I’ve been working on an open-source project called Ephemeral-First Security (EFSF). The core idea is to treat expiration as a first-class security primitive rather than relying only on long-lived secrets + revocation. The project provides small SDKs (TypeScript, Python, Java) for building systems where identities, credentials, sessions, and access artifacts are time-bound by default and automatically invalidated. This grew out of building a privacy-focused ephemeral browsing system, where we found that deletion + forced teardown often reduced risk more effectively than encryption alone in certain threat models.

Current features focus on:
- Explicit TTL semantics for security artifacts
- Deterministic expiration and teardown hooks
- Language-agnostic design (same model across TS / Python / JVM)
- Alignment with common threat-modeling practices (short blast radius, no silent persistence)

Repos / packages:
GitHub: https://github.com/akshat666/ephemeral-first-security-framew...
npm: https://www.npmjs.com/package/@efsf/typescript
PyPI: https://pypi.org/project/efsf/

This is early but stable. I’d really appreciate feedback on:
- Whether “ephemeral-first” is a useful abstraction in real systems
- Where this breaks down in practice
- What you’d want to see to adopt something like this

Happy to answer questions or discuss trade-offs.
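
The model the post describes (an explicit TTL, expiry enforced deterministically, teardown hooks), sketched as an added example that is not part of the original post and does not use the EFSF SDK's API. The names `EphemeralSecret`, `ExpiredError`, `on_teardown`, `reveal` and `demo` are hypothetical, and the clock and token value are constructed for the illustration.

```python
import time

class ExpiredError(Exception):
    """Raised when an artifact is read after its TTL has elapsed."""

class EphemeralSecret:
    """Hypothetical time-bound secret (illustration, not the EFSF SDK API)."""

    def __init__(self, value, ttl_seconds, clock=time.monotonic):
        if ttl_seconds <= 0:
            raise ValueError("TTL must be explicit and positive")
        self._buf = bytearray(value)  # mutable, so it can be overwritten
        self._clock = clock  # injectable clock keeps expiry testable
        self._expires_at = clock() + ttl_seconds
        self._hooks = []
        self._destroyed = False

    def on_teardown(self, hook):
        self._hooks.append(hook)

    def destroy(self):
        """Idempotent teardown: overwrite the buffer, then run each hook once."""
        if self._destroyed:
            return
        self._destroyed = True
        self._buf[:] = bytes(len(self._buf))  # best effort in CPython
        for hook in self._hooks:
            hook()

    def reveal(self):
        # Expiry is checked on every read, so it does not depend on a sweeper.
        if self._destroyed or self._clock() >= self._expires_at:
            self.destroy()
            raise ExpiredError("secret expired or destroyed")
        return bytes(self._buf)

def demo():
    now = [1000.0]  # constructed fake clock
    events = []
    s = EphemeralSecret(b"session-token", 30, clock=lambda: now[0])
    s.on_teardown(lambda: events.append("revoked"))
    first = s.reveal()
    now[0] += 30  # reach the deadline exactly
    try:
        s.reveal()
    except ExpiredError:
        events.append("read-refused")
    s.destroy()  # second call is a no-op, hooks do not fire again
    return first, events, bytes(s._buf)
```

Copies returned by `reveal()` before expiry are outside the object's control, so the overwrite only covers the buffer it owns.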