Skip to content

docs(architecture): sandbox tier — workload-trust runc+gVisor floor#163

Merged
Yambr merged 8 commits into
next/v1from
feat/sandbox-tier-workload-driven
May 27, 2026
Merged

docs(architecture): sandbox tier — workload-trust runc+gVisor floor#163
Yambr merged 8 commits into
next/v1from
feat/sandbox-tier-workload-driven

Conversation

@Yambr

@Yambr Yambr commented May 27, 2026

Copy link
Copy Markdown
Collaborator

Summary

§02 NFRs and Layer 3 currently claim "microVM-default" while v1 ships only runc + gVisor. This PR replaces the implicit data-class-gated tier model with an explicit operator-trust-profile ladder, and adds two new NFR rows (NFR-SEC-38, NFR-SEC-39) plus a verification refinement on NFR-SEC-35 that make the new model enforceable at admission and observable on downgrade:

  • Solo operator (trusted_operator) → runc — default; preserves one-click solo install invariant.
  • Internal workforce (internal_workforce) → gVisor — v1 hardened default; runc rejected at admission.
  • Untrusted workload (untrusted) → microVM — post-v1 (#161); v1 GA admission rejects with a pointer to the backlog issue (honest non-deployability).

Tech-name leaks (Kata, kata-fc, kata-ch, bare-VM Firecracker, Kata+RKE2) are removed from the catalogue; runtime packaging picks deferred to a future component-spec ADR.

Why now

  • §02 NFR-PERF-03, NFR-SEC-02, NFR-SEC-29, NFR-SEC-35, NFR-FLEX-02/06/09 claim microVM properties that v1 does not ship — verifier-rerun flags these on every release until reframed.
  • Layer 3 §4 multi-tenant invariant uses "non-NPI workloads" framing — a data-class argument that does not hold against adversarial AI-issued code (container-escape attack surface is not bounded by data classification).
  • Layer 3 §6 sentence "Minimal-capability default scope: PUBLIC + INTERNAL only" is the original data-class-gating sentence the PR reframes (now: workload-trust gates the tier; data class still gates BYOK + customer-managed audit sink).
  • Without NFR-SEC-38 (workload-trust declaration), a customer can configure runc for an internal-workforce deployment by mistake and the platform happily runs adversarial-prompt-injection workloads on a shared kernel.

Changes

manifesto/02-nfrs.md

  • New sub-section "Sandbox tier — workload-driven selection" with 3-row tier table + honest-deployability paragraph (untrusted = not deployable v1 GA).
  • Row edits to NFR-PERF-03 (cold-start target generalised), NFR-PERF-09 (gated on microVM ship), NFR-SEC-02 (gVisor v1 hardened default, microVM post-v1), NFR-SEC-29 (tier-matched broker binding), NFR-SEC-35 (KVM precondition limited to microVM tier + N3 Helm pre-install probe + KVM-absent CI test), NFR-FLEX-02 (runtime ladder reframed), NFR-FLEX-06 (microVM qualifier), NFR-FLEX-09 (dropped Kata+RKE2 / bare-VM Firecracker tech names).
  • New AP-13 (picking sandbox tier by data classification — forbidden by NFR-SEC-02 + NFR-SEC-38 + the new sub-section).
  • Pruned remaining "minimal-capability shelf" / "full-capability shelf" terminology from §02 prose.
  • Open Question 5 parenthetical clarifies microVM is post-v1.
  • NFR-SEC-38 (new): Workload-trust profile declaration. Helm pre-install hook + control-plane startup check + CI gate on Helm chart values schema + 9-cell admission test matrix. Commitment; implementation lands when control-plane code exists.
  • NFR-SEC-39 (new): Tier-downgrade alarm. Audit event `config.trust_profile.downgraded`; SIEM-bridge HIGH; SOAR webhook ≤30 s of reconfig commit. Commitment; implementation lands when audit pipeline + SOAR integration exists.

