feat(core): add kernel-enforced agent runtime with policy, audit, and docs

Introduce a syscall-based kernel (fs/proc/net) with deny-by-default policy evaluation, SQLite-backed audit logging, and TFPv1 local agent-op enforcement returning structured OS-like errors (e.g. EACCES). Migrate tooling access through kernel wrappers, add CI host-access lint and Rust coverage/Codecov integration, and publish full user/dev/ops documentation

Author: nschaetti

.github/workflows/rust.yml

@@ -8,6 +8,7 @@ on:
 
 env:
   CARGO_TERM_COLOR: always
+  COVERAGE_MIN_LINES: "30"
 
 jobs:
   build:
@@ -16,7 +17,34 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+    - name: Tooling host-access lint
+      run: bash scripts/check_tooling_no_direct_host_access.sh
     - name: Build
       run: cargo build --verbose
     - name: Run tests
       run: cargo test --verbose
+
+  coverage:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Install cargo-llvm-cov
+      uses: taiki-e/install-action@cargo-llvm-cov
+    - name: Generate coverage (lcov + threshold)
+      run: cargo llvm-cov --workspace --lcov --output-path lcov.info --fail-under-lines $COVERAGE_MIN_LINES
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v5
+      with:
+        files: lcov.info
+        use_oidc: true
+        fail_ci_if_error: true
+        verbose: true
+    - name: Upload coverage report artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: rust-coverage-lcov
+        path: lcov.info

Cargo.toml

@@ -13,7 +13,7 @@ serde = { version = "1.0", features = ["derive"] }
 serde_yaml = "0.9"
 axum = { version = "0.8", features = ["json", "macros"] }
 tokio = { version = "1.44", features = ["macros", "rt-multi-thread"] }
-rustls = "0.23"
+rustls = { version = "0.23", features = ["ring"] }
 axum-server = { version = "0.7", features = ["tls-rustls"] }
 time = { version = "0.3", features = ["formatting", "parsing"] }
 tokio-rustls = "0.26"
@@ -23,3 +23,8 @@ hyper-util = { version = "0.1", features = ["server", "http1", "http2", "tokio",
 x509-parser = "0.16"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["fmt", "json"] }
+rusqlite = { version = "0.32", features = ["bundled"] }
+
+[dev-dependencies]
+rcgen = "0.13"
+tempfile = "3.13"

README.md

@@ -1,8 +1,80 @@
 # TuringFlow
 
+[![Rust CI](https://github.com/nschaetti/TuringFlow/actions/workflows/rust.yml/badge.svg)](https://github.com/nschaetti/TuringFlow/actions/workflows/rust.yml)
+[![codecov](https://codecov.io/gh/nschaetti/TuringFlow/branch/main/graph/badge.svg)](https://codecov.io/gh/nschaetti/TuringFlow)
+
 <p align="center">
     <picture>
         <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/nschaetti/TuringFlow/refs/heads/main/images/turingflow_banner.png">
-        <img src="https://raw.githubusercontent.com/nschaetti/TuringFlow/refs/heads/main/images/turingflow_banner.png" alt="OpenClaw" width="500">
+        <img src="https://raw.githubusercontent.com/nschaetti/TuringFlow/refs/heads/main/images/turingflow_banner.png" alt="TuringFlow" width="500">
     </picture>
 </p>
+
+TuringFlow is an agent transport + runtime foundation with:
+
+- a secure `TFPv1` daemon (`turingflowd`) over mTLS,
+- registry/routing/ack/dedupe persistence in SQLite,
+- a kernel-style access control model for agent operations,
+- CLI tooling for model interactions.
+
+## Current scope
+
+- `turingflowd` API endpoints: health, register, heartbeat, resolve, send, ack.
+- Config-driven runtime:
+  - `config/turingflowd.yaml`
+  - `config/kingdoms.yaml`
+  - `config/policies.yaml`
+- Kernel syscalls and policy engine:
+  - `fs.list/read/write`
+  - `proc.exec`
+  - `net.http`
+  - deny-by-default + audit log in SQLite.
+
+## Quick start
+
+Build:
+
+```bash
+cargo build
+```
+
+Show CLI help:
+
+```bash
+cargo run --bin turingflow -- --help
+```
+
+Show daemon help:
+
+```bash
+cargo run --bin turingflowd -- --help
+```
+
+Run daemon (requires valid cert files in config):
+
+```bash
+cargo run --bin turingflowd -- --config config/turingflowd.yaml --kingdoms-config config/kingdoms.yaml
+```
+
+## Documentation
+
+- User docs: `docs/user/quickstart.md`
+- Developer docs: `docs/dev/architecture.md`
+- Operations docs: `docs/ops/runbook.md`
+- Full index: `docs/README.md`
+
+## Testing
+
+Run all key test suites:
+
+```bash
+cargo test --lib
+cargo test --test tfpv1_integration
+cargo test --test turingflowd_http_integration
+```
+
+Tooling security lint (no direct host access in tools perimeter):
+
+```bash
+bash scripts/check_tooling_no_direct_host_access.sh
+```

config/kingdoms.yaml

@@ -0,0 +1,10 @@
+version: 1
+
+kingdoms:
+  - id: kingdom-main
+    enabled: true
+    quotas:
+      max_agents_per_node: 256
+      max_lease_ttl_ms: 300000
+      max_message_ttl_ms: 60000
+      max_payload_bytes: 262144

