From fe97f577d2954c3d7b24c091787f89e9025c8699 Mon Sep 17 00:00:00 2001 From: raylee-hawkins Date: Sat, 23 May 2026 15:31:25 -0500 Subject: [PATCH] fix: align HO-DET-011 platform runtime readiness packet --- contracts/README.md | 10 ++- ...ctory-controller-v0.ho-det-011.sample.json | 20 ++--- .../ho-det-011-case-packet.sample.json | 37 ++++++-- .../ho-det-011-case-packet.schema.json | 84 +++++++++++++++++-- .../DETECTION_FACTORY_CONTROLLER_V0.md | 10 ++- scripts/ho_factory.py | 20 ++--- scripts/verify-ho-det-011-case-packet.py | 63 ++++++++++++-- 7 files changed, 193 insertions(+), 51 deletions(-) diff --git a/contracts/README.md b/contracts/README.md index ee5cda7..7db7734 100644 --- a/contracts/README.md +++ b/contracts/README.md @@ -75,10 +75,12 @@ Reviewer packets include `gate_summary`, `decision`, and `truth_boundary` fields so reviewers can see the source, validation, platform guardrail, proof record, blocked-claim, and next-legal-move chain without inferring promotion. -`HO-DET-011` currently reports `STATE_DRIFT_REVIEW_REQUIRED` because the -platform case-packet guardrail sample remains pinned to an earlier 6-case shape -while current detection, validation, and proof surfaces record 17 controlled- -test fixtures. v0 reports that drift; it does not repair it. +`HO-DET-011` now aligns the platform case-packet guardrail sample, schema, +verifier, and factory status with the current 17 controlled-test fixture +validation shape. The update is non-promotional: proof ceiling remains +`CONTROLLED_TEST_VALIDATED`, public-safe status remains `NOT_PUBLIC_SAFE`, and +runtime-active, signal-observed, public-safe runtime, production, and AI +authority claims remain blocked. `ID-DET-002`, `ID-DET-003`, and `ID-DET-004` are validation-backed platform visibility packets after `hawkinsoperations-validation` PR #46. They report 
diff --git a/contracts/examples/detection-factory-controller-v0.ho-det-011.sample.json b/contracts/examples/detection-factory-controller-v0.ho-det-011.sample.json
index 035b788..8c60c8f 100644
--- a/contracts/examples/detection-factory-controller-v0.ho-det-011.sample.json
+++ b/contracts/examples/detection-factory-controller-v0.ho-det-011.sample.json
@@ -31,7 +31,7 @@
 },
 {
 "gate": "platform_guardrail",
- "status": "STATE_DRIFT_REVIEW_REQUIRED",
+ "status": "SATISFIED_NON_PROMOTIONAL_BOUNDARY",
 "owner_repo": "hawkinsoperations-platform",
 "claim": "platform guardrail reported",
 "promotion_allowed": false
@@ -54,21 +54,21 @@
 "gate": "next_legal_move",
 "status": "REVIEW_REQUIRED",
 "owner_repo": "hawkinsoperations-platform",
- "claim": "Review platform drift before any guardrail update; routed telemetry or public-safe wording remains blocked until separate evidence linkage, redaction review, stale review, wording review, and Raylee approval.",
+ "claim": "Platform guardrail drift is resolved for the 17-case controlled validation shape; routed telemetry or public-safe wording remains blocked until separate evidence linkage, redaction review, stale review, wording review, and Raylee approval.",
 "promotion_allowed": false
 }
 ],
 "decision": {
- "status": "DRIFT_REVIEW_REQUIRED",
+ "status": "READY_FOR_REVIEW",
 "merge_recommendation": "REVIEW_REQUIRED",
 "proof_promotion_allowed": false,
 "public_rendering_allowed": false,
- "reason": "Platform guardrail remains pinned to an earlier 6-case shape while current validation, proof, and detection surfaces record 17 controlled-test fixtures."
+ "reason": "Platform guardrail matches the current 17-case controlled validation shape while preserving proof, runtime, signal, public-safe, and AI authority boundaries."
 },
 "truth_boundary": {
 "source_truth": "reported",
 "validation_truth": "controlled-test validated",
- "platform_truth": "controller reported drift review required",
+ "platform_truth": "case-packet guardrail aligned to current controlled validation state",
 "proof_truth": "private runtime evidence state reported",
 "runtime_truth": "not public proven",
 "signal_truth": "not public proven",
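Review bot: The new `claim` on the `next_legal_move` gate opens with a completed-state assertion ("Platform guardrail drift is resolved ...") in a field that is meant to name the next permitted action, so a reader of the gate no longer sees which move is actually allowed. The same sentence is reused for `next_allowed_move` later in this sample and in `scripts/ho_factory.py`. Consider wording that leads with the action and keeps the block list, for example `"claim": "Hold at controlled-test validation; routed telemetry or public-safe wording remains blocked until separate evidence linkage, redaction review, stale review, wording review, and Raylee approval."`. The alignment fact is already carried by `decision.reason` and `truth_boundary.platform_truth` in this hunk.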
@@ -145,7 +145,7 @@
 "website_proof_claim_allowed": false,
 "claim_boundary": "Platform reports proof-index status metadata only. Proof truth remains owned by hawkinsoperations-proof, and this visibility field does not promote proof, runtime, signal, public-safe, or website status."
 },
- "platform_guardrail_status": "STATE_DRIFT_REVIEW_REQUIRED",
+ "platform_guardrail_status": "SATISFIED_NON_PROMOTIONAL_BOUNDARY",
 "blocked_claims": [
 "runtime-active",
 "signal-observed",
@@ -171,17 +171,17 @@
 "HO-DET-011 has sanitized private local Windows runtime evidence captured for one controlled service-creation test.",
 "HO-DET-011 is capped at PRIVATE_RUNTIME_EVIDENCE_CAPTURED for private evidence and NOT_PUBLIC_SAFE for public use."
 ],
- "next_allowed_move": "Review platform drift before any guardrail update; routed telemetry or public-safe wording remains blocked until separate evidence linkage, redaction review, stale review, wording review, and Raylee approval.",
+ "next_allowed_move": "Platform guardrail drift is resolved for the 17-case controlled validation shape; routed telemetry or public-safe wording remains blocked until separate evidence linkage, redaction review, stale review, wording review, and Raylee approval.",
 "stop_conditions": [
- "Do not repair the 6-case platform guardrail in v0.",
 "Do not promote proof.",
+ "Do not edit proof, website, detection, validation, workflow, dependency, evidence, or runtime files.",
 "Do not claim public-safe status.",
 "Do not claim runtime-active or signal-observed public proof.",
 "Do not create generated output files."
 ],
 "state_consistency": [
- "STATE_DRIFT_REVIEW_REQUIRED",
- "Platform sample and verifier remain pinned to an earlier 6-case guardrail while current validation, proof, and detection facts record 17 controlled-test fixtures."
+ "STATE_CONSISTENT_WITH_17_CASE_VALIDATION",
+ "Platform sample, schema, verifier, and factory status align to the current 17 controlled-test fixtures without promoting proof, runtime-active, signal-observed, or public-safe claims."
 ],
 "does_not_prove": [
 "runtime activity",
diff --git a/contracts/examples/ho-det-011-case-packet.sample.json b/contracts/examples/ho-det-011-case-packet.sample.json
index ee1399b..6b9c19f 100644
--- a/contracts/examples/ho-det-011-case-packet.sample.json
+++ b/contracts/examples/ho-det-011-case-packet.sample.json
@@ -7,8 +7,8 @@
 "promotion_status": "BLOCKED",
 "validation_result_ref": "hawkinsoperations-validation/reports/ho-det-011/validation-result.json",
 "validation_cases_ref": "hawkinsoperations-validation/validation/successor/ho-det-011/validation-cases.json",
- "validation_pr": "HawkinsOperations/hawkinsoperations-validation#25",
- "validation_merge_commit": "4c4bf5a",
+ "validation_pr": "HawkinsOperations/hawkinsoperations-validation#26",
+ "validation_merge_commit": "4df879ea7b3c4dc8d564596accc2f66a87ede6a6",
 "validation_status": "pass",
 "controlled_test_validation": true,
 "exact_claim_supported": "HO-DET-011 passed controlled-test validation against controlled Windows service creation fixtures.",
@@ -28,18 +28,32 @@ "ai_may_promote": false, "ai_may_close": false, "human_review_required": true, + "runtime_readiness_truth": { + "source_truth": "SOURCE_EXISTS", + "validation_truth": "CONTROLLED_TEST_VALIDATED", + "platform_truth": "CASE_PACKET_ALIGNED_TO_17_CASE_VALIDATION", + "proof_truth": "PRIVATE_RUNTIME_EVIDENCE_CAPTURED_NOT_PROMOTED", + "runtime_truth": "PUBLIC_RUNTIME_BLOCKED", + "signal_truth": "SIGNAL_NOT_OBSERVED_PUBLIC_OR_ROUTED", + "evidence_truth": "NO_RAW_PRIVATE_EVIDENCE_IN_PLATFORM_PACKET", + "ai_triage_truth": "AI_SUPPORT_ONLY_NOT_AUTHORITY", + "public_proof_truth": "NOT_PUBLIC_SAFE", + "human_review_truth": "HUMAN_REVIEW_REQUIRED" + }, "telemetry_boundary": { "event_7045": "Windows System / Service Control Manager service-install telemetry", "event_4697": "Windows Security service installation auditing where available", "event_1": "Sysmon process creation context where available" }, "validation_counts": { - "total_cases": 6, - "positive_cases": 3, - "negative_cases": 3, - "pass": 6, + "total_cases": 17, + "positive_cases": 7, + "negative_cases": 10, + "pass": 17, "fail": 0, - "matched_positive_count": 3 + "matched_positive_count": 7, + "missed_positive_count": 0, + "false_positive_negative_count": 0 }, "allowed_claims": [ "HO-DET-011 source artifacts exist in the detections repository.", @@ -52,15 +66,24 @@ "signal-observed", "public-safe", "evidence-linked public proof", + "public-safe runtime proof", + "Splunk-fired", "live Splunk fired", "Wazuh-routed", "Cribl-routed", + "Security Onion observed", + "Suricata observed", + "Zeek observed", "AWS-live", "production-ready", + "production triage", "fleet-wide", + "autonomous SOC", "service-creation coverage completeness", + "attack coverage completeness", "AI-decided disposition", "AI-approved disposition", + "analyst-approved disposition", "AI-closed disposition" ], "privacy_boundary": { 
diff --git a/contracts/schemas/ho-det-011-case-packet.schema.json b/contracts/schemas/ho-det-011-case-packet.schema.json index 531d0e4..fe00f71 100644 --- a/contracts/schemas/ho-det-011-case-packet.schema.json +++ b/contracts/schemas/ho-det-011-case-packet.schema.json @@ -34,6 +34,7 @@ "ai_may_promote", "ai_may_close", "human_review_required", + "runtime_readiness_truth", "telemetry_boundary", "validation_counts", "allowed_claims", @@ -67,10 +68,10 @@ "const": "hawkinsoperations-validation/validation/successor/ho-det-011/validation-cases.json" }, "validation_pr": { - "const": "HawkinsOperations/hawkinsoperations-validation#25" + "const": "HawkinsOperations/hawkinsoperations-validation#26" }, "validation_merge_commit": { - "const": "4c4bf5a" + "const": "4df879ea7b3c4dc8d564596accc2f66a87ede6a6" }, "validation_status": { "const": "pass" 
@@ -146,6 +147,54 @@ "type": "boolean", "const": true }, + "runtime_readiness_truth": { + "type": "object", + "additionalProperties": false, + "required": [ + "source_truth", + "validation_truth", + "platform_truth", + "proof_truth", + "runtime_truth", + "signal_truth", + "evidence_truth", + "ai_triage_truth", + "public_proof_truth", + "human_review_truth" + ], + "properties": { + "source_truth": { + "const": "SOURCE_EXISTS" + }, + "validation_truth": { + "const": "CONTROLLED_TEST_VALIDATED" + }, + "platform_truth": { + "const": "CASE_PACKET_ALIGNED_TO_17_CASE_VALIDATION" + }, + "proof_truth": { + "const": "PRIVATE_RUNTIME_EVIDENCE_CAPTURED_NOT_PROMOTED" + }, + "runtime_truth": { + "const": "PUBLIC_RUNTIME_BLOCKED" + }, + "signal_truth": { + "const": "SIGNAL_NOT_OBSERVED_PUBLIC_OR_ROUTED" + }, + "evidence_truth": { + "const": "NO_RAW_PRIVATE_EVIDENCE_IN_PLATFORM_PACKET" + }, + "ai_triage_truth": { + "const": "AI_SUPPORT_ONLY_NOT_AUTHORITY" + }, + "public_proof_truth": { + "const": "NOT_PUBLIC_SAFE" + }, + "human_review_truth": { + "const": "HUMAN_REVIEW_REQUIRED" + } + } + }, "telemetry_boundary": { "type": "object", "additionalProperties": false, @@ -175,26 +224,34 @@ "negative_cases", "pass", "fail", - "matched_positive_count" + "matched_positive_count", + "missed_positive_count", + "false_positive_negative_count" ], "properties": { "total_cases": { - "const": 6 + "const": 17 }, "positive_cases": { - "const": 3 + "const": 7 }, "negative_cases": { - "const": 3 + "const": 10 }, "pass": { - "const": 6 + "const": 17 }, "fail": { "const": 0 }, "matched_positive_count": { - "const": 3 + "const": 7 + }, + "missed_positive_count": { + "const": 0 + }, + "false_positive_negative_count": { + "const": 0 } } }, @@ -213,7 +270,7 @@ }, "blocked_claims": { "type": "array", - "minItems": 14, + "minItems": 22, "uniqueItems": true, "items": { "enum": [ 
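Review bot: The const `CASE_PACKET_ALIGNED_TO_17_CASE_VALIDATION` for `runtime_readiness_truth.platform_truth` embeds the fixture count that `validation_counts.total_cases` already pins in the next hunk. The number therefore lives in two schema constants, and also in the sample, in `EXPECTED_RUNTIME_READINESS_TRUTH` in the verifier, and in the factory spec. The next fixture change would have to rename a status token in all of those places, which is the same cross-file drift this commit repairs. A count-free token, for example `"const": "CASE_PACKET_ALIGNED_TO_CURRENT_VALIDATION"` (a suggested name, not an existing value), would leave `validation_counts` as the only place the count is asserted.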
@@ -221,15 +278,24 @@ "signal-observed", "public-safe", "evidence-linked public proof", + "public-safe runtime proof", + "Splunk-fired", "live Splunk fired", "Wazuh-routed", "Cribl-routed", + "Security Onion observed", + "Suricata observed", + "Zeek observed", "AWS-live", "production-ready", + "production triage", "fleet-wide", + "autonomous SOC", "service-creation coverage completeness", + "attack coverage completeness", "AI-decided disposition", "AI-approved disposition", + "analyst-approved disposition", "AI-closed disposition" ] } diff --git a/docs/factory/DETECTION_FACTORY_CONTROLLER_V0.md b/docs/factory/DETECTION_FACTORY_CONTROLLER_V0.md index 3e86ea8..2e8fd1f 100644 --- a/docs/factory/DETECTION_FACTORY_CONTROLLER_V0.md +++ b/docs/factory/DETECTION_FACTORY_CONTROLLER_V0.md @@ -105,10 +105,12 @@ ceilings. Private runtime boundary values may be reported only as proof-index visibility metadata and only where the existing proof record supports that private boundary status. -The existing platform `HO-DET-011` case-packet guardrail is pinned to an older -6-case sample. Current detection, validation, and proof surfaces record 17 -controlled-test fixtures. v0 must not repair that drift. It must report -`STATE_DRIFT_REVIEW_REQUIRED` in `state_consistency`. +The platform `HO-DET-011` case-packet guardrail is aligned to the current 17 +controlled-test fixture validation shape. v0 must keep that alignment +non-promotional: the proof ceiling remains `CONTROLLED_TEST_VALIDATED`, public- +safe status remains `NOT_PUBLIC_SAFE`, runtime-active and public/routed +signal-observed claims remain blocked, and AI remains support-only rather than +approval authority. `HO-DET-012` must report `CONTROLLED_TEST_VALIDATED` for controlled scheduled task creation and update fixtures only. It has no proof record in v0, no diff --git a/scripts/ho_factory.py b/scripts/ho_factory.py index f256dd0..a1b9eaa 100644 --- a/scripts/ho_factory.py +++ b/scripts/ho_factory.py 
@@ -1463,7 +1463,7 @@ def runtime_review_self_tests() -> dict[str, Any]: public_proof_ceiling="CONTROLLED_TEST_VALIDATED", private_evidence_state="PRIVATE_RUNTIME_EVIDENCE_CAPTURED", public_safe_status="NOT_PUBLIC_SAFE", - platform_guardrail_status="STATE_DRIFT_REVIEW_REQUIRED", + platform_guardrail_status="SATISFIED_NON_PROMOTIONAL_BOUNDARY", validation_result="hawkinsoperations-validation/reports/ho-det-011/validation-result.json", validation_expected={ "total_cases": 17, @@ -1477,7 +1477,7 @@ def runtime_review_self_tests() -> dict[str, Any]: proof_card=None, proof_state="PRIVATE_RUNTIME_EVIDENCE_CAPTURED", platform_sample="hawkinsoperations-platform/contracts/examples/ho-det-011-case-packet.sample.json", - platform_sample_expected_total=6, + platform_sample_expected_total=17, required_blocked_claims=( *COMMON_BLOCKED, "evidence-linked public proof", 
@@ -1496,28 +1496,28 @@ def runtime_review_self_tests() -> dict[str, Any]: "HO-DET-011 has sanitized private local Windows runtime evidence captured for one controlled service-creation test.", "HO-DET-011 is capped at PRIVATE_RUNTIME_EVIDENCE_CAPTURED for private evidence and NOT_PUBLIC_SAFE for public use.", ), - next_allowed_move="Review platform drift before any guardrail update; routed telemetry or public-safe wording remains blocked until separate evidence linkage, redaction review, stale review, wording review, and Raylee approval.", - decision_status="DRIFT_REVIEW_REQUIRED", - decision_reason="Platform guardrail remains pinned to an earlier 6-case shape while current validation, proof, and detection surfaces record 17 controlled-test fixtures.", + next_allowed_move="Platform guardrail drift is resolved for the 17-case controlled validation shape; routed telemetry or public-safe wording remains blocked until separate evidence linkage, redaction review, stale review, wording review, and Raylee approval.", + decision_status="READY_FOR_REVIEW", + decision_reason="Platform guardrail matches the current 17-case controlled validation shape while preserving proof, runtime, signal, public-safe, and AI authority boundaries.", truth_boundary={ "source_truth": "reported", "validation_truth": "controlled-test validated", - "platform_truth": "controller reported drift review required", + "platform_truth": "case-packet guardrail aligned to current controlled validation state", "proof_truth": "private runtime evidence state reported", "runtime_truth": "not public proven", "signal_truth": "not public proven", "public_proof": "not public safe", }, stop_conditions=( - "Do not repair the 6-case platform guardrail in v0.", "Do not promote proof.", + "Do not edit proof, website, detection, validation, workflow, dependency, evidence, or runtime files.", "Do not claim public-safe status.", "Do not claim runtime-active or signal-observed public proof.", "Do not create generated 
output files.", ), state_consistency=( - "STATE_DRIFT_REVIEW_REQUIRED", - "Platform sample and verifier remain pinned to an earlier 6-case guardrail while current validation, proof, and detection facts record 17 controlled-test fixtures.", + "STATE_CONSISTENT_WITH_17_CASE_VALIDATION", + "Platform sample, schema, verifier, and factory status align to the current 17 controlled-test fixtures without promoting proof, runtime-active, signal-observed, or public-safe claims.", ), does_not_prove=( "runtime activity", @@ -1924,7 +1924,7 @@ def platform_sample_claims(spec: DetectionSpec, sample: dict[str, Any]) -> list[ total = counts.get("total_cases") if total != spec.platform_sample_expected_total: raise FactoryError( - f"{spec.platform_sample} expected historical total_cases {spec.platform_sample_expected_total}, got {total}" + f"{spec.platform_sample} expected total_cases {spec.platform_sample_expected_total}, got {total}" ) require_blocked_claims(sample.get("blocked_claims"), PLATFORM_SAMPLE_BLOCKED, spec.platform_sample) diff --git a/scripts/verify-ho-det-011-case-packet.py b/scripts/verify-ho-det-011-case-packet.py index cd6cb56..92c6758 100644 --- a/scripts/verify-ho-det-011-case-packet.py +++ b/scripts/verify-ho-det-011-case-packet.py @@ -20,8 +20,8 @@ "promotion_status": "BLOCKED", "validation_result_ref": "hawkinsoperations-validation/reports/ho-det-011/validation-result.json", "validation_cases_ref": "hawkinsoperations-validation/validation/successor/ho-det-011/validation-cases.json", - "validation_pr": "HawkinsOperations/hawkinsoperations-validation#25", - "validation_merge_commit": "4c4bf5a", + "validation_pr": "HawkinsOperations/hawkinsoperations-validation#26", + "validation_merge_commit": "4df879ea7b3c4dc8d564596accc2f66a87ede6a6", "validation_status": "pass", "controlled_test_validation": True, "runtime_active": False, 
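Review bot: `platform_sample_claims` still compares only `total_cases` against `spec.platform_sample_expected_total`, while the spec updated in this commit reports `STATE_CONSISTENT_WITH_17_CASE_VALIDATION` as a fixed literal. A platform sample with 17 total cases but a different positive/negative or pass/fail split would pass this check and still be reported as consistent. If the key names in the sample's `validation_counts` match those in `spec.validation_expected` (only `total_cases` is visible in these hunks), the guard could cover every expected count, e.g. `mismatched = {k: counts.get(k) for k, v in spec.validation_expected.items() if counts.get(k) != v}` followed by raising `FactoryError` when `mismatched` is non-empty. The function body starts and ends outside the hunk.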
@@ -43,12 +43,27 @@ } EXPECTED_COUNTS = { - "total_cases": 6, - "positive_cases": 3, - "negative_cases": 3, - "pass": 6, + "total_cases": 17, + "positive_cases": 7, + "negative_cases": 10, + "pass": 17, "fail": 0, - "matched_positive_count": 3, + "matched_positive_count": 7, + "missed_positive_count": 0, + "false_positive_negative_count": 0, +} + +EXPECTED_RUNTIME_READINESS_TRUTH = { + "source_truth": "SOURCE_EXISTS", + "validation_truth": "CONTROLLED_TEST_VALIDATED", + "platform_truth": "CASE_PACKET_ALIGNED_TO_17_CASE_VALIDATION", + "proof_truth": "PRIVATE_RUNTIME_EVIDENCE_CAPTURED_NOT_PROMOTED", + "runtime_truth": "PUBLIC_RUNTIME_BLOCKED", + "signal_truth": "SIGNAL_NOT_OBSERVED_PUBLIC_OR_ROUTED", + "evidence_truth": "NO_RAW_PRIVATE_EVIDENCE_IN_PLATFORM_PACKET", + "ai_triage_truth": "AI_SUPPORT_ONLY_NOT_AUTHORITY", + "public_proof_truth": "NOT_PUBLIC_SAFE", + "human_review_truth": "HUMAN_REVIEW_REQUIRED", } REQUIRED_BLOCKED_CLAIMS = { @@ -56,15 +71,24 @@ "signal-observed", "public-safe", "evidence-linked public proof", + "public-safe runtime proof", + "Splunk-fired", "live Splunk fired", "Wazuh-routed", "Cribl-routed", + "Security Onion observed", + "Suricata observed", + "Zeek observed", "AWS-live", "production-ready", + "production triage", "fleet-wide", + "autonomous SOC", "service-creation coverage completeness", + "attack coverage completeness", "AI-decided disposition", "AI-approved disposition", + "analyst-approved disposition", "AI-closed disposition", } 
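Review bot: The two new zero-valued entries in `EXPECTED_COUNTS` (`missed_positive_count`, `false_positive_negative_count`) would be satisfied by JSON `false` if `require_validation_counts` compares with plain `!=`, because `False == 0` in Python. The comparison line is outside this hunk, but the new `require_runtime_readiness_truth` uses that form. This matters on any run where schema validation is skipped, which the name `validate_schema_if_possible` suggests can happen. Rejecting booleans explicitly closes the gap: `if isinstance(actual, bool) or actual != expected:`.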
@@ -73,16 +97,25 @@ r"signal[-\s]+observed", r"public[-\s]+safe", r"evidence[-\s]+linked\s+public\s+proof", + r"public[-\s]+safe\s+runtime\s+proof", + r"splunk[-\s]+fired", r"live\s+splunk\s+fired", r"wazuh[-\s]+routed", r"cribl[-\s]+routed", + r"security\s+onion\s+observed", + r"suricata\s+observed", + r"zeek\s+observed", r"aws[-\s]+live", r"production[-\s]+ready", + r"production\s+triage", r"fleet[-\s]+wide", + r"autonomous\s+soc", r"service[-\s]+creation\s+coverage\s+complet", + r"attack\s+coverage\s+complet", r"ai[-\s]+decided", r"ai[-\s]+approved", r"ai[-\s]+closed", + r"analyst[-\s]+approved", ] PRIVATE_LEAK_PATTERNS = [ @@ -186,6 +219,21 @@ def require_validation_counts(sample: dict) -> None: fail(f"validation_counts.{key} expected {expected!r}, got {actual!r}") +def require_runtime_readiness_truth(sample: dict) -> None: + truth = sample.get("runtime_readiness_truth") + if not isinstance(truth, dict): + fail("runtime_readiness_truth must be an object") + + extra = sorted(set(truth) - set(EXPECTED_RUNTIME_READINESS_TRUTH)) + if extra: + fail(f"runtime_readiness_truth has extra keys: {', '.join(extra)}") + + for key, expected in EXPECTED_RUNTIME_READINESS_TRUTH.items(): + actual = truth.get(key) + if actual != expected: + fail(f"runtime_readiness_truth.{key} expected {expected!r}, got {actual!r}") + + def require_privacy_boundary(sample: dict) -> None: boundary = sample.get("privacy_boundary") if not isinstance(boundary, dict): @@ -248,6 +296,7 @@ def main() -> int: validate_schema_if_possible(sample, schema) require_expected_values(sample) require_validation_counts(sample) + require_runtime_readiness_truth(sample) require_privacy_boundary(sample) require_blocked_claim_inventory(sample) reject_promoted_allowed_claims(sample)
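Review bot: Several of the added patterns accept only whitespace between words (`security\s+onion\s+observed`, `suricata\s+observed`, `zeek\s+observed`, `production\s+triage`, `autonomous\s+soc`, `attack\s+coverage\s+complet`), while the neighbouring entries use `[-\s]+`. If this list is what screens claim text for promoted wording (its name and consumer are outside the hunk), hyphenated spellings such as "Zeek-observed" or "production-triage" would not be caught. `autonomous\s+soc` also has no word boundary, so it matches longer words that begin with "soc". Using the same separator class throughout keeps the guard uniform; the rewritten entries are below.

```python
# … unchanged: earlier patterns through cribl[-\s]+routed …
    r"security[-\s]+onion[-\s]+observed",
    r"suricata[-\s]+observed",
    r"zeek[-\s]+observed",
# … unchanged: aws[-\s]+live, production[-\s]+ready …
    r"production[-\s]+triage",
# … unchanged: fleet[-\s]+wide …
    r"autonomous[-\s]+soc\b",
    r"attack[-\s]+coverage[-\s]+complet",
# … unchanged: remaining ai/analyst patterns …
```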