02-trust-boundaries.md

  • §2 Compute plane row reframed in tier terms (runc / gVisor / microVM).
  • §4 multi-tenant invariant rewritten in trust-profile terms — bare runc forbidden for multi-tenant agent execution.
  • §6 data-class-gating sentence reframed (trust-profile picks tier; data class picks BYOK / audit sink).
  • §3, §8, §9, §10, §12 shelf → tier renames (10 occurrences).

.vale/styles/Architecture/ap13-data-class-substrate.yml

  • New vale rule blocks the regex `(NPI|RESTRICTED|CONFIDENTIAL)\s+(→|requires|->)\s+(microVM|hardware-virt)` at level `error` to enforce AP-13 at prose level.

Backlog

  • #161 — `arch: microVM sandbox tier (post-v1, hardware-virt; example: Firecracker)` tracks the post-v1 microVM tier.
  • #162 — `arch: per-session trust profile (v1.1+)` tracks the v1.1+ upgrade from deployment-wide to per-session declaration.

Note on a dropped citation

A prior draft cited "USENIX 2023 UDC paper — 36% gVisor CVE rate." The paper title could not be located in USENIX Security '23 proceedings; the 36% figure is not in any verified primary source. The figure is therefore not in §02 prose.

Implementation deferral (load-bearing)

NFR-SEC-38 and NFR-SEC-39 are commitments, not implementations. The admission test fixture (9-cell matrix), the Helm pre-install hook, the audit event emission, and the SOAR webhook integration land when control-plane code exists. This PR is doc-only; the catalogue rows are the contractual baseline future control-plane work must satisfy.

CI gate notes

  • Doc + YAML-only diff. No source / dep changes.
  • Both architecture files re-stamped `last-reviewed: 2026-05-27`.
  • Line counts: `02-nfrs.md` 283 (was 264); `02-trust-boundaries.md` 192 (was 192; substitutions netted).
  • lychee resolves #161 and #162 references via real URLs.

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

Summary by CodeRabbit

  • Documentation
    • Clarified sandbox tier selection as workload-trust-driven; updated runtime mappings, per-tenant isolation rules (forbids bare runc for multi-tenant execution), data-classification defaults and token/identity/audit guidance; expanded and tightened Security, Performance, Flexibility NFRs; updated manifesto last-reviewed date and open questions.
  • Style
    • Added an anti-pattern enforcement (AP-13) forbidding tier selection based on data classification.

Review Change Stack

Yambr added 4 commits May 27, 2026 11:08
…-section (E1)

Adds the workload-trust-profile axis as a first-class §02 concept ahead of
the catalogue rows that reference it. Three named profiles:

- trusted_operator (solo / dev) → runc
- internal_workforce (vetted employees) → gVisor (v1 hardened default)
- untrusted (unknown actors) → microVM (post-v1, #161; not deployable v1 GA)

Cites Anthropic Self-Hosted Sandboxes (May 2026) as the published
multi-provider precedent. Forward-links NFR-SEC-38/39 (enforceability,
landing in the next commit) and AP-13 (anti-pattern, landing with the
row edits).
…tech-name leaks

Row edits (E2-E11) + new rows (N1/N2) + new anti-pattern (AP-13):

- E2 NFR-PERF-03: cold-start target generalised to hardened tier; per-tier
  baselines in PERF-07/08/09.
- E3 NFR-PERF-09: explicitly gated on microVM tier shipping (#161); not
  enforced in v1.
- E4 NFR-SEC-02: dropped "microVM-default" framing; gVisor v1 hardened
  default; microVM hardware-virt post-v1; tier-appropriate escape
  resistance with seccomp BPF + Landlock + cap-drop in every tier.
- E5 NFR-SEC-29: broker binding substrate matches tier (loopback/UDS on
  runc and gVisor; vsock CID + JWT scope on microVM post-v1).
- E6 NFR-SEC-35: KVM precondition limited to microVM tier; Helm
  pre-install probe ≤2 s with clear error on KVM-absent host;
  CI test on KVM-absent runner.
- E7 NFR-FLEX-02: runtime ladder reframed (runc + gVisor v1; microVM
  post-v1, Firecracker named as example, Kata as one packaging option).
- E8 NFR-FLEX-06: same egress invariant qualified by microVM tier ship.
- E9 NFR-FLEX-09: dropped Kata+RKE2 / bare-VM Firecracker tech names.
- E10 AP-13 (new): picking sandbox tier by data classification is
  forbidden; trust profile picks tier, data class governs custody /
  retention / residency. Backed by vale lint rule landing in next commit.
- E11: pruned remaining "minimal-capability shelf" / "full-capability
  shelf" occurrences inside §02 (NFR-SEC-03 only).
- E12: Open Question 5 parenthetical clarifies microVM is post-v1.

