The Copperhead/GrapheneOS patches add page sanitization to 3.10, 3.18, 4.4, and 4.9 kernels when possible. slub_debug=FZP is available for all others.
You’re just sticking in flags that are NOPs.
All of those kernel flags are set to support all devices, whether or not the device kernel actually supports the feature.
And why tuna specifically?
It isn’t possible to run mainline on all of these, last I checked.
The patch to updater
That is localhost, you run the update server from your phone?
You can check the current glassrom kernel sources for those patches. There’s no automated “black magic” CVE patcher.
Linux only has ~2500 CVEs to date. Even if you multiply that by 10x, how do you get 63,000 vulnerabilities that you patch?
I kindly encourage you to please take the time to go through the DivestOS sources, use it in the FOSS spirit and ultimately improve your project with it.