SecAI-Hub
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 35 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 6 additions & 3 deletions b/‎README.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎docs/m5-control-matrix.md‎
Lines changed: 91 additions & 0 deletions b/‎docs/m5-control-matrix.md‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎docs/security-status.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/security-status.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/supply-chain-provenance.md‎
Lines changed: 74 additions & 0 deletions b/‎docs/supply-chain-provenance.md‎
Lines changed: 74 additions & 0 deletions
@@ -74,6 +74,7 @@ jobs:
           python -m py_compile services/agent/agent/executor.py
           python -m py_compile services/agent/agent/storage.py
           python -m py_compile services/agent/agent/capabilities.py
+          python -m py_compile services/agent/agent/sandbox.py
 
       - name: Test
         run: python -m pytest tests/ -v
@@ -199,3 +200,37 @@ jobs:
           done
 
           echo "=== Supply chain verification passed ==="
+
+  security-regression:
+    name: Security Regression Tests
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.12"
+
+      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version: "1.23"
+
+      - name: Install Python dependencies
+        run: pip install pyyaml flask requests pytest
+
+      - name: Run adversarial Python tests
+        run: python -m pytest tests/test_adversarial.py -v --tb=short
+
+      - name: Run MCP firewall adversarial tests
+        working-directory: services/mcp-firewall
+        run: go test -v -race -run TestAdversarial ./...
+
+      - name: Run policy-engine adversarial tests
+        working-directory: services/policy-engine
+        run: go test -v -race -run TestAdversarial ./...
+
+      - name: Run incident-recorder recovery tests
+        working-directory: services/incident-recorder
+        run: go test -v -race -run "TestRecovery|TestEscalation|TestForensic|TestLatched" ./...
@@ -150,7 +150,7 @@ Every model passes through the same fully automatic pipeline:
 | **Updates** | Cosign-verified rpm-ostree, staged workflow, greenboot auto-rollback |
 | **Supply Chain** | Per-service CycloneDX SBOMs, SLSA3 provenance attestation, cosign-signed checksums |
 
-See [docs/threat-model.md](docs/threat-model.md) for threat classes, residual risks, and security invariants. See [docs/security-status.md](docs/security-status.md) for implementation status of all 42 milestones.
+See [docs/threat-model.md](docs/threat-model.md) for threat classes, residual risks, and security invariants. See [docs/security-status.md](docs/security-status.md) for implementation status of all 43 milestones.
 
 ### Verify Image Signatures
 
@@ -200,7 +200,7 @@ See [docs/policy-schema.md](docs/policy-schema.md) for full schema reference. Se
 | [Threat Model](docs/threat-model.md) | Threat classes, invariants, residual risks |
 | [API Reference](docs/api.md) | HTTP API for all services |
 | [Policy Schema](docs/policy-schema.md) | Full policy.yaml schema reference |
-| [Security Status](docs/security-status.md) | Implementation status of all 42 milestones |
+| [Security Status](docs/security-status.md) | Implementation status of all 43 milestones |
 | [Test Matrix](docs/test-matrix.md) | Test coverage: 1000+ tests across Go, Python, shell |
 | [Compatibility Matrix](docs/compatibility-matrix.md) | GPU, VM, and hardware support |
 | [Security Test Matrix](docs/security-test-matrix.md) | Security feature test coverage |
@@ -224,6 +224,8 @@ See [docs/policy-schema.md](docs/policy-schema.md) for full schema reference. Se
 | [Runtime Attestor](docs/components/runtime-attestor.md) | TPM2 attestation and startup gating |
 | [Integrity Monitor](docs/components/integrity-monitor.md) | Continuous file integrity verification |
 | [Incident Recorder](docs/components/incident-recorder.md) | Security event capture and auto-containment |
+| [M5 Control Matrix](docs/m5-control-matrix.md) | M5 acceptance criteria, enforcement paths, operator verification |
+| [Supply Chain Provenance](docs/supply-chain-provenance.md) | Provenance pipeline, SBOM coverage, key material |
 
 ### Install Guides
 
@@ -327,7 +329,7 @@ See [docs/test-matrix.md](docs/test-matrix.md) for full breakdown.
 ## Roadmap
 
 <details>
-<summary>All 42 milestones (click to expand)</summary>
+<summary>All 43 milestones (click to expand)</summary>
 
