — Run state (volatile; resets at the run boundary).
- Breach consequences (debuffs) — sanctioned outcomes (the guarded UDS path), recoverable.
- Surface — the threat surface renders on the main grid (Keyring-style); knSALK alerts route to the CIPHER-LINE OLED via event hand-off (no main-grid CIPHER glyphs — ADR-0015). One program, the three facets as modes/tabs.
8. knSALK vs. Sysop Mode (don’t confuse them)
Both speak DEFENDER (verb-taxonomy-map.md) and both end in trace-out — but they’re different seats:
| | knSALK | Sysop Mode |
|---|---|---|
| What | the deck’s own self-defense | a cart: you defend a network for pay |
| Category | first-party program (always present) | removable capability cartridge (sysop-mode.md) |
| When | during your offensive ops (reactive) | a chosen contract (you are the defender; PvP/asymmetric) |
| Seat | protecting your stuff | hunting an intruder for a bounty |
They share the DEFENDER verb vocabulary — plausibly knSALK is the shallow defender floor (the always-there baseline) that Sysop Mode deepens into full asymmetric defender gameplay (the baseline-vs-cart-deepened pattern, DeckRunner §11). Confirm that relationship in §9.
9. Open / deferred
- Stakes / heat tuning — the pressure curve, breakthrough threshold per hardening tier, debuff severity + duration. The balance pass (best against a running build).
- Defender-floor relationship — is knSALK formally the DEFENDER baseline that Sysop Mode deepens, or just shares its vocabulary? (Cart-vs-program categories differ; the verb spine is shared either way.)
- PvP counter-intrusion — when the attacker is another operator over the link cable (Sysop Mode’s domain), does knSALK mediate the defended deck? Ties to the link-cable layer (GWP-330).
- FFI — the active stand uses DEFENDER verb-tools (program-internal, surfaced via the DeckRunner interface) and rides the existing trace/threat + event-bus plumbing; no new NoshAPI primitive is anticipated beyond launch-app (already amended). Confirm at the engineering spike; flag for an ADR-0005 amendment only if a defense-event primitive proves necessary.