added links in the tech overview

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>

.github/workflows/check.yml

@@ -6,13 +6,16 @@ on:
   merge_group:
     branches:
     - main
+permissions:
+  contents: read
+
 jobs:
   rustfmt:
     name: rustfmt
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
       with:
         egress-policy: audit
     - name: checkout repository
@@ -33,7 +36,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
       with:
         egress-policy: audit
     - name: checkout repository
@@ -55,7 +58,7 @@ jobs:
     name: full build linux-${{ matrix.arch }}
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
       with:
         egress-policy: audit
     - name: checkout repository
@@ -83,7 +86,7 @@ jobs:
     name: full test linux-${{ matrix.arch }}
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
       with:
         egress-policy: audit
     - name: checkout repository
@@ -110,7 +113,7 @@ jobs:
     name: full clippy linux-${{ matrix.arch }}
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
       with:
         egress-policy: audit
     - name: checkout repository

.github/workflows/release-plz.yml

@@ -6,6 +6,9 @@ on:
 concurrency:
   group: "${{ github.workflow }}"
   cancel-in-progress: true
+permissions:
+  contents: read
+
 jobs:
   release-plz:
     name: release-plz
@@ -15,11 +18,11 @@ jobs:
       contents: write
     steps:
     - name: harden runner
-      uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
+      uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
       with:
         egress-policy: audit
     - name: generate cultivator token
-      uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
+      uses: actions/create-github-app-token@21cfef2b496dd8ef5b904c159339626a10ad380e # v1.11.6
       id: generate-token
       with:
         app-id: "${{ secrets.EDERA_CULTIVATION_APP_ID }}"
@@ -37,7 +40,7 @@ jobs:
     - name: install linux dependencies
       run: ./hack/ci/install-linux-deps.sh
     - name: release-plz
-      uses: MarcoIeni/release-plz-action@db75300cf27adcd986d6f0cf4a72a4ffcc11dae5 # v0.5.86
+      uses: MarcoIeni/release-plz-action@476794ede164c5137bfc3a1dc6ed3675275690f9 # v0.5.99
       env:
         GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
         CARGO_REGISTRY_TOKEN: "${{ secrets.KRATA_RELEASE_CARGO_TOKEN }}"

Cargo.lock

@@ -77,9 +77,9 @@ dependencies = [
 
 [[package]]
 name = "async-trait"
-version = "0.1.83"
+version = "0.1.85"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "721cae7de5c34fbb2acd27e21e6d2cf7b886dce0c27388d46c4e6c47ea4318dd"
+checksum = "3f934833b4b7233644e5848f235df3f57ed8c80f1528a26c3dfa13d2147fa056"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -185,9 +185,9 @@ dependencies = [
 
 [[package]]
 name = "env_logger"
-version = "0.11.5"
+version = "0.11.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e13fa619b91fb2381732789fc5de83b45675e882f66623b7d8cb4f643017018d"
+checksum = "dcaee3d8e3cfc3fd92428d477bc97fc29ec8716d180c0d74c643bb26166660e0"
 dependencies = [
  "anstream",
  "anstyle",
@@ -342,9 +342,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.168"
+version = "0.2.169"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5aaeb2981e0606ca11d79718f8bb01164f1d6ed75080182d3abf017e6d244b6d"
+checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
 
 [[package]]
 name = "lock_api"
@@ -573,18 +573,18 @@ dependencies = [
 
 [[package]]
 name = "thiserror"
-version = "2.0.7"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93605438cbd668185516ab499d589afb7ee1859ea3d5fc8f6b0755e1c7443767"
+checksum = "f072643fd0190df67a8bab670c20ef5d8737177d6ac6b2e9a236cb096206b2cc"
 dependencies = [
  "thiserror-impl",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "2.0.7"
+version = "2.0.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1d8749b4531af2117677a5fcd12b1348a3fe2b81e36e61ffeac5c4aa3273e36"
+checksum = "7b50fa271071aae2e6ee85f842e2e28ba8cd2c5fb67f11fcb1fd70b276f9e7d4"
 dependencies = [
  "proc-macro2",
  "quote",

Cargo.toml

@@ -16,11 +16,11 @@ license = "GPL-2.0-or-later"
 repository = "https://github.com/edera-dev/krata"
 
 [workspace.dependencies]
-async-trait = "0.1.83"
+async-trait = "0.1.85"
 bit-vec = "0.8.0"
 byteorder = "1"
 elf = "0.7.4"
-env_logger = "0.11.5"
+env_logger = "0.11.6"
 flate2 = "1.0"
 indexmap = "2.6.0"
 libc = "0.2"
@@ -29,7 +29,7 @@ memchr = "2"
 nix = "0.29.0"
 regex = "1.11.1"
 slice-copy = "0.3.0"
-thiserror = "2.0.7"
+thiserror = "2.0.9"
 xz2 = "0.1"
 
 [workspace.dependencies.tokio]