 - [x] **M0** -- Threat model, dataflow, invariants, policy files
 - [x] **M1** -- Bootable OS, encrypted vault, GPU drivers
@@ -372,6 +374,7 @@ See [docs/test-matrix.md](docs/test-matrix.md) for full breakdown.
 - [x] **M40** -- Agent verified supervisor hardening (signed tokens, replay protection, two-phase approval)
 - [x] **M41** -- HSM-backed key handling (pluggable keystore: software/TPM2/PKCS#11)
 - [x] **M42** -- Enforcement wiring + CI supply chain verification
+- [x] **M43** -- Stronger isolation: sandbox tightening, adversarial tests, CI security regression, MCP isolation, recovery ceremonies, M5 acceptance suite
 
 </details>
 
 
@@ -0,0 +1,91 @@
+# M5 Control Matrix — Stronger Isolation Acceptance Criteria
+
+This matrix maps each M5 security control to its enforcing component, failure mode, test coverage, and audit evidence. A reviewer or operator can use this matrix to verify that every claimed control is actually implemented, tested, and observable.
+
+Last updated: 2026-03-14
+
+## Control Matrix
+
+| # | Control | Enforcing Component | Failure Mode | Test Covering It | Audit Evidence |
+|---|---------|-------------------|--------------|-----------------|----------------|
+| 1 | Startup gating via TPM2 attestation | Runtime Attestor (:8505) | Service refuses to start; reports `attestation_failure` to Incident Recorder | `TestAttest_BadTPMState`, `TestChain_AttestationFailure_ContainmentDispatched` | `incident-recorder-audit.jsonl` entry class=attestation_failure |
+| 2 | Continuous file integrity monitoring | Integrity Monitor (:8510) | State transitions to `degraded`; reports violations to Incident Recorder | `TestScan_BaselineMismatch`, `TestChain_IntegrityViolation_FreezeAndDisable` | Baseline scan results + incident report with file paths/hashes |
+| 3 | Auto-containment on integrity violation | Incident Recorder (:8515) | freeze_agent + disable_airlock + force_vault_relock dispatched | `TestChain_IntegrityViolation_FreezeAndDisable`, `TestExecuteContainment_FreezeAgent` | Containment dispatch logs + target service acknowledgment |
+| 4 | Auto-containment on attestation failure | Incident Recorder (:8515) | freeze_agent + disable_airlock + force_vault_relock dispatched | `TestChain_AttestationFailure_ContainmentDispatched` | Incident record with state=contained |
+| 5 | Model quarantine on manifest mismatch | Incident Recorder (:8515) → Registry (:8470) | quarantine_model + freeze_agent dispatched | `TestChain_ManifestMismatch_QuarantinesModel` | POST to /api/v1/quarantine with model_path |
+| 6 | GPU runtime integrity verification | GPU Integrity Watch (:8495) | Warning/critical verdict triggers incident report | `TestProbe_DriverFingerprint`, `TestChain_GPUAnomaly_IncidentAndQuarantine` | GPU probe results + incident class=model_behavior_anomaly |
+| 7 | Centralised policy decisions (6 domains) | Policy Engine (:8500) | Allow/deny with structured evidence | `TestDecide_ToolAccess_*`, `TestDecide_AgentRisk_*` (37 tests) | PolicyDecision JSON with decision, reason, evidence |
+| 8 | Deny-by-default tool firewall | Tool Firewall (:8475) | Unknown tools denied | `TestEvaluate_*` (10 tests) | Audit log with tool name + decision |
+| 9 | Deny-by-default MCP firewall | MCP Firewall (:8496) | Unknown servers/tools denied; taint propagation; input redaction | `TestEvaluate_*`, `TestAdversarial_*` (44+ tests) | Hash-chained audit log + signed decision receipts |
+| 10 | HMAC-signed capability tokens | Agent (:8476) capabilities.py | Token verification: expiry, nonce replay, HMAC signature | `TestTokenSigning`, `test_stale_capability_token_rejected`, `test_replayed_capability_token_rejected` | Token ID in agent-audit.jsonl per step |
+| 11 | Two-phase approval for high-risk actions | Agent (:8476) policy.py | TRUST_CHANGE, EXPORT_DATA, WIDEN_SCOPE etc. always escalated to "ask" | `test_two_phase_actions_require_approval` | PolicyDecision with decision=ask for TWO_PHASE_ACTIONS |
+| 12 | Step signature validation | Agent sandbox.py | Step modified between planning and execution is rejected | `test_signed_step_verifies`, `test_tampered_step_fails_verification` | Step signature in audit trail |
+| 13 | Per-step capability re-validation | Agent sandbox.py | Path/tool/scope mutations caught at execution time | `test_path_mutation_caught_at_execution`, `test_tool_mutation_caught_at_execution` | Re-validation check in executor log |
+| 14 | Workspace hard walls | Agent sandbox.py WorkspaceGuard | Symlink escape, cross-workspace FD reuse, hardlink tricks detected | `test_symlink_traversal_blocked`, `test_workspace_id_spoofing_blocked` | Workspace violation log entry |
+| 15 | Storage gateway blocked paths | Agent storage.py | /etc/shadow, /etc/passwd, policy files, service tokens always blocked | `test_shadow_file_blocked`, `test_service_token_blocked` | Storage gateway deny in audit log |
