SecAI-Hub
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 154 additions & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 154 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 1 deletion b/‎README.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎docs/components/gpu-integrity-watch.md‎
Lines changed: 162 additions & 0 deletions b/‎docs/components/gpu-integrity-watch.md‎
Lines changed: 162 additions & 0 deletions
@@ -26,7 +26,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        service: [airlock]
+        service: [airlock, registry, tool-firewall, gpu-integrity-watch, mcp-firewall, policy-engine, runtime-attestor, integrity-monitor, incident-recorder]
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
 
@@ -0,0 +1,154 @@
+name: Release
+
+on:
+  push:
+    tags: ["v*"]
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: "Dry run (skip publish)"
+        type: boolean
+        default: false
+
+concurrency:
+  group: release-${{ github.ref }}
+  cancel-in-progress: false
+
+permissions:
+  contents: write
+  packages: write
+  id-token: write
+  attestations: write
+
+jobs:
+  build-go:
+    name: Build Go Services
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        service: [airlock, registry, tool-firewall, gpu-integrity-watch, mcp-firewall, policy-engine, runtime-attestor, integrity-monitor, incident-recorder]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: "1.23"
+          cache-dependency-path: services/${{ matrix.service }}/go.sum
+
+      - name: Build (linux/amd64)
+        working-directory: services/${{ matrix.service }}
+        run: |
+          CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+            go build -ldflags="-s -w -X main.version=${{ github.ref_name }}" \
+            -o ../../dist/${{ matrix.service }}-linux-amd64 .
+
+      - name: Build (linux/arm64)
+        working-directory: services/${{ matrix.service }}
+        run: |
+          CGO_ENABLED=0 GOOS=linux GOARCH=arm64 \
+            go build -ldflags="-s -w -X main.version=${{ github.ref_name }}" \
+            -o ../../dist/${{ matrix.service }}-linux-arm64 .
+
+      - name: Generate SBOM (Syft)
+        uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0
+        with:
+          path: services/${{ matrix.service }}
+          format: cyclonedx-json
+          output-file: dist/${{ matrix.service }}-sbom.cdx.json
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@ea165f8d65b6db9a6b7e75b195508afaf57ec3c7 # v4.6.2
+        with:
+          name: go-${{ matrix.service }}
+          path: dist/
+
+  build-python:
+    name: Build Python Service SBOMs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.12"
+
+      - name: Install Syft
+        run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+      - name: Generate Python SBOMs
+        run: |
+          mkdir -p dist
+          for svc in agent ui quarantine common; do
+            if [ -d "services/${svc}" ]; then
+              syft dir:services/${svc} -o cyclonedx-json=dist/${svc}-sbom.cdx.json
+            fi
+          done
+          # Diffusion worker and search mediator
+          for svc in diffusion-worker search-mediator; do
+            if [ -d "services/${svc}" ]; then
+              syft dir:services/${svc} -o cyclonedx-json=dist/${svc}-sbom.cdx.json
+            fi
+          done
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@ea165f8d65b6db9a6b7e75b195508afaf57ec3c7 # v4.6.2
+        with:
+          name: python-sboms
+          path: dist/
+
+  provenance:
+    name: SLSA Provenance & Attestation
+    runs-on: ubuntu-latest
+    needs: [build-go, build-python]
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          path: dist/
+          merge-multiple: true
+
+      - name: Generate SHA256 checksums
+        run: |
+          cd dist
+          sha256sum * > SHA256SUMS
+          cat SHA256SUMS
+
+      - name: Sign checksums with cosign
+        run: |
+          cosign sign-blob --yes \
+            --key env://COSIGN_PRIVATE_KEY \
+            --output-signature dist/SHA256SUMS.sig \
+            dist/SHA256SUMS
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          subject-path: "dist/*-linux-*"
+
+      - name: Attest SBOMs
+        run: |
+          for sbom in dist/*-sbom.cdx.json; do
+            service=$(basename "$sbom" -sbom.cdx.json)
+            cosign attest --yes --type cyclonedx \
+              --predicate "$sbom" \
+              --key env://COSIGN_PRIVATE_KEY \
+              ghcr.io/${{ github.repository }}:${{ github.ref_name }}-${service} || \
+              echo "WARN: cosign attest skipped for ${service} (no matching image)"
+          done
