The recent fix stopped the key leaking into child tools, but the orchestrator process still holds the signing key while it spawns offensive tools.
Short term: enforce SECURITY.md's own guidance in code — refuse to start if the audit key path is owned by the same uid as the runner or has loose perms (fail-to-start, don't bypass).
Longer term: a small out-of-band signer the orchestrator sends entries to but never holds the key for.
Best practice: "the agent never touches the signing keys" — ROE Gate (reference-monitor pattern, Anderson 1972); "the key sits outside the log volume so an attacker who can write the log can't read or rotate it" — bernstein audit-log ops doc.
Tracked from aegis/docs/NEXT_STEPS.md (P1.4).
The recent fix stopped the key leaking into child tools, but the orchestrator process still holds the signing key while it spawns offensive tools.
Short term: enforce
SECURITY.md's own guidance in code — refuse to start if the audit key path is owned by the same uid as the runner or has loose perms (fail-to-start, don't bypass).Longer term: a small out-of-band signer the orchestrator sends entries to but never holds the key for.
Best practice: "the agent never touches the signing keys" — ROE Gate (reference-monitor pattern, Anderson 1972); "the key sits outside the log volume so an attacker who can write the log can't read or rotate it" —
bernsteinaudit-log ops doc.Tracked from
aegis/docs/NEXT_STEPS.md(P1.4).