docs(architecture): sandbox tier — workload-trust runc+gVisor floor#163
Conversation
…-section (E1) Adds the workload-trust-profile axis as a first-class §02 concept ahead of the catalogue rows that reference it. Three named profiles: - trusted_operator (solo / dev) → runc - internal_workforce (vetted employees) → gVisor (v1 hardened default) - untrusted (unknown actors) → microVM (post-v1, #161; not deployable v1 GA) Cites Anthropic Self-Hosted Sandboxes (May 2026) as the published multi-provider precedent. Forward-links NFR-SEC-38/39 (enforceability, landing in the next commit) and AP-13 (anti-pattern, landing with the row edits).
…tech-name leaks Row edits (E2-E11) + new rows (N1/N2) + new anti-pattern (AP-13): - E2 NFR-PERF-03: cold-start target generalised to hardened tier; per-tier baselines in PERF-07/08/09. - E3 NFR-PERF-09: explicitly gated on microVM tier shipping (#161); not enforced in v1. - E4 NFR-SEC-02: dropped "microVM-default" framing; gVisor v1 hardened default; microVM hardware-virt post-v1; tier-appropriate escape resistance with seccomp BPF + Landlock + cap-drop in every tier. - E5 NFR-SEC-29: broker binding substrate matches tier (loopback/UDS on runc and gVisor; vsock CID + JWT scope on microVM post-v1). - E6 NFR-SEC-35: KVM precondition limited to microVM tier; Helm pre-install probe ≤2 s with clear error on KVM-absent host; CI test on KVM-absent runner. - E7 NFR-FLEX-02: runtime ladder reframed (runc + gVisor v1; microVM post-v1, Firecracker named as example, Kata as one packaging option). - E8 NFR-FLEX-06: same egress invariant qualified by microVM tier ship. - E9 NFR-FLEX-09: dropped Kata+RKE2 / bare-VM Firecracker tech names. - E10 AP-13 (new): picking sandbox tier by data classification is forbidden; trust profile picks tier, data class governs custody / retention / residency. Backed by vale lint rule landing in next commit. - E11: pruned remaining "minimal-capability shelf" / "full-capability shelf" occurrences inside §02 (NFR-SEC-03 only). - E12: Open Question 5 parenthetical clarifies microVM is post-v1. New rows: - NFR-SEC-38: workload-trust profile declaration is a deployment-time invariant; mismatch is admission-time hard error; untrusted profile is NOT deployable in v1 GA (admission rejects with pointer to #161). - NFR-SEC-39: tier-downgrade alarm via audit event `config.trust_profile.downgraded`; SIEM-bridge HIGH; SOAR webhook ≤30s. Both new rows ship as commitments; implementation lands when control-plane code exists.
… → microVM" phrasing Enforces §02 anti-pattern AP-13 at the prose level: data classification does not pick the sandbox substrate. Trust profile picks the tier; data class governs custody / retention / residency. Standalone file rather than appended to banned-phrases.yml because vale existence rules share message/level per-file; AP-13 needs its own message pointing the author to the §02 anchor.