+| 16 | Sensitivity ceiling enforcement | Agent policy.py + storage.py | Files exceeding sensitivity ceiling are blocked | `TestSensitivity_*` | Sensitivity classification in read result |
+| 17 | Recovery ceremony after containment | Incident Recorder recovery.go | Require ack + re-attestation before returning to trusted mode | `TestRecovery_CriticalRequiresReattestation` | Recovery requirement record with ack/reattest timestamps |
+| 18 | Latched degraded states | Incident Recorder recovery.go | attestation_failure, integrity_violation, unauthorized_access, manifest_mismatch remain latched | `TestLatchedClasses` | Incident state remains until manual review |
+| 19 | Severity escalation | Incident Recorder recovery.go | Repeated medium-severity events escalate per rules | `TestEscalation_RepeatedPromptInjection` | Escalated severity in incident record |
+| 20 | Forensic bundle export | Incident Recorder recovery.go | Signed export of incidents, audit, state, policy digest | `TestForensicBundle_ExportAndVerify`, `TestForensicBundle_TamperDetection` | Forensic bundle JSON with HMAC signature |
+| 21 | Service token propagation | Incident Recorder containment.go | Bearer token included in all containment HTTP calls | `TestChain_BearerToken_PropagatedToContainment` | Authorization header in containment requests |
+| 22 | HSM/TPM2 key management | Agent keystore.py | Software/TPM2/PKCS#11 backends with auto-detection | `TestKeystore_*` (31 tests) | Keystore provider name in agent startup log |
+| 23 | Prompt injection detection | MCP Firewall global rules | Shell metacharacters and prompt patterns detected and denied | `TestAdversarial_MalformedMCPPayload` | Global rule match in audit log |
+| 24 | MCP taint tracking | MCP Firewall taint.go | Session-scoped taint propagation prevents data flow violations | `TestAdversarial_TaintBypassAttempt`, `TestTaint_*` | Taint entries per session ID |
+| 25 | SBOM generation verification | CI supply-chain-verify job | Syft generates SBOMs for all services | CI workflow step output | CycloneDX SBOM artifacts |
+| 26 | Release provenance attestation | Release workflow (release.yml) | cosign attest with SLSA3 provenance | CI workflow attestation step | Signed provenance attestation |
+
+## End-to-End Enforcement Paths
+
+### Path 1: Bad Attestation → Service Startup Blocked
+```
+Runtime Attestor detects TPM2 quote mismatch
+  → State transitions to "failed"
+  → POST to Incident Recorder: class=attestation_failure, severity=critical
+  → Incident Recorder creates incident with auto-containment
+  → Containment: freeze_agent + disable_airlock + force_vault_relock
+  → Recovery: requires operator ack + re-attestation ceremony
+```
+**Test:** `TestChain_AttestationFailure_ContainmentDispatched`
+
+### Path 2: Baseline Mismatch → Degraded → Incident → Containment
+```
+Integrity Monitor detects file hash mismatch
+  → State transitions to "degraded"
+  → POST to Incident Recorder: class=integrity_violation, severity=high
+  → Incident Recorder creates incident with auto-containment
+  → Containment: freeze_agent + disable_airlock + force_vault_relock
+  → State latched until manual review
+```
+**Test:** `TestChain_IntegrityViolation_FreezeAndDisable`
+
+### Path 3: High-Risk Agent Action → Two-Phase Approval
+```
+Agent planner proposes TRUST_CHANGE step
+  → Policy engine evaluate_with_evidence: decision="ask"
+  → Step remains PENDING until user approves via /v1/task/<id>/approve
+  → On approval: token re-verified, step signature re-checked
+  → Executor re-validates capability before execution
+```
+**Test:** `test_two_phase_actions_require_approval`
+
+### Path 4: MCP Request with Tainted Input → Deny/Sanitize
+```
+MCP Firewall receives request from tainted session
+  → TaintState checked for session: external-data label found
+  → TaintRule "no-external-to-write" matches target tool
+  → Decision: deny with reason "taint rule violation"
+  → Audit entry with taint evidence
+```
+**Test:** `TestAdversarial_TaintBypassAttempt`
+
+## Operator Verification
+
+An operator can verify the enforcement chain is active by:
+
+1. **Check service health:** `curl http://localhost:8515/health` — incident recorder reports open incident count
+2. **Check recovery status:** `curl http://localhost:8515/api/v1/recovery/status` — pending recovery ceremonies
+3. **Export forensic bundle:** `curl http://localhost:8515/api/v1/forensic/export` — signed evidence package
+4. **Check attestation state:** `curl http://localhost:8505/api/v1/state` — current attestation status
+5. **Check integrity state:** `curl http://localhost:8510/api/v1/state` — current integrity baseline status
+6. **Verify audit chain:** `curl http://localhost:8496/v1/audit/verify` — MCP firewall audit chain integrity
@@ -2,7 +2,7 @@
 
