dev → main: v0.1.0 governance hardening, Phase 2 daemon, e2e showcase, dependabot bumps #17

Open. gnanirahulnutakki wants to merge 144 commits into main from dev

gnanirahulnutakki commented May 26, 2026

Summary

Promotes dev to main with 81 commits. This is the full v0.1.0 hardening cycle that brings all governance features from development into the release branch.

Governance & Policy Engine

  • MIC-State / MIC-Evidence conformance — manifest digests, envelope signatures, visibility checks, hidden-hop detection
  • Multi-backend composition — native, Cedar DSL, forbid_rules with deny-wins semantics
  • Declared telemetry (B.2 fail-closed) — missing fields → INSUFFICIENT_EVIDENCE
  • Delegation replay hardening
  • Biscuit auth + bearer token enforcement

Proxy Surface

  • TLS support, kill switch, rate limiting
  • Prometheus metrics `/metrics` endpoint
  • Health + JWKS endpoints

Phase 2 Daemon

  • Unix socket server with accept loop
  • Peer credential retrieval + handshake contract
  • Launch-wrapper session proof seam
  • eBPF process exec/exit capture MVP
  • Cgroup allowlist filter + daemon custody scaffold

Claude Code & Gemini Integration

  • Claude Code hook plugin (PreToolUse/PostToolUse with chained receipts)
  • Gemini CLI hook with telemetry
  • Posture detector (read-only Claude Code posture)

Testing

  • E2E showcase — 28 tests across 7 layers using real Ollama
  • Phase 1 + 2 adversarial test suites
  • RWT harness gate — real-world testing harness
  • Coverage tests for log_rotation, backed_policy_store

Dependabot bumps

  • Go: cilium/ebpf, k8s.io/*, controller-runtime, cedar-go
  • Docker: python 3.13→3.14, spire-agent
  • CI: setup-go, setup-python, checkout, cache, codeql-action

Test plan

  • Python: 659 passed, 21 skipped
  • Go: all tests pass
  • E2E showcase: 28/28 passing

🤖 Generated with Claude Code

dependabot Bot and others added 30 commits May 4, 2026 04:45
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.23.3 to 0.24.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](kubernetes-sigs/controller-runtime@v0.23.3...v0.24.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-version: 0.24.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Document that live external-API tests must be opt-in, locally approved, environment-backed, and non-persistent. Refresh the source-backed Hugo mirrors for the changed guidance.

Documents that `.github/workflows/tests.yml` already covers the offline
examples smoke via `python/tests/test_examples_smoke.py`. Removes the stale
"no examples smoke CI yet" claim from examples/docs. Adds an offline/no-key
examples-smoke regression test for checked-in mission fixtures.

The live-provider framework quickstarts remain opt-in/manual.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- Validate ARDUR_TRACE_ID against safe regex before using as path component
  (prevents path traversal via env-controlled trace-id directory name)
- Add read deadline (10s) and 64 KiB line-size limit to daemon Unix socket
  reader (prevents DoS via unbounded read and goroutine leak on slow client)
- Pin all Python dependencies with compatible upper bounds to prevent
  silent pull of breaking-change or vulnerable releases

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
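The read deadline and line-size limit described in the commit message above, as an added Go example that is not the project's code. `readBoundedLine`, `errLineTooLong` and the `net.Pipe` stand-in for the Unix socket are assumptions; only the 10 s and 64 KiB values come from the page.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

const (
	maxLineBytes = 64 * 1024        // 64 KiB cap named in the commit message
	readDeadline = 10 * time.Second // 10 s deadline named in the commit message
)

var errLineTooLong = errors.New("line exceeds size limit")

// readBoundedLine (hypothetical helper) reads one newline-terminated message.
// It fails if the peer stalls past the deadline or sends more than max bytes
// (newline included), so a handler goroutine cannot be pinned indefinitely.
func readBoundedLine(conn net.Conn, max int, timeout time.Duration) ([]byte, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	// LimitReader caps the bytes consumed; the one extra byte distinguishes
	// "exactly max" from "over max".
	r := bufio.NewReader(io.LimitReader(conn, int64(max)+1))
	line, err := r.ReadBytes('\n')
	if len(line) > max {
		return nil, errLineTooLong
	}
	if err != nil {
		return nil, err // timeout, EOF before newline, or closed connection
	}
	return line[:len(line)-1], nil
}

func main() {
	client, server := net.Pipe() // in-memory stand-in for the daemon socket
	defer client.Close()
	defer server.Close()
	go client.Write([]byte("{\"op\":\"handshake\"}\n")) // constructed sample message
	line, err := readBoundedLine(server, maxLineBytes, readDeadline)
	fmt.Printf("%q %v\n", line, err)
}
```

On either error the caller should close the connection rather than retry the read, since the stream position is no longer at a message boundary.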
- Validate ARDUR_HOOK_CC basename against known compiler set
- Validate passthrough daemon hook input has required fields
- Add post-write permission verification warning for private key files
- Mark child_receipt_summary with integrity=unverified flag
- Rename pathWithin to lexicalPathWithin with explicit "do not use for
  production path enforcement" doc comment
- Add cross-references between known-limitations.md and security-model.md
  to prevent conformance-profile documentation drift
- Clarify insufficient_evidence/unknown taxonomy link to coverage-map.md
- Add custom gitleaks rule for EC private key PEM detection with
  expanded allowlist for test fixtures, caches, and state dirs

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
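Added example, not the project's code: a purely lexical containment check cannot see symlinks, a well-known limit of such helpers, shown here beside a symlink-resolving variant. Only the name `lexicalPathWithin` comes from the page; its body, `resolvedPathWithin`, `demo` and the temporary directory layout are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// lexicalPathWithin (hypothetical body) compares cleaned path strings only.
// It never touches the filesystem, so a symlink under root is invisible to it.
func lexicalPathWithin(root, target string) bool {
	rel, err := filepath.Rel(filepath.Clean(root), filepath.Clean(target))
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolvedPathWithin (hypothetical) resolves symlinks on both sides first.
func resolvedPathWithin(root, target string) bool {
	r, errRoot := filepath.EvalSymlinks(root)
	t, errTarget := filepath.EvalSymlinks(target)
	return errRoot == nil && errTarget == nil && lexicalPathWithin(r, t)
}

// demo builds a constructed layout (root/link -> sibling dir) and checks root/link/data.
func demo() (bool, bool, error) {
	base, err := os.MkdirTemp("", "pathwithin-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	root, outside := filepath.Join(base, "root"), filepath.Join(base, "outside")
	for _, dir := range []string{root, filepath.Join(outside, "data")} {
		if err := os.MkdirAll(dir, 0o700); err != nil {
			return false, false, err
		}
	}
	if err := os.Symlink(outside, filepath.Join(root, "link")); err != nil {
		return false, false, err
	}
	target := filepath.Join(root, "link", "data")
	return lexicalPathWithin(root, target), resolvedPathWithin(root, target), nil
}

func main() {
	fmt.Println(demo())
}
```

The resolving variant still races with filesystem changes made between the check and the later open, so it narrows the gap rather than closing it.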
Automated Ardur Hugo docs hygiene: regenerate source-backed mirrors from dev and verify sync/local quick gates.

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@d35c59a...4a36011)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5.6.0 to 6.2.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps python from 3.13-slim to 3.14-slim.

---
updated-dependencies:
- dependency-name: python
  dependency-version: 3.14-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps python from 3.13-slim to 3.14-slim.

---
updated-dependencies:
- dependency-name: python
  dependency-version: 3.14-slim
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.3.1 to 6.0.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@34e1148...de0fac2)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Comment thread python/tests/test_ardur_personal_hub.py Fixed