Epic 4/5: Secure-by-default profiles + minimize attack surface

Profile system with three named profiles controlling service activation,
network stance, and agent mode:
- offline_private (default): no network, core services only
- research: Tor-routed web search, airlock enabled
- full_lab: all services including diffusion path unit

Design:
- Profile definitions baked in appliance.yaml (immutable)
- Active selection stored in /var/lib/secure-ai/state/profile.json
  (root:root 0644, atomic writes, corrupted → falls back to offline_private)
- Operator override at /etc/secure-ai/local.d/profile.yaml is a hard lock
  that disables UI profile changes (403)
- Privilege boundary: UI writes request file, systemd path unit triggers
  privileged apply-profile.sh oneshot (same pattern as diffusion activation)
- Transactional: apply → validate → rollback-on-failure
- Audit entries for all profile changes

Attack surface minimization (Epic 5):
- Moved secure-ai-enable-diffusion.path from enabled to disabled in recipe.yml
  (only activated by full_lab profile via apply-profile.sh)
- Airlock, tor, searxng, search-mediator already disabled by default

UI changes:
- Profile badge in topbar (green/yellow/accent by profile)
- Profile selection step in setup wizard (Step 1)
- Profile API: GET /api/profile, POST /api/profile/preview,
  POST /api/profile/select, GET /api/profile/status

Tests: 32 new tests in test_profile_system.py covering definitions,
service-unit mapping, agent safety in offline_private, apply-profile.sh
structure, systemd units, API endpoints, and recipe integration.

Also fixes: CI image-ref-consistency job self-exclusion for string literals.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SecAI-Hub

.github/workflows/ci.yml

@@ -183,10 +183,16 @@ jobs:
 
           ERRORS=0
           for pattern in "${WRONG_PATTERNS[@]}"; do
+            # Exclude files that legitimately contain wrong patterns as string
+            # literals for detection purposes (this CI job + the consistency test)
             MATCHES=$(grep -rn \
               --include='*.sh' --include='*.py' --include='*.yaml' \
               --include='*.yml' --include='*.md' --include='*.json' \
-              "$pattern" . 2>/dev/null | grep -v '.git/' | grep -v 'node_modules/' || true)
+              --exclude='ci.yml' \
+              --exclude='test_image_ref_consistency.py' \
+              "$pattern" . 2>/dev/null \
+              | grep -v '.git/' | grep -v 'node_modules/' \
+              || true)
             if [ -n "$MATCHES" ]; then
               echo "::error::Found wrong image reference '$pattern':"
               echo "$MATCHES"