+        env:
+          COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+      - name: Create GitHub Release
+        if: ${{ !inputs.dry_run }}
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
+        with:
+          files: |
+            dist/*-linux-*
+            dist/*-sbom.cdx.json
+            dist/SHA256SUMS
+            dist/SHA256SUMS.sig
+          generate_release_notes: true
+          fail_on_unmatched_files: false
@@ -89,11 +89,17 @@ journalctl -u secure-ai-quarantine-watcher -f  # watch pipeline
 | Diffusion Worker | 8455 | Python | Image and video generation |
 | Agent | 8476 | Python | Policy-bound local autopilot (deny-by-default, capability tokens) |
 | Quarantine | -- | Python | 7-stage verify, scan, and promote pipeline |
+| GPU Integrity Watch | 8495 | Go | Continuous GPU runtime verification and anomaly detection |
+| MCP Firewall | 8496 | Go | Model Context Protocol policy gateway (default-deny, taint tracking) |
+| Policy Engine | 8500 | Go | Unified policy decision point (6 domains, decision evidence, OPA-upgradeable) |
+| Runtime Attestor | 8505 | Go | TPM2 quote verification, HMAC-signed state bundles, startup gating |
+| Integrity Monitor | 8510 | Go | Continuous baseline-verified file watcher (binaries, policies, models, trust material) |
+| Incident Recorder | 8515 | Go | Security event capture, incident lifecycle, auto-containment |
 | Search Mediator | 8485 | Python | Tor-routed web search with PII stripping |
 | SearXNG | 8888 | Python | Self-hosted metasearch (privacy-respecting engines) |
 | Tor | 9050 | C | Anonymous SOCKS5 proxy |
 
-See [docs/architecture.md](docs/architecture.md) for design decisions and service dependencies. Per-service docs: [registry](docs/components/registry.md) | [tool-firewall](docs/components/tool-firewall.md) | [agent](docs/components/agent.md) | [airlock](docs/components/airlock.md) | [quarantine](docs/components/quarantine.md) | [search-mediator](docs/components/search-mediator.md)
+See [docs/architecture.md](docs/architecture.md) for design decisions and service dependencies. Per-service docs: [registry](docs/components/registry.md) | [tool-firewall](docs/components/tool-firewall.md) | [agent](docs/components/agent.md) | [airlock](docs/components/airlock.md) | [quarantine](docs/components/quarantine.md) | [search-mediator](docs/components/search-mediator.md) | [gpu-integrity-watch](docs/components/gpu-integrity-watch.md) | [mcp-firewall](docs/components/mcp-firewall.md) | [policy-engine](docs/components/policy-engine.md) | [runtime-attestor](docs/components/runtime-attestor.md) | [integrity-monitor](docs/components/integrity-monitor.md) | [incident-recorder](docs/components/incident-recorder.md)
 
 ### 7-Stage Quarantine Pipeline
 
 
@@ -0,0 +1,162 @@
+# GPU Integrity Watch
+
+**Service:** `secure-ai-gpu-integrity-watch.service`
+**Binary:** `/usr/libexec/secure-ai/gpu-integrity-watch`
+**Port:** 8495 (loopback only)
+**Language:** Go
+
+## Purpose
+
+Continuous GPU runtime integrity verification. Monitors the GPU hardware and driver stack to detect tampering, unexpected changes, or anomalies that could compromise model execution trust. Integrates with the runtime attestor and incident recorder for end-to-end GPU security.
+
+## Architecture
+
+GPU Integrity Watch runs as a daemon that periodically probes the GPU subsystem and scores results against a trusted baseline. If the score exceeds a configurable threshold, it triggers degradation actions and reports incidents.
+
+```
++-----------+     +-----------+     +-----------+     +-------------------+
+| Probes    | --> | Scoring   | --> | Actions   | --> | Integrations      |
+| (6 types) |     | (weighted |     | (degrade, |     | - incident-recorder|
+|           |     |  history) |     |  alert,   |     | - runtime-attestor |
+|           |     |           |     |  disable) |     |                   |
++-----------+     +-----------+     +-----------+     +-------------------+
+```
+
+## Probes
+
+| Probe | Type | Default Weight | What It Checks |
+|-------|------|--------|----------------|
+| Tensor Hash | `tensor_hash` | 1.0 | SHA-256 of model files vs baseline |
+| Sentinel Inference | `sentinel_inference` | 1.0 | Known input/output pairs for behavioral consistency |
+| Reference Drift | `reference_drift` | 0.8 | Multi-pass variance detection (corruption signature) |
+| ECC Status | `ecc_status` | 0.6 | GPU memory error counters (nvidia-smi) |
+| Driver Fingerprint | `driver_fingerprint` | 1.0 | GPU driver version + kernel module identity vs baseline |
+| Device Allowlist | `device_allowlist` | 0.8 | GPU device nodes (/dev/dri/*, /dev/nvidia*) vs expected list |
+