New rows:

- NFR-SEC-38: workload-trust profile declaration is a deployment-time
  invariant; mismatch is admission-time hard error; untrusted profile is
  NOT deployable in v1 GA (admission rejects with pointer to #161).
- NFR-SEC-39: tier-downgrade alarm via audit event
  `config.trust_profile.downgraded`; SIEM-bridge HIGH; SOAR webhook ≤30s.

Both new rows ship as commitments; implementation lands when control-plane
code exists.
… → microVM" phrasing

Enforces §02 anti-pattern AP-13 at the prose level: data classification
does not pick the sandbox substrate. Trust profile picks the tier; data
class governs custody / retention / residency.

Standalone file rather than appended to banned-phrases.yml because vale
existence rules share message/level per-file; AP-13 needs its own message
pointing the author to the §02 anchor.
…rust-profile terms (L1-L14)

Aligns Layer 3 with the §02 workload-trust-driven tier model.

- L1: §2 Compute plane row reframed in tier terms (runc / gVisor / microVM)
  with forward link to the new §02 "Sandbox tier" sub-section.
- L3: §4 multi-tenant invariant rewritten in trust-profile terms — bare
  runc multi-tenant forbidden; gVisor as v1 default; microVM post-v1.
- L4: T0 tier-table label "single-tenant minimal-capability" →
  "solo / dev / single-operator".
- L5, L11, L13, L14: shelf → tier renames in §3, §6, §8, §9, §10, §12 (key
  custody, audit sink, signer narrative, Open question 4).
- L6, L7, L8: §3 actor-table "Optional?" cells use tier names instead of
  shelf labels.
- L9: §6 data-class-gating sentence reframed — trust profile picks the
  tier; data class still picks BYOK + customer-managed audit sink. AP-13
  is the load-bearing forbidder of data-class-driven substrate selection.
- L10: §8 table column headers renamed (Solo / dev tier vs Hardened tier
  and above).
- L12: §8.1 signer paragraph renamed to tier vocabulary.

last-reviewed bumped to 2026-05-27.
@coderabbitai

coderabbitai Bot commented May 27, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 41ce1d62-596e-4160-b8c1-3669e81dfaaa

📥 Commits

Reviewing files that changed from the base of the PR and between 0b9739b and ba96715.

📒 Files selected for processing (2)
  • docs/architecture/02-trust-boundaries.md
  • docs/architecture/manifesto/02-nfrs.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • docs/architecture/02-trust-boundaries.md
  • docs/architecture/manifesto/02-nfrs.md

Walkthrough

This PR establishes a workload-trust-driven sandbox tier selection model replacing prior data-class-driven approaches. It introduces a new Vale enforcement rule for AP-13, defines the workload-trust-profile ladder with tier-to-runtime mapping (runc/gVisor/microVM), and updates trust-boundary documentation and NFRs to reflect tier-appropriate constraints and multi-tenant invariants.

