Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions ROADMAP.md
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,16 @@ evaluator and gate, not a parallel policy path. Near-term work under that bet:

- Protocol-agnostic REST proxy engine: the `ProtocolConfig` trait, the Kubernetes reference implementation, and mock-tested GitHub/Vercel example configs with adversarial coverage exist (`src/proxy/protocol.rs`, `k8s_protocol.rs`, `github_protocol.rs`, `vercel_protocol.rs`, `tests/protocol_examples.rs`); the gating spine (`decide_gate`, `provisional.rs`, the `GateSink` trait) carried through unchanged. Reverts are protocol-generic HTTP plans (restore prior state, delete created, recreate faithfully snapshottable deletes) executed by the sweeper through the registered proxy's upstream credential, failing loudly when no proxy for the protocol is running; pure side-effect endpoints have no constructible revert and fail closed to hold or deny. Credentials resolve per protocol (kubeconfig for Kubernetes, bearer token from env or file otherwise) and `--api-proxy`/`--api-protocol` wire any protocol from the CLI. The `evaluate` policy action routes a request to a dedicated LLM evaluator judging against the policy's prose intent with revert constructibility as an input, floored by `decide_gate`; rarity escalation reroutes rare shapes to the evaluator when one is attached.
- Self-tuning over proxied traffic: extend the existing evidence-only learned-rule promotion and deny-shape learning to API-request shapes, keeping the narrow exact-value synthesis rather than a model-authored regex. The evaluator-integrated proxy gate now produces the LLM verdicts these stores learn from.
- Revert execution parity: a provisional revert runs with the forward command's env and secret injections instead of an empty injection set, so a revert that needs the forward command's credentials cannot silently fail at revert time.
- Secret-to-file injection: the daemon materializes a stored secret as a daemon-owned 0600 file living for the child's lifetime, exposing the path via an env var. Covers password-file consumers (`ANSIBLE_VAULT_PASSWORD_FILE` unlocking a vaulted `ansible_become_password`, `SUDO_ASKPASS` with `sudo -A`) without stdin or PTY plumbing; the value stays daemon-held, and the mode refuses `--exec-as-caller` so a caller can never read the materialized file directly.
- Unattended holds: an unbounded `--wait-approval` and a configurable hold TTL, plus an optional confirm-check command on a provisional — at the confirm deadline the daemon runs it and its exit status decides confirm versus revert, closing the loop on unattended recoverable changes.
- Operator notification exec-hook: an operator-configured command fired fire-and-forget with event context on hold and provisional lifecycle events. Delivery and its authentication live in the operator's script; guard carries no webhook client. Off by default: a healthy deployment's grants absorb the work and holds stay the exception path.
- Per-scope evaluation modes: mode overrides per grant profile, session, or listener instead of a single daemon-global mode, and endpoint-flag parity so `guard run` accepts the same socket/TCP targeting as every other subcommand, with named endpoint profiles for multi-daemon (per-tier) targeting.
- Concurrent API proxies: one daemon serves multiple protocol proxies on distinct listeners, so Kubernetes and GitHub gating no longer require separate daemons.
- Structured CLI output: `--json` on read commands, an optional structured result envelope for `run` (child stdout/stderr/exit plus decision context), and guard-origin exit codes distinguishable from a child process exiting with the same value.
- Session-aware decision caching: cache keyed on the grant overlay and command rather than bypassed whenever a session prompt is attached, so repeated commands within a session skip the evaluator round trip.
- CLI surface completeness: `verb show`/`verb delete`, `session extend`, session labels with filtered listing and bulk revoke, a requester-side hold withdrawal, a provisional detail view, and shell completions. Client-facing reads stay scoped to requester-owned state; clients are treated as well-intentioned but possibly compromised.
- Status depth: verb-catalog short content-hash and last-change time (cross-daemon drift comparison), queue depths, learned-store counts, and a client/server version-mismatch warning in `guard status`.
- Filesystem gate for in-process mutations (Linux): a seccomp user-notification supervisor that gates file-mutating syscalls per path, and an overlay diff/revert envelope that runs a tool against a copy-on-write upper layer and commits or discards the changeset as a unit.
- Secret-value binding hardening: extend the held-command value binding to the verb-rendered argv, so an operator-reviewed verb invocation also fails closed if a referenced secret changes between hold and approval.
- MCP transport breadth: server-initiated SSE streaming on the HTTP MCP endpoint, added only when an agent runtime needs streamed tool output rather than the current request/response shape.
Expand Down
Loading