Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions ROADMAP.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,10 @@ evaluator and gate, not a parallel policy path. Near-term work under that bet:
- Session-aware decision caching: cache keyed on the grant overlay and command rather than bypassed whenever a session prompt is attached, so repeated commands within a session skip the evaluator round trip.
- CLI surface completeness: `verb show`/`verb delete`, `session extend`, session labels with filtered listing and bulk revoke, a requester-side hold withdrawal, a provisional detail view, and shell completions. Client-facing reads stay scoped to requester-owned state; clients are treated as well-intentioned but possibly compromised.
- Status depth: verb-catalog short content-hash and last-change time (cross-daemon drift comparison), queue depths, learned-store counts, and a client/server version-mismatch warning in `guard status`.
- Session behavioral containment: per-session telemetry counters (commands, evaluator calls, denials, holds, cache hits) surfaced in `session show` and the notify hook, and a circuit breaker on behavioral signals (deny-ratio windows, hold-flood attempts) that trips a session into a suspended deny-all posture pending operator review, keyed per session token with the per-principal pending cap as the outer backstop. Containment targets misbehavior, not evaluator spend; per-call evaluation stays unmetered. Behavioral aggregates are the containment layer a per-call gate can honestly offer against multi-step trajectory attacks (Ctrl-Z, arXiv:2504.10374; see `ctf/BASHCONTROL.md`).
- Session-coupled API proxy policy: per-session policy overlays where the `evaluate` action's intent prose derives from the session grant's prose, allow/deny rules narrow to the grant, learned shapes scope per grant profile, and proxied requests carry session attribution into session history — so granting a tool like helm or ansible a brokered credential boxes its API traffic inside the caller's session grant.
- Audit durability: an audit sink independent of the log-level filter, session tokens on per-command audit lines, per-use secret audit events (name, session, command — never values), persisted child exit codes, and configurable interaction-history retention.
- Documentation layout: a short README (overview, quickstart, pointers) with deep reference material (environment variables, session grants, API proxy, consequence gating, verb catalog, security model) split into per-topic docs pages.
- Filesystem gate for in-process mutations (Linux): a seccomp user-notification supervisor that gates file-mutating syscalls per path, and an overlay diff/revert envelope that runs a tool against a copy-on-write upper layer and commits or discards the changeset as a unit.
- Secret-value binding hardening: extend the held-command value binding to the verb-rendered argv, so an operator-reviewed verb invocation also fails closed if a referenced secret changes between hold and approval.
- MCP transport breadth: server-initiated SSE streaming on the HTTP MCP endpoint, added only when an agent runtime needs streamed tool output rather than the current request/response shape.
Expand Down
Loading