files/system/etc/secure-ai/config/appliance.yaml

@@ -209,3 +209,130 @@ logging:
   store_raw_prompts: false
   store_raw_responses: false
   audit_tool_calls: true
+
+# ---------------------------------------------------------------------------
+# Runtime profiles — control which optional services are active and the
+# network/agent posture.  Profile DEFINITIONS are baked into the image
+# (immutable).  The active selection lives in the writable runtime state
+# at /var/lib/secure-ai/state/profile.json (root:root 0644, atomic writes).
+#
+# An operator can hard-lock the profile by placing a file at
+# /etc/secure-ai/local.d/profile.yaml — when present it overrides the
+# runtime state and disables UI profile changes (403).
+#
+# On missing/malformed/invalid profile.json the system falls back to
+# offline_private (safest default) and emits an audit alert.
+# ---------------------------------------------------------------------------
+profile:
+  # Default profile for new installs (used when no profile.json exists)
+  default: "offline_private"
+
+  definitions:
+    offline_private:
+      description: "Maximum isolation — no network, core services only"
+      mode: "local-only"
+      session_mode: "offline-only"
+      agent_mode: "offline_only"
+      rationale: >
+        Agent remains active in offline_only mode because it provides useful
+        local automation (file management, workspace tasks) with no network
+        access, hard budget limits, and loopback-only IPC.  The agent service
+        unit uses PrivateNetwork=yes and the nftables rules block all egress.
+        policy.yaml network.runtime_egress=deny cannot be overridden by agent
+        mode.  This is verified by test_profile_system.py.
+      services_enabled:
+        # Tier 1: Security infrastructure (always on)
+        - secure-ai-runtime-attestor.service
+        - secure-ai-integrity-monitor.service
+        - secure-ai-incident-recorder.service
+        - secure-ai-policy-engine.service
+        - secure-ai-boot-verify.service
+        - secure-ai-vault-watchdog.service
+        - secure-ai-health-check.service
+        - secure-ai-gpu-integrity-watch.service
+        - secure-ai-mcp-firewall.service
+        # Tier 2: Core function
+        - secure-ai-ui.service
+        - secure-ai-registry.service
+        - secure-ai-tool-firewall.service
+        - secure-ai-agent.service
+        - secure-ai-quarantine-watcher.service
+        - secure-ai-inference.service
+      services_disabled:
+        - secure-ai-diffusion.service
+        - secure-ai-enable-diffusion.path
+        - secure-ai-airlock.service
+        - secure-ai-tor.service
+        - secure-ai-searxng.service
+        - secure-ai-search-mediator.service
+
+    research:
+      description: "Privacy-preserving research — Tor-routed web search"
+      mode: "online-augmented"
+      session_mode: "normal"
+      agent_mode: "online_assisted"
+      rationale: >
+        Enables the search stack (SearXNG + Tor + search-mediator) and the
+        airlock for filtered outbound access.  All web traffic is Tor-routed
+        with PII stripping and differential privacy (decoy queries).  Agent
+        can use search-assisted tools but only through the airlock.
+      services_enabled:
+        # Everything from offline_private plus search/airlock stack
+        - secure-ai-runtime-attestor.service
+        - secure-ai-integrity-monitor.service
+        - secure-ai-incident-recorder.service
+        - secure-ai-policy-engine.service
+        - secure-ai-boot-verify.service
+        - secure-ai-vault-watchdog.service
+        - secure-ai-health-check.service
+        - secure-ai-gpu-integrity-watch.service
+        - secure-ai-mcp-firewall.service
+        - secure-ai-ui.service
+        - secure-ai-registry.service
+        - secure-ai-tool-firewall.service
+        - secure-ai-agent.service
+        - secure-ai-quarantine-watcher.service
+        - secure-ai-inference.service
+        - secure-ai-airlock.service
+        - secure-ai-tor.service
+        - secure-ai-searxng.service
+        - secure-ai-search-mediator.service
+      services_disabled:
+        - secure-ai-diffusion.service
+        - secure-ai-enable-diffusion.path
+
+    full_lab:
+      description: "Full capability lab — all services available"
+      mode: "online-augmented"
+      session_mode: "normal"
+      agent_mode: "standard"
+      rationale: >
+        All services enabled including diffusion activation path unit and
+        the full search/airlock stack.  Network traffic is filtered through
+        the airlock (not direct).  Suitable for evaluation, research, and
+        model testing where maximum capability is needed.
+      services_enabled:
+        # All services
+        - secure-ai-runtime-attestor.service
+        - secure-ai-integrity-monitor.service
+        - secure-ai-incident-recorder.service
+        - secure-ai-policy-engine.service
+        - secure-ai-boot-verify.service
+        - secure-ai-vault-watchdog.service
+        - secure-ai-health-check.service
+        - secure-ai-gpu-integrity-watch.service
+        - secure-ai-mcp-firewall.service
+        - secure-ai-ui.service
+        - secure-ai-registry.service
+        - secure-ai-tool-firewall.service
+        - secure-ai-agent.service
+        - secure-ai-quarantine-watcher.service
+        - secure-ai-inference.service
+        - secure-ai-airlock.service
+        - secure-ai-tor.service
+        - secure-ai-searxng.service
+        - secure-ai-search-mediator.service
+        - secure-ai-enable-diffusion.path
+      services_disabled:
+        # Diffusion worker itself stays disabled — activated on-demand via path unit
+        - secure-ai-diffusion.service

files/system/usr/lib/systemd/system/secure-ai-apply-profile.path

@@ -0,0 +1,8 @@
+[Unit]
+Description=Watch for profile change request from UI
+
+[Path]
+PathExists=/run/secure-ai-ui/profile-request
+
+[Install]
+WantedBy=multi-user.target

files/system/usr/lib/systemd/system/secure-ai-apply-profile.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=SecAI Profile Applicator (one-shot, privileged)
+After=secure-ai-registry.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/secure-ai/apply-profile.sh
+ExecStopPost=-/bin/rm -f /run/secure-ai-ui/profile-request
+TimeoutStartSec=120
+
+# Hardening — this service needs systemctl access but nothing else exotic
+ProtectHome=yes
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes