docs(roadmap): Epic B slices B2-B7 — classify/attest/adopt/govern/macOS/Windows plans#127
Draft
gnanirahulnutakki wants to merge 1 commit into
Draft
docs(roadmap): Epic B slices B2-B7 — classify/attest/adopt/govern/macOS/Windows plans#127gnanirahulnutakki wants to merge 1 commit into
gnanirahulnutakki wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Planning document only — no code changed, no work authorized. Adds
docs/roadmap/epic-b-b2-b7-slice-plans.md, the file-level build plans for the remaining Epic B slices after B1.Grounded in the merged Epic B docs — slice plan (#114), policy-selection research (#116, the AG-0…AG-4 ladder + binding registry + two-claim verifier + deltas D1–D7), cost/reliability SLOs (#117) — the B1 detail (#120), and the current code (
es_client_darwin.go,passport.py,bpf_lower.py,run_bridge.py,enforce_receipt_chain.go). No dedicated Linux-fingerprinting or macOS/Windows research doc is merged/open, so B2's fingerprint design and B6/B7 are built from the roadmap §2.2/§2.3 + #106 + #117's evasion taxonomy, with a note to reconcile if those land.Invariants carried through all six slices
Provenance passport ≠ mission grant ·
INSUFFICIENT_EVIDENCEfor intent, neverCOMPLIANT· observe-first, enforce only on an operator declaration, fail-safe = observe · loud-abort inversion (auto can't kill what it didn't start → fall to shadow) · every fail-safe is a measured event.Slice-by-slice
agent_classifier.py+ labeled corpus + fingerprint table (single source of truth as data, thin Go evaluator in the daemon). Static multi-signal (basename+hash+argv); interpreter hole measured via Land the live Linux eBPF capture daemon + emit the observability-gap metric #39, not closed. Gates: SLO-5 (precision ≥0.99, =1.00 on node/python/git/bash), SLO-7 (recall ≥0.95). Observe-only.provenance_passport.py— host-key-signed observation credential, schema-distinct fromMissionPassport; verifierProvenanceNotAMissionErrorreject +mission_compliance=INSUFFICIENT_EVIDENCE(Invariants 1–2 as tested exceptions); folds into the feat(enforce): sequence, hash-chain, and attest kernel enforce_events (Epic A E3) #100 hash chain;binding_strength: "process"(weaker than PoP, stated honestly). Observe-only.adopt_cgroup_linux.go— migrate a running process tree into a managed cgroup via a bounded reconciliation sweep; un-adoptable → observe-only, loudly; no security(enforce): concurrent apply_policy races the double-buffer active_slot swap (CWE-362) #110 race; applies no policy. Newadopt-smokeCI.agent_bindings.py(TOML registry, load-time dry-run lowering, ambiguity-resolves-downward),synthesized_mission.py(AG-2 shadow,SynthesizedMissionEnforceError), two-claim verifier (class_policy_compliancevsmission_compliance),auto_govern.go(reuses apply_policy feat(run): wire apply_policy — lowered BPF plans reach the kernelcapture daemon #96 verbatim; loud-abort inversion). Hard deps: [A] E4 — seccomp user-notify enforcement tier for bpf_lower's tier2_ops #104 (seccomp tier-2) + [A] Reconcile bpf_lower.py file-op ACT_ALLOWLIST lowering with guard_file_open's fail-closed LPM restriction #105 (file-op reconcile); trustworthiness leans on enforce: fail-open if the BPF-LSM guard consumer dies after startup — activeTier stays bpf_lsm, guard detached #121/enforce: BPF-LSM guard is unpinned — daemon restart drops all enforcement with no re-apply mechanism #124. Implements deltas D1–D7 (D4 deferrable). Gates SLO-6. Newauto-govern-smokee2e.es_client_darwin.go(cgo,es_new_client+ NOTIFY_EXEC) → reuse B2/B3; enforce tier = ESF AUTH + Network Extension (coarser, per-audit-token, no cgroup). NOTIFY-detect only (SLO-8), AUTH reserved for enforce (p99 ≤5ms, fail-open-to-observe). Hard dep [A] Slice 2 remainder — macOS launchd packaging + ES System Extension + Apple ES entitlement filing #106 Apple entitlement — file at B1 start (external lead time). CI limit stated honestly: hosted macOS runners can't load a System Extension → live proof is self-hosted/signed-Mac.etw_source_windows.go(Kernel-Process provider) → reuse B2/B3. Detect + attest only; no enforcement (needs a driver track — out of scope), documented plainly. Ordered after B6 per [A] Windows: process detection (future) #71. Hostedwindows-latestCI works (no driver).Critical path to the first no-wrapper enforcement demo
B1 → B2 → B3 → B4 → B5, with #104 + #105 before B5. B4 parallels B2/B3. B5 is the join and the first slice that enforces on an un-wrapped agent (
auto-govern-smoke). Off the path: #106 (start the Apple filing at B1 kickoff — lead time, not code, gates B6) and #121/#124 (recommended before AG-3 enforce GA; AG-2 shadow default doesn't need them). Before B5: an ADR on the honest enforcement ceiling of a proxy-less agent (AG-3 "enforced" is a weaker claim than wrapped--enforce— shapes the headline, AuditBench, and paper-lane narrative).