+### Verdict Classification
+
+| Composite Score | Verdict |
+|----------------|---------|
+| 0.0 - 0.3 | `healthy` |
+| 0.3 - 0.9 | `warning` |
+| >= 0.9 or any probe `fail` | `critical` |
+
+## Integrations
+
+### Runtime Attestor
+
+The `/v1/attest-state` endpoint returns a `GPUAttestState` summary that the runtime attestor can include in the signed attestation bundle:
+
+```json
+{
+  "timestamp": "2026-03-13T12:00:00Z",
+  "verdict": "healthy",
+  "composite_score": 0.0,
+  "probe_statuses": {"hash": "pass", "driver": "pass"},
+  "driver_version": "565.57.01",
+  "device_nodes": ["/dev/dri/card0", "/dev/dri/renderD128"],
+  "trend": 0.0
+}
+```
+
+### Incident Recorder
+
+On `warning` or `critical` verdicts, GPU Integrity Watch automatically reports incidents to the incident-recorder service (`http://127.0.0.1:8515`). Incident classes are mapped from probe failures:
+
+| Probe Failure | Incident Class | Severity |
+|--------------|----------------|----------|
+| Tensor hash fail | `manifest_mismatch` | critical |
+| ECC uncorrected errors | `integrity_violation` | critical |
+| Driver fingerprint change | `integrity_violation` | high |
+| Device allowlist fail | `integrity_violation` | high |
+| Other anomalies | `model_behavior_anomaly` | high |
+
+## Configuration
+
+- **Profile:** `/etc/secure-ai/gpu-integrity/default-profile.yaml`
+- **Baseline:** `/var/lib/secure-ai/gpu-integrity/baseline.yaml`
+- **Audit log:** `/var/lib/secure-ai/logs/gpu-integrity-audit.jsonl`
+
+### Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `INTEGRITY_PROFILE` | `profiles/default-profile.yaml` | Profile YAML path |
+| `SERVICE_TOKEN` | (none) | Bearer token for protected endpoints |
+| `AUDIT_LOG` | (none) | JSONL audit log path |
+| `INCIDENT_RECORDER_URL` | (from profile) | Override incident-recorder URL |
+
+## CLI Commands
+
+```bash
+gpu-integrity-watch check      # Run probes once, exit 0/1/2
+gpu-integrity-watch watch      # Continuous foreground monitoring
+gpu-integrity-watch daemon     # HTTP daemon + background monitoring
+gpu-integrity-watch baseline   # Capture baseline hashes
+gpu-integrity-watch status     # Query daemon status
+```
+
+## Actions
+
+| Action | Type | Trigger | Effect |
+|--------|------|---------|--------|
+| Alert | `alert` | warning | Send webhook or log alert |
+| Reload | `reload` | warning | Signal inference server to reload model |
+| Quarantine | `quarantine` | critical | Move model files to quarantine directory |
+| Fail Closed | `fail_closed` | critical | Shut down inference server |
+
+## API Endpoints
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| GET | `/health` | No | Liveness check |
+| POST | `/v1/check` | No | Trigger full probe cycle |
+| GET | `/v1/status` | No | Latest verdict, trend, probes, actions |
+| GET | `/v1/history` | No | Score history array |
+| GET | `/v1/metrics` | No | Counter metrics |
+| GET | `/v1/attest-state` | No | GPU attestation state for runtime-attestor |
+| POST | `/v1/baseline` | Token | Recapture baseline from model directory |
+| POST | `/v1/reload` | Token | Reload profile and baseline from disk |
+
+## Systemd Hardening
+
+| Mechanism | Setting |
+|-----------|---------|
+| Dynamic user | `DynamicUser=yes` |
+| Filesystem | `ProtectSystem=strict`, `ProtectHome=yes` |
+| Network | `RestrictAddressFamilies=AF_UNIX AF_INET`, localhost only |
+| Capabilities | `CapabilityBoundingSet=` (empty) |
+| Memory | `MemoryDenyWriteExecute=yes` |
+| Seccomp | Custom seccomp-BPF profile |
+| Landlock | Read: `/etc/secure-ai`, `/sys/class/drm`, `/sys/bus/pci/devices`, `/dev/dri`; Write: `/var/lib/secure-ai/logs`, `/var/lib/secure-ai/gpu-integrity` |
+
+## Test Coverage
+
+81 tests covering:
+- Tensor hash probes (5 tests)
+- Sentinel inference/drift probes (3 tests)
+- ECC status parsing (5 tests)
+- Similarity computation (4 tests)
+- Scoring engine (7 tests)
+- Action execution (5 tests)
+- Integration pipeline (2 tests)
+- HTTP endpoints (10 tests)
+- Token authentication (3 tests)
+- Driver fingerprint probes (5 tests)
+- Device allowlist probes (5 tests)
+- Attestation state building (3 tests)
+- Incident classification (4 tests)
+- New probe integration (2 tests)
+- Scoring with new weights (1 test)
+
+```bash
+cd services/gpu-integrity-watch && go test -v -race ./...
+```
+
+## Related
+
+- [Runtime Attestor](runtime-attestor.md) -- consumes GPU attest-state
+- [Incident Recorder](incident-recorder.md) -- receives GPU integrity incidents
+- [Integrity Monitor](integrity-monitor.md) -- continuous file integrity
+- [Architecture](../architecture.md) -- system design overview
+- [Threat Model](../threat-model.md) -- GPU-related threat classes