The philosophy, architecture, and consent protocols that define LimenGate.
The principles that every line of code must answer to.
Consent is not a checkbox, a banner, or a popup you dismiss to make it go away. In LimenGate, consent is structural — the load-bearing wall that holds the entire system together. No permission is granted silently. No data leaves without a gate. The user decides what crosses the threshold, and the threshold remembers.
There is no telemetry. There is no "anonymous usage data." There is no phone-home on startup. There is no crash reporter that sends stack traces to a server. The browser works for the user. Not for the developer. Not for the advertiser. Not for the state. This is not a feature — it is a founding constraint.
Full Rust. No Electron. No Chromium wrapper. No npm dependency tree pulling thousands of packages from registries you don't control. Servo for rendering, iced for the UI, rustls for TLS. The entire stack is auditable, reproducible, and belongs to the user.
External connections are corridors — explicitly opened, explicitly closed. Whether it's a remote AI provider, a ZkSync L2 chain, or a future VPN tunnel, nothing flows until the user opens the corridor. The chain doesn't settle to L1 without operator intent; the browser doesn't route without user intent.
Every session operates under one of three LREM modes: Ephemeral (nothing persists, guaranteed no-disk), Local Log (history saved locally, never transmitted), or Config (full persistence for settings, bookmarks, vault). The mode is chosen by the user at the gate. It cannot be changed silently.
How the crates fit together.
LimenGate has two distinct nine-fold systems. The browser permission spiral governs web permissions. The FlameNet entanglement spiral governs network identity.
Used for High and Critical risk permissions (camera, microphone, location, clipboard write, etc.). Each layer must be acknowledged before the permission is granted.
The user is informed that a permission is being requested and by whom.
The permission is explained in plain language — what data is accessed, how it's used.
What happens if you grant this. What happens if you deny it. Both paths shown.
Are there less invasive options? Can the site function without this permission?
This permission can be revoked at any time. Here's exactly how.
How long does this permission last? This session only? Until revoked? A fixed time?
Does this apply to this page only, this domain, or all domains?
This decision is logged in the consent audit trail. You can review it anytime.
The user explicitly affirms: "I consent to this permission under these terms."
The network-layer consent protocol. Nine independently consentable and revocable layers, each bound to a node UID with optional cryptographic signing. Coming in Phase 6.
Each layer is independently consentable and revocable. Bound to node UID with optional Trinity Key signing. Full protocol documentation available in the FlameNet Consent Layers v3.0 scroll.
Key decisions documented as the project evolves.
Why Servo for rendering and iced for UI. No Chromium, no Electron, no compromise on the Rust-native stack.
Cargo workspace layout. Nine crates with clear boundaries: UI, shell, consent, sovereignty, security, transparency, intelligence, voice, app.
The phased build plan from Gate (Phase 0) through Deep Network (Phase 8). Each phase is a complete layer of sovereignty.