Changes

Workload-Trust Sandbox Tier Model

Layer / File(s) Summary
AP-13 Enforcement Rule
.vale/styles/Architecture/ap13-data-class-substrate.yml
New Vale lint rule configured at error level; flags disallowed classification-to-substrate phrasing using case-insensitive regex to detect RESTRICTED/CONFIDENTIAL paired with microVM/hardware-virt references or relationship operators.
Workload-Trust Tier Model Definition
docs/architecture/manifesto/02-nfrs.md
New "Sandbox tier — workload-driven selection" section with workload_trust_profile ladder (trusted_operator / internal_workforce / untrusted), runtime recommendations per tier, v1 GA deployability constraints for untrusted, and enforcement links to NFR-SEC-38 and NFR-SEC-39. AP-13 anti-pattern added.
Trust Boundaries Zone and Table Updates
docs/architecture/02-trust-boundaries.md
Compute plane zone explicitly maps runc (solo/dev), gVisor (v1 hardened), and microVM (post-v1) to operator-trust profile. External actors table, per-tenant isolation menu (T0–T3), multi-tenant agent-execution invariant, data-class guidance, token property column names, identity binding, encryption matrix, and audit sink placement rewritten to align with solo/dev vs hardened tier split.
NFR Tier-Specific Constraints and Enforcement
docs/architecture/manifesto/02-nfrs.md
Performance NFRs (cold-start) updated for hardened-tier vs microVM distinctions. NFR-SEC-02 expanded to tier-appropriate sandbox escape-resistance and enumerated hardening controls. NFR-SEC-29..NFR-SEC-39 replaced/expanded with credential broker topology, TLS behavior, filesystem isolation semantics, memory secrecy boundary, encryption defaults, continuous eval/red-team cadence, host kernel/microVM hardening, and new enforcement NFRs (NFR-SEC-38 admission-time workload profile validation; NFR-SEC-39 tier-downgrade alarm/audit/SOAR). Flexibility NFRs updated to describe runtime ladder and packaging expectations.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main change: introducing a workload-trust-driven sandbox tier model with runc and gVisor as the v1 floor.
Linked Issues check ✅ Passed The PR comprehensively addresses #161 objectives by documenting the microVM tier as post-v1, establishing the workload-trust-profile ladder in NFRs, and defining the runc+gVisor v1 floor with clear deferral of microVM implementation.
Out of Scope Changes check ✅ Passed All changes are in-scope: the Vale rule (AP-13) enforces anti-pattern documentation, NFRs are reframed for the tier model, and trust-boundaries prose is updated to match the workload-trust model.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/sandbox-tier-workload-driven

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.vale/styles/Architecture/ap13-data-class-substrate.yml:
- Around line 1-2: Replace the incorrect SPDX identifier in the header: change
the line that currently reads "# SPDX-License-Identifier: FSL-1.1-Apache-2.0" to
"# SPDX-License-Identifier: BUSL-1.1" while keeping the copyright line "#
Copyright (c) 2025 Open Computer Use Contributors" intact so the file header
conforms to the repository requirement.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 1fa54c61-ee58-416c-9a0b-3e3e11cb5590

📥 Commits

Reviewing files that changed from the base of the PR and between 3e6ae98 and deb387c.

📒 Files selected for processing (3)
  • .vale/styles/Architecture/ap13-data-class-substrate.yml
  • docs/architecture/02-trust-boundaries.md
  • docs/architecture/manifesto/02-nfrs.md

Comment on lines +1 to +2
# SPDX-License-Identifier: FSL-1.1-Apache-2.0
# Copyright (c) 2025 Open Computer Use Contributors

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use the required SPDX identifier for new source files.

This new file uses FSL-1.1-Apache-2.0, but the repository rule for new source files requires BUSL-1.1.

Proposed fix
-# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# SPDX-License-Identifier: BUSL-1.1
 # Copyright (c) 2025 Open Computer Use Contributors

As per coding guidelines "**/*: All other new source files MUST include SPDX license header: # SPDX-License-Identifier: BUSL-1.1 with # Copyright (c) 2025 Open Computer Use Contributors".

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# SPDX-License-Identifier: FSL-1.1-Apache-2.0
# Copyright (c) 2025 Open Computer Use Contributors
# SPDX-License-Identifier: BUSL-1.1
# Copyright (c) 2025 Open Computer Use Contributors
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.vale/styles/Architecture/ap13-data-class-substrate.yml around lines 1 - 2,
Replace the incorrect SPDX identifier in the header: change the line that
currently reads "# SPDX-License-Identifier: FSL-1.1-Apache-2.0" to "#
SPDX-License-Identifier: BUSL-1.1" while keeping the copyright line "# Copyright
(c) 2025 Open Computer Use Contributors" intact so the file header conforms to
the repository requirement.

Yambr added 4 commits May 27, 2026 11:19
…-section

The "Anthropic Self-Hosted Sandboxes — Cloudflare microVM, Daytona container,
Modal gVisor, Vercel container" line was AI-slop preamble citing a competitor
product launch as if it justified our design. §02 is a normative NFR catalogue,
not a press-release. Evidence stays in the RESEARCH artifact.
…3 invariant

Removes self-praise, forward-references, and duplication introduced by the
prior commits in this PR:

- §02 sub-section gVisor row drops "Production precedent at AI scale:
  OpenAI, Modal, Anthropic, Google App Engine" — competitor listing in a
  normative NFR catalogue is marketing, not requirement.
- §02 sub-section drops "Honest v1 deployability" header + the
  re-articulation paragraph (the table already says what the trust profile
  is and what tier it maps to).
- §02 sub-section drops forward references to NFR-SEC-38/39 + AP-13 —
  reader sees those below; preamble pointing forward is slop.
- NFR-SEC-02 drops "Runtime brand pick within a tier is a component-spec
  decision" — already covered by NFR-FLEX-02.
- NFR-SEC-38 / NFR-SEC-39 row cells compressed; same load-bearing content.
- AP-13 drops "Enforced at the prose level by a vale rule on ..." —
  anti-pattern is normative, the implementation note belongs in the vale
  rule itself.
- Layer 3 §2 Compute plane row drops "(see ...)" preamble before the §02
  link.
- Layer 3 §4 multi-tenant invariant drops v1/post-v1 narrative — that
  already lives in §02 + §2 zone table.
…unt + INFO F-05 back-link

Code-review findings from REVIEW-PR-163-code.md:

- F-01 (CRIT): Layer 3 §6 line 110 was internally contradictory — it
  asserted "CONFIDENTIAL+ workloads require the hardened tier (gVisor)..."
  (the data-class→tier mapping AP-13 forbids) and immediately added "Tier
  selection is workload-trust-driven, not data-class-driven (forbidden by
  AP-13)". Rewritten so data class drives custody / audit sink / residency
  obligations and trust profile drives the tier.
- F-02 (WARN): NFR-SEC-38 admission-matrix count "6 valid v1 + 3 rejected
  v1" was ambiguous. Now spells out: 6 cells valid by pairing rules
  (3 require post-v1 microVM); 3 cells rejected by pairing; v1 GA
  deployable = 3; v1 GA rejected = 6 (3 pairing + 3 microVM-not-shipped).
- F-05 (INFO): NFR-SEC-38 had no back-link to AP-13; added one clause.
…rete example

Plan-check findings from PLAN-CHECK-PR-163.md:

- PC-1 (WARN): Layer 3 §4 multi-tenant invariant lost the direct #161
  link in the slop sweep; reader now needs §02→sub-section→#161 (2 hops).
  Restored one inline [#161].
- PC-2 (WARN): AP-13 example was dropped in the slop sweep; without it the
  anti-pattern is abstract. Added the minimal concrete form ("NPI →
  microVM" / "PUBLIC → runc") that names the forbidden phrasing without
  re-introducing the long description.
@Yambr Yambr changed the title arch(next/v1): sandbox tier — workload-trust runc+gVisor floor docs(architecture): sandbox tier — workload-trust runc+gVisor floor May 27, 2026
@Yambr Yambr merged commit a8300f2 into next/v1 May 27, 2026
22 of 23 checks passed
@Yambr Yambr deleted the feat/sandbox-tier-workload-driven branch May 27, 2026 08:42
Yambr added a commit that referenced this pull request May 30, 2026
… source refs

A snapshot image is a verbatim copy of guest RAM + disk, so a secret live at
snapshot time is frozen into a file that can be copied and booted where the
resume hook never runs. Host-side revocation makes such a token useless but
not absent from the image — two different controls the prior text conflated.