README.md

@@ -11,6 +11,7 @@ krata is an implementation of a Xen control-plane in Rust.
 - [Frequently Asked Questions](FAQ.md)
 - [Code of Conduct](CODE_OF_CONDUCT.md)
 - [Security Policy](SECURITY.md)
+- [Edera Technical Overview](technical-overview.md)
 
 ## Introduction
 
@@ -23,3 +24,4 @@ It provides the base layer upon which Edera Protect zones are built on: a secure
 |--------------|------------------|-------------------------|
 | x86_64       | 100% Completed   | None, Intel VT-x, AMD-V |
 | aarch64      | 10% Completed    | AArch64 virtualization  |
+

technical-overview.md

@@ -0,0 +1,95 @@
+# Edera Technical Overview
+
+## What is Edera?
+
+Edera is a secure-by-default, cloud-native platform built on a reimagined, memory-safe type-1 hypervisor. It unlocks hard multitenancy and strong container isolation—without the performance hit.
+
+Unlike traditional container runtimes that share a single Linux kernel across containers, Edera runs each container in a lightweight virtual machine (called a **zone**), with its own dedicated Linux kernel. This eliminates the kernel as a shared attack surface.
+
+And because Edera doesn’t rely on nested virtualization, it runs wherever containers do—across public clouds, on-prem, and edge environments.
+
+## How Edera Works
+
+At its core, Edera uses a [custom hypervisor](https://edera.dev/stories/rust-or-bust-our-rewrite-of-the-xen-control-plane) based on [Xen](https://edera.dev/stories/why-edera-built-on-xen-a-secure-container-foundation), with key components rewritten in Rust for safety, performance, and maintainability. Edera introduces the concept of **zones**—independent, fast-booting virtual machines that serve as security boundaries for container workloads.
+
+Each zone runs its own Linux kernel and minimal init system. The kernel and other system components are delivered via OCI images, keeping things composable, cacheable, and consistent.
+
+Zones are [paravirtualized](https://docs.edera.dev/concepts/paravirtualization/) using the Xen PV protocol. This keeps them lightweight and fast—no hardware virtualization required. But when hardware support is available (e.g., on x86 with VT-x), Edera uses it to get near bare-metal performance.
+
+## How Edera Runs & Secures Containers
+
+Edera allows you to compose your infrastructure the same way you compose workloads: using OCI images.
+
+Each zone consumes a small number of OCI images:
+
+- A **kernel image** that provides the zone kernel.
+- One or more **system extension images** that provide init systems, utilities, and kernel modules.
+- Optionally, **driver zones**—zones that provide shared services (like networking) to other zones.
+
+Inside each zone, container workloads run via a minimal OCI runtime called [**Styrolite**]((https://github.com/edera-dev/styrolite/)), written in Rust. Unlike traditional setups (like Kata Containers, which layer containerd and runc as external processes), Styrolite is embedded inside the zone itself.
+
+### Key Benefits of This Design
+
+- No external container runtime processes  
+- Zone init system directly manages containers  
+- Minimal attack surface, optimized for secure execution
+
+This tightly integrated design avoids the complexity, latency, and exposure introduced by conventional container runtimes. It keeps the execution path short, verifiable, and secure-by-design.
+
+## Zones as Security Boundaries
+
+In Kubernetes, Edera runs pods inside **zones**—isolated virtual machines that eliminate risks like container escape, privilege escalation, and lateral movement.
+
+Each zone boots its own kernel, pulled via OCI, and runs a single pod by default. You can also configure zones to run a replica set, a namespace, or a set of trusted workloads together.
+
+To use Edera, apply the `RuntimeClass`:
+
+```yaml
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+  name: edera
+handler: edera
+```
+
+Then annotate your pod:
+
+```yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: edera-protect-pod
+spec:
+  runtimeClassName: edera
+```
+
+This causes the pod to be scheduled to a node running Edera’s hypervisor. The pod is transparently launched inside its own VM zone—no image changes, no config rewrites, and no extra work from developers.
+
+## What Exactly Is an Edera Zone?
+
+An Edera zone is a minimal VM built from OCI-delivered components. At launch time, the Edera daemon unpacks:
+
+### Kernel Image
+
+Located under `/kernel` in the OCI image:
+
+- `image`: the Linux kernel (vmlinuz)
+- `metadata`: key-value pairs for boot parameters
+- `addons.squashfs`: includes kernel modules in `/modules`
+- `config.gz`: the kernel configuration file
+
+### Initramfs Contents
+
+Packaged in a CPIO archive, typically mounted from:
+`usr/lib/edera/protect/zone/initrd`
+
+The initramfs includes:
+
+- `/init`: static Rust binary that initializes the zone
+- `/bin/styrolite`: embedded container runtime
+- `/bin/zone`: control plane for managing containers and services via IDM (inter-domain messaging)
+
+This structure lets Edera launch zones rapidly, with well-defined boundaries and no dependency on the host OS kernel. Everything the workload touches is defined, versioned, and validated.
+
+---
+If you want to know more check out our [docs site](https://docs.edera.dev)