 This document tracks the implementation status of all security features in SecAI_OS.
 
-Last updated: 2026-03-14
+Last updated: 2026-03-15
 
 ## Implemented Features
 
@@ -51,11 +51,11 @@ Last updated: 2026-03-14
 | Agent Verified Supervisor hardening | Implemented | M40 | HMAC-SHA256 signed capability tokens bound to task/intent/policy, nonce replay protection, token expiry, two-phase approval for high-risk actions, per-step PolicyDecision evidence in audit trail, 128 agent tests (up from 93) |
 | HSM-backed key handling | Implemented | M41 | Keystore abstraction layer with pluggable backends (software/TPM2/PKCS#11), key rotation, PCR-sealed TPM2 key hierarchy, PKCS#11 HSM stub for external hardware, auto-detection of available backends, keystore.yaml config, 159 agent tests (up from 128) |
 | Enforcement wiring + CI supply chain verification | Implemented | M42 | Integrity monitor → incident recorder reporting, runtime attestor → incident recorder reporting, incident recorder → containment action execution (freeze agent, disable airlock, force vault relock, quarantine model), CI SBOM generation verification via Syft, cosign availability check, release workflow provenance validation |
+| Stronger isolation (M5 hardening) | Implemented | M43 | Per-service sandbox tightening (device cgroups, resource limits, namespace isolation), agent execution compartmentalization (step signatures, subprocess isolation, per-step capability re-validation), workspace hard walls (symlink/hardlink/FD-reuse detection), model worker isolation profiles, formal adversarial test suite (prompt injection, policy bypass, containment, GPU tamper), CI security regression gate, MCP-specific isolation (trust tier enforcement, per-tool profiles, session binding, dynamic registration denial), recovery ceremony (ack + re-attestation), latched degraded states, severity escalation rules, forensic bundle export (signed), M5 control matrix doc, supply chain provenance doc, M5 acceptance suite (30 tests) |
 