…rust-profile terms (L1-L14) Aligns Layer 3 with the §02 workload-trust-driven tier model. - L1: §2 Compute plane row reframed in tier terms (runc / gVisor / microVM) with forward link to the new §02 "Sandbox tier" sub-section. - L3: §4 multi-tenant invariant rewritten in trust-profile terms — bare runc multi-tenant forbidden; gVisor as v1 default; microVM post-v1. - L4: T0 tier-table label "single-tenant minimal-capability" → "solo / dev / single-operator". - L5, L11, L13, L14: shelf → tier renames in §3, §6, §8, §9, §10, §12 (key custody, audit sink, signer narrative, Open question 4). - L6, L7, L8: §3 actor-table "Optional?" cells use tier names instead of shelf labels. - L9: §6 data-class-gating sentence reframed — trust profile picks the tier; data class still picks BYOK + customer-managed audit sink. AP-13 is the load-bearing forbidder of data-class-driven substrate selection. - L10: §8 table column headers renamed (Solo / dev tier vs Hardened tier and above). - L12: §8.1 signer paragraph renamed to tier vocabulary. last-reviewed bumped to 2026-05-27.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
🚧 Files skipped from review as they are similar to previous changes (2)
WalkthroughThis PR establishes a workload-trust-driven sandbox tier selection model replacing prior data-class-driven approaches. It introduces a new Vale enforcement rule for AP-13, defines the workload-trust-profile ladder with tier-to-runtime mapping (runc/gVisor/microVM), and updates trust-boundary documentation and NFRs to reflect tier-appropriate constraints and multi-tenant invariants. ChangesWorkload-Trust Sandbox Tier Model
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.vale/styles/Architecture/ap13-data-class-substrate.yml:
- Around line 1-2: Replace the incorrect SPDX identifier in the header: change
the line that currently reads "# SPDX-License-Identifier: FSL-1.1-Apache-2.0" to
"# SPDX-License-Identifier: BUSL-1.1" while keeping the copyright line "#
Copyright (c) 2025 Open Computer Use Contributors" intact so the file header
conforms to the repository requirement.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 1fa54c61-ee58-416c-9a0b-3e3e11cb5590
📒 Files selected for processing (3)
.vale/styles/Architecture/ap13-data-class-substrate.ymldocs/architecture/02-trust-boundaries.mddocs/architecture/manifesto/02-nfrs.md
| # SPDX-License-Identifier: FSL-1.1-Apache-2.0 | ||
| # Copyright (c) 2025 Open Computer Use Contributors |
There was a problem hiding this comment.
Use the required SPDX identifier for new source files.
This new file uses FSL-1.1-Apache-2.0, but the repository rule for new source files requires BUSL-1.1.
Proposed fix
-# SPDX-License-Identifier: FSL-1.1-Apache-2.0
+# SPDX-License-Identifier: BUSL-1.1
# Copyright (c) 2025 Open Computer Use ContributorsAs per coding guidelines "**/*: All other new source files MUST include SPDX license header: # SPDX-License-Identifier: BUSL-1.1 with # Copyright (c) 2025 Open Computer Use Contributors".
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # SPDX-License-Identifier: FSL-1.1-Apache-2.0 | |
| # Copyright (c) 2025 Open Computer Use Contributors | |
| # SPDX-License-Identifier: BUSL-1.1 | |
| # Copyright (c) 2025 Open Computer Use Contributors |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.vale/styles/Architecture/ap13-data-class-substrate.yml around lines 1 - 2,
Replace the incorrect SPDX identifier in the header: change the line that
currently reads "# SPDX-License-Identifier: FSL-1.1-Apache-2.0" to "#
SPDX-License-Identifier: BUSL-1.1" while keeping the copyright line "# Copyright
(c) 2025 Open Computer Use Contributors" intact so the file header conforms to
the repository requirement.
…-section The "Anthropic Self-Hosted Sandboxes — Cloudflare microVM, Daytona container, Modal gVisor, Vercel container" line was AI-slop preamble citing a competitor product launch as if it justified our design. §02 is a normative NFR catalogue, not a press-release. Evidence stays in the RESEARCH artifact.
…3 invariant Removes self-praise, forward-references, and duplication introduced by the prior commits in this PR: - §02 sub-section gVisor row drops "Production precedent at AI scale: OpenAI, Modal, Anthropic, Google App Engine" — competitor listing in a normative NFR catalogue is marketing, not requirement. - §02 sub-section drops "Honest v1 deployability" header + the re-articulation paragraph (the table already says what the trust profile is and what tier it maps to). - §02 sub-section drops forward references to NFR-SEC-38/39 + AP-13 — reader sees those below; preamble pointing forward is slop. - NFR-SEC-02 drops "Runtime brand pick within a tier is a component-spec decision" — already covered by NFR-FLEX-02. - NFR-SEC-38 / NFR-SEC-39 row cells compressed; same load-bearing content. - AP-13 drops "Enforced at the prose level by a vale rule on ..." — anti-pattern is normative, the implementation note belongs in the vale rule itself. - Layer 3 §2 Compute plane row drops "(see ...)" preamble before the §02 link. - Layer 3 §4 multi-tenant invariant drops v1/post-v1 narrative — that already lives in §02 + §2 zone table.
…unt + INFO F-05 back-link Code-review findings from REVIEW-PR-163-code.md: - F-01 (CRIT): Layer 3 §6 line 110 was internally contradictory — it asserted "CONFIDENTIAL+ workloads require the hardened tier (gVisor)..." (the data-class→tier mapping AP-13 forbids) and immediately added "Tier selection is workload-trust-driven, not data-class-driven (forbidden by AP-13)". Rewritten so data class drives custody / audit sink / residency obligations and trust profile drives the tier. - F-02 (WARN): NFR-SEC-38 admission-matrix count "6 valid v1 + 3 rejected v1" was ambiguous. Now spells out: 6 cells valid by pairing rules (3 require post-v1 microVM); 3 cells rejected by pairing; v1 GA deployable = 3; v1 GA rejected = 6 (3 pairing + 3 microVM-not-shipped). - F-05 (INFO): NFR-SEC-38 had no back-link to AP-13; added one clause.
…rete example Plan-check findings from PLAN-CHECK-PR-163.md: - PC-1 (WARN): Layer 3 §4 multi-tenant invariant lost the direct #161 link in the slop sweep; reader now needs §02→sub-section→#161 (2 hops). Restored one inline [#161]. - PC-2 (WARN): AP-13 example was dropped in the slop sweep; without it the anti-pattern is abstract. Added the minimal concrete form ("NPI → microVM" / "PUBLIC → runc") that names the forbidden phrasing without re-introducing the long description.
… source refs A snapshot image is a verbatim copy of guest RAM + disk, so a secret live at snapshot time is frozen into a file that can be copied and booted where the resume hook never runs. Host-side revocation makes such a token useless but not absent from the image — two different controls the prior text conflated. Flip SEC-44's primacy: the load-bearing, testable control is that no session-scoped secret is present at snapshot-create time (image taken at minimal-init, session material hot-swapped at restore; verified by offline extraction finding none). Resume-side re-auth + VMGenID reseed + N-fork uniqueness become defence-in-depth. Public anchors: Firecracker snapshot docs, VMGenID spec, arXiv 2102.12892, NIST SP 800-190 §4.5. Also fix the SEC-38/SEC-39 Source cells: "this PR" was a placeholder that broke once #163 merged; repoint to #163 (their origin). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* docs(architecture): NFR-SEC-44..60 — close Layer 7 open holes Adds 17 security NFRs adjudicated from the Layer 7 STRIDE residuals (the OPEN holes and the PARTIAL residual tails). Each row is the measurable control for a threat the model left uncovered. Cheap fixes (close a tracked hole with a bounded control): - SEC-44 snapshot-token-exclusion (#184), SEC-45 operator-action-audit (#186), SEC-46 resource-exhaustion-containment (#188), SEC-51 mcp-param-schema, SEC-52 cp-split-reachability, SEC-53 gateway-conn-ceiling. New cross-component controls: - SEC-47 guest-self-audit (#181), SEC-48 trusted-time (#185), SEC-49 per-action-authz (#187), SEC-50 mtls-upstreams (#176), SEC-54 mount-erase-order, SEC-55 killswitch-under-dos, SEC-56 audit-ingest-fairness. Accept-with-tier (a measurable tier target plus a named, formally accepted residual): - SEC-57 egress-exfil-tripwire (#182), SEC-58 side-channel (#183), SEC-59 host-custody-memory (host-foothold only), SEC-60 minimal-storage-floor. Threat-model anchor repointing (the live rows citing "none") lands with the model restructure, not here. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs(architecture): NFR review fixes — SEC-44 timing, SEC-45/39 cross-ref, measurability Applies the duplication / contradiction / slop review findings: - SEC-44: the ≤1 min revoke bound applied to all token classes was wrong for the Session JWT (host-side JWT revoke is ≤5 min per SEC-04). Restate: the pre-snapshot JWT is invalid at resume by construction; only the custody/ storage lease carries the ≤1 min (SEC-29) replay bound. - SEC-45 ⊃ SEC-39: add a bidirectional cross-reference so the operator-action audit set and the tier-downgrade alarm do not read as duplicate controls. - SEC-46: bind the "≤10% degradation" target to a named SLI (p99-latency regression vs the NFR-PERF baseline). - SEC-58: drop the "documented in datasheet" clause from the Target (a deliverable, not a measurable bar). - SEC-57: drop "zero reliance on payload inspection" from the Target (a design constraint already stated in the Scenario). - SEC-56 / SEC-49: add one disambiguating clause each (vs SEC-46 data-plane limits; vs SEC-51 structural validation). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * docs(architecture): SEC-44 — clean-before-stop primary; fix SEC-38/39 source refs A snapshot image is a verbatim copy of guest RAM + disk, so a secret live at snapshot time is frozen into a file that can be copied and booted where the resume hook never runs. Host-side revocation makes such a token useless but not absent from the image — two different controls the prior text conflated. Flip SEC-44's primacy: the load-bearing, testable control is that no session-scoped secret is present at snapshot-create time (image taken at minimal-init, session material hot-swapped at restore; verified by offline extraction finding none). Resume-side re-auth + VMGenID reseed + N-fork uniqueness become defence-in-depth. Public anchors: Firecracker snapshot docs, VMGenID spec, arXiv 2102.12892, NIST SP 800-190 §4.5. Also fix the SEC-38/SEC-39 Source cells: "this PR" was a placeholder that broke once #163 merged; repoint to #163 (their origin). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
§02 NFRs and Layer 3 currently claim "microVM-default" while v1 ships only
runc+gVisor. This PR replaces the implicit data-class-gated tier model with an explicit operator-trust-profile ladder, and adds two new NFR rows (NFR-SEC-38, NFR-SEC-39) plus a verification refinement on NFR-SEC-35 that make the new model enforceable at admission and observable on downgrade:trusted_operator) →runc— default; preserves one-click solo install invariant.internal_workforce) →gVisor— v1 hardened default;runcrejected at admission.untrusted) → microVM — post-v1 (#161); v1 GA admission rejects with a pointer to the backlog issue (honest non-deployability).Tech-name leaks (Kata, kata-fc, kata-ch, bare-VM Firecracker, Kata+RKE2) are removed from the catalogue; runtime packaging picks deferred to a future component-spec ADR.
Why now
runcfor an internal-workforce deployment by mistake and the platform happily runs adversarial-prompt-injection workloads on a shared kernel.Changes
manifesto/02-nfrs.mduntrusted= not deployable v1 GA).02-trust-boundaries.md.vale/styles/Architecture/ap13-data-class-substrate.ymlBacklog
Note on a dropped citation
A prior draft cited "USENIX 2023 UDC paper — 36% gVisor CVE rate." The paper title could not be located in USENIX Security '23 proceedings; the 36% figure is not in any verified primary source. The figure is therefore not in §02 prose.
Implementation deferral (load-bearing)
NFR-SEC-38 and NFR-SEC-39 are commitments, not implementations. The admission test fixture (9-cell matrix), the Helm pre-install hook, the audit event emission, and the SOAR webhook integration land when control-plane code exists. This PR is doc-only; the catalogue rows are the contractual baseline future control-plane work must satisfy.
CI gate notes
🤖 Generated with Claude Code
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com
Summary by CodeRabbit