config/policies.yaml

@@ -0,0 +1,20 @@
+version: 1
+
+defaults:
+  decision: deny
+
+principals:
+  - id: "agent:planner@node-a.local"
+    rules:
+      - id: "allow-read-workspace"
+        effect: allow
+        syscall: "fs.read"
+        resource:
+          path_prefix:
+            - "/workspace/project"
+      - id: "allow-list-workspace"
+        effect: allow
+        syscall: "fs.list"
+        resource:
+          path_prefix:
+            - "/workspace/project"

config/turingflowd.yaml

@@ -0,0 +1,32 @@
+version: 1
+
+server:
+  listen: 0.0.0.0:8443
+  node_id: turingflowd
+
+tls:
+  server_cert: certs/turingflowd.crt
+  server_key: certs/turingflowd.key
+  client_ca_cert: certs/ca.crt
+  upstream_ca_cert: certs/ca.crt
+  upstream_client_cert: null
+  upstream_client_key: null
+
+security:
+  replay_window_seconds: 60
+
+routing:
+  retry_delays_ms: [0, 250, 1000, 3000]
+
+storage:
+  backend: sqlite
+  sqlite:
+    path: data/turingflow.db
+
+limits:
+  max_payload_bytes: 262144
+  max_message_ttl_ms: 60000
+
+logging:
+  format: json
+  level: info

docs/README.md

@@ -0,0 +1,32 @@
+# Documentation Index
+
+This directory is split by audience.
+
+- User docs: how to run and use TuringFlow.
+- Developer docs: architecture, kernel, API, data model, testing.
+- Ops docs: runbook, observability, migrations.
+
+## User
+
+- `docs/user/quickstart.md`
+- `docs/user/cli.md`
+- `docs/user/daemon.md`
+- `docs/user/configuration.md`
+- `docs/user/security-model.md`
+- `docs/user/troubleshooting.md`
+
+## Developer
+
+- `docs/dev/architecture.md`
+- `docs/dev/kernel.md`
+- `docs/dev/tfpv1-api.md`
+- `docs/dev/storage.md`
+- `docs/dev/testing.md`
+- `docs/dev/contributing.md`
+- `docs/dev/no-direct-host-access.md`
+
+## Operations
+
+- `docs/ops/runbook.md`
+- `docs/ops/observability.md`
+- `docs/ops/migrations.md`

docs/dev/architecture.md

@@ -0,0 +1,23 @@
+# Architecture
+
+## High-level modules
+
+- `src/bin/turingflowd.rs`: daemon entrypoint, API routes, mTLS handling.
+- `src/tfpv1/*`: protocol types, registry, router, dedupe, config loading.
+- `src/tfpv1/storage/*`: SQLite initialization and persistence modules.
+- `src/kernel/*`: policy engine, syscall kernel, providers, audit sink.
+- `src/commands/*`: CLI command handlers and tooling runtime wrappers.
+
+## Request flow (`send`)
+
+1. Validate request and kingdom quotas.
+2. Replay and dedupe checks.
+3. Verify source/destination agents.
+4. If local agent-op payload, execute via kernel syscalls.
+5. Else route message to destination deliver URL.
+
+## Data flow
+
+- Config YAML -> validated structs.
+- State persistence -> SQLite tables/migrations.
+- Policy decisions -> audit records in `syscall_audit_log`.

docs/dev/contributing.md

@@ -0,0 +1,26 @@
+# Contributing
+
+## Development workflow
+
+1. Implement change.
+2. Add/update tests.
+3. Run checks locally.
+4. Open PR with rationale and risk notes.
+
+## Local checks
+
+```bash
+cargo fmt
+cargo check
+cargo test --lib
+cargo test --test tfpv1_integration
+cargo test --test turingflowd_http_integration
+bash scripts/check_tooling_no_direct_host_access.sh
+```
+
+## Coding expectations
+
+- preserve mTLS and identity guarantees
+- preserve deny-by-default semantics
+- no direct host access in tools runtime perimeter
+- keep error contracts stable (`version`, `error.*`)

docs/dev/kernel.md

@@ -0,0 +1,52 @@
+# Kernel and Syscalls
+
+The kernel layer provides controlled host access for agent operations.
+
+## Core components
+
+- `ExecutionContext`: trace/kingdom/agent/tool identity context.
+- `PolicyEngine`: evaluates `allow/deny` for syscall + resource.
+- `Kernel`: façade calling policy then provider.
+- Providers:
+  - `HostFsProvider`
+  - `HostProcessProvider`
+  - `HostNetworkProvider`
+
+## Policy semantics
+
+- deny-by-default
+- principal priority: `agent_tool` > `agent`
+- per-principal rule ordering by priority
+- resource matching supports:
+  - `path_prefix`
+  - `command_allowlist`
+  - `host_allowlist`
+  - `methods`
+
+## Filesystem safety
+
+- canonicalization before access
+- parent canonicalization for writes
+- reject traversal components (`..`, `.`)
+- reject symlink escapes outside root
+
+## Process safety
+
+- allowlist of binaries
+- optional allowlist of args per binary
+- no shell binaries allowed (`sh`, `bash`, ...)
+- no path binaries in command (`/bin/...` rejected)
+
+## Network safety
+
+- allowlist hosts
+- allowlist methods
+- enforce timeout max
+
+## Error mapping
+
+Kernel uses OS-like codes:
+
+- `EACCES`, `ENOENT`, `EINVAL`, `ETIMEOUT`, `ERATELIMIT`, `EINTERNAL`
+
+In daemon API, these are returned in structured error payloads.