 ## Planned Features
 
 | Feature | Status | Notes |
 |---------|--------|-------|
 | Agent Mode Phase 2: Explainability | Planned | Detailed explanations for quarantine/registry/airlock decisions, per-workspace permissions, audit views |
 | Agent Mode Phase 3: Online-assisted | Planned | Airlock-mediated outbound, search mediation, redaction flows, approval UX for online steps |
-| Agent Mode Phase 4: Stronger isolation | Planned | Adversarial testing, additional sandboxing profiles, policy bypass regression tests |
@@ -0,0 +1,74 @@
+# Supply Chain & Provenance Architecture
+
+This document describes which workflow is the source of truth for each stage of the SecAI OS supply chain: image builds, release artifacts, SBOM generation, provenance attestation, and verification before install/update.
+
+Last updated: 2026-03-14
+
+## Workflow Responsibilities
+
+| Stage | Source of Truth | Workflow File | Trigger |
+|-------|----------------|---------------|---------|
+| **OS Image Builds** | `build.yml` | `.github/workflows/build.yml` | Push to main, daily schedule (06:00), manual dispatch |
+| **Release Artifacts** | `release.yml` | `.github/workflows/release.yml` | Tag push (`v*`), manual dispatch |
+| **CI Tests** | `ci.yml` | `.github/workflows/ci.yml` | Push to main, PRs, manual dispatch |
+| **Image SBOM** | `build.yml` | `.github/workflows/build.yml` | After image build (non-PR only) |
+| **Service SBOMs** | `release.yml` | `.github/workflows/release.yml` | At release time |
+| **Provenance Attestation** | `release.yml` | `.github/workflows/release.yml` | At release time |
+| **Signing** | `build.yml` + `release.yml` | Both | cosign with `SIGNING_SECRET` |
+| **Verification** | `ci.yml` (supply-chain-verify job) | `.github/workflows/ci.yml` | Every CI run |
+
+## Provenance Pipeline
+
+```
+build → attest → sign → verify → promote
+```
+
+### 1. Build (build.yml)
+- BlueBuild action builds the OS image from `recipes/recipe.yml`
+- Image published to `ghcr.io/sec_ai/secai_os`
+- cosign signs the image using `SIGNING_SECRET`
+
+### 2. Attest (build.yml + release.yml)
+- **Image SBOM:** `anchore/sbom-action` generates CycloneDX JSON SBOM for the OS image
+- **SBOM Attestation:** `cosign attest --type cyclonedx` creates a signed attestation binding the SBOM to the image
+- **Service SBOMs:** Syft generates per-service CycloneDX SBOMs at release time
+- **SLSA3 Provenance:** `actions/attest-build-provenance` generates GitHub-native SLSA3 provenance attestation
+
+### 3. Sign (build.yml + release.yml)
+- All images signed with cosign + `SIGNING_SECRET`
+- Release checksums (SHA256SUMS) signed with cosign
+- SBOM attestations signed with cosign private key
+
+### 4. Verify (ci.yml)
+The `supply-chain-verify` CI job validates:
+- Syft can generate SBOMs for all Go and Python services
+- cosign is available and functional
+- `release.yml` contains required provenance keywords: `sbom-action`, `attest-build-provenance`, `cosign`, `cyclonedx`, `SHA256SUMS`
+- `build.yml` contains required SBOM keywords: `sbom-action`, `cosign attest`, `cyclonedx`
+
+### 5. Promote (runtime)
+- At boot, the Runtime Attestor (:8505) verifies the measured boot chain
+- rpm-ostree atomic updates ensure image integrity
+- Greenboot health checks verify post-boot system state
+
+## Key Material
+
+| Key | Purpose | Storage | Rotation |
+|-----|---------|---------|----------|
+| `SIGNING_SECRET` | cosign image + SBOM signing | GitHub encrypted secret | Manual rotation |
+| HMAC signing key | Capability token + audit chain signing | Keystore (software/TPM2/HSM) | Auto-rotation via keystore |
+| TPM2 sealed keys | Vault encryption, attestation | TPM2 PCR-sealed | PCR policy change triggers re-seal |
+
+## SBOM Coverage
+
+| Component | Generator | Format | When |
+|-----------|-----------|--------|------|
+| OS image | anchore/sbom-action | CycloneDX JSON | build.yml (non-PR) |
+| Go services (9) | Syft | CycloneDX JSON | release.yml + ci.yml verification |
+| Python services (6) | Syft | CycloneDX JSON | release.yml + ci.yml verification |
+
+### Go Services
+airlock, registry, tool-firewall, gpu-integrity-watch, mcp-firewall, policy-engine, runtime-attestor, integrity-monitor, incident-recorder
+
+### Python Services
+agent, ui, quarantine, common, diffusion-worker, search-mediator