Flip SEC-44's primacy: the load-bearing, testable control is that no
session-scoped secret is present at snapshot-create time (image taken at
minimal-init, session material hot-swapped at restore; verified by offline
extraction finding none). Resume-side re-auth + VMGenID reseed + N-fork
uniqueness become defence-in-depth. Public anchors: Firecracker snapshot
docs, VMGenID spec, arXiv 2102.12892, NIST SP 800-190 §4.5.

Also fix the SEC-38/SEC-39 Source cells: "this PR" was a placeholder that
broke once #163 merged; repoint to #163 (their origin).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Yambr added a commit that referenced this pull request May 30, 2026
* docs(architecture): NFR-SEC-44..60 — close Layer 7 open holes

Adds 17 security NFRs adjudicated from the Layer 7 STRIDE residuals
(the OPEN holes and the PARTIAL residual tails). Each row is the
measurable control for a threat the model left uncovered.

Cheap fixes (close a tracked hole with a bounded control):
- SEC-44 snapshot-token-exclusion (#184), SEC-45 operator-action-audit (#186),
  SEC-46 resource-exhaustion-containment (#188), SEC-51 mcp-param-schema,
  SEC-52 cp-split-reachability, SEC-53 gateway-conn-ceiling.

New cross-component controls:
- SEC-47 guest-self-audit (#181), SEC-48 trusted-time (#185),
  SEC-49 per-action-authz (#187), SEC-50 mtls-upstreams (#176),
  SEC-54 mount-erase-order, SEC-55 killswitch-under-dos,
  SEC-56 audit-ingest-fairness.

Accept-with-tier (a measurable tier target plus a named, formally
accepted residual):
- SEC-57 egress-exfil-tripwire (#182), SEC-58 side-channel (#183),
  SEC-59 host-custody-memory (host-foothold only), SEC-60 minimal-storage-floor.

Threat-model anchor repointing (the live rows citing "none") lands with
the model restructure, not here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(architecture): NFR review fixes — SEC-44 timing, SEC-45/39 cross-ref, measurability

Applies the duplication / contradiction / slop review findings:
- SEC-44: the ≤1 min revoke bound applied to all token classes was wrong for
  the Session JWT (host-side JWT revoke is ≤5 min per SEC-04). Restate: the
  pre-snapshot JWT is invalid at resume by construction; only the custody/
  storage lease carries the ≤1 min (SEC-29) replay bound.
- SEC-45 ⊃ SEC-39: add a bidirectional cross-reference so the operator-action
  audit set and the tier-downgrade alarm do not read as duplicate controls.
- SEC-46: bind the "≤10% degradation" target to a named SLI (p99-latency
  regression vs the NFR-PERF baseline).
- SEC-58: drop the "documented in datasheet" clause from the Target (a
  deliverable, not a measurable bar).
- SEC-57: drop "zero reliance on payload inspection" from the Target (a design
  constraint already stated in the Scenario).
- SEC-56 / SEC-49: add one disambiguating clause each (vs SEC-46 data-plane
  limits; vs SEC-51 structural validation).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* docs(architecture): SEC-44 — clean-before-stop primary; fix SEC-38/39 source refs

A snapshot image is a verbatim copy of guest RAM + disk, so a secret live at
snapshot time is frozen into a file that can be copied and booted where the
resume hook never runs. Host-side revocation makes such a token useless but
not absent from the image — two different controls the prior text conflated.

Flip SEC-44's primacy: the load-bearing, testable control is that no
session-scoped secret is present at snapshot-create time (image taken at
minimal-init, session material hot-swapped at restore; verified by offline
extraction finding none). Resume-side re-auth + VMGenID reseed + N-fork
uniqueness become defence-in-depth. Public anchors: Firecracker snapshot
docs, VMGenID spec, arXiv 2102.12892, NIST SP 800-190 §4.5.

Also fix the SEC-38/SEC-39 Source cells: "this PR" was a placeholder that
broke once #163 merged; repoint to #163 (their origin).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant