@xshieldai/agent-kernel 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/LICENSE ADDED
@@ -0,0 +1,31 @@
1
+ GNU AFFERO GENERAL PUBLIC LICENSE
2
+ Version 3, 19 November 2007
3
+
4
+ Copyright (C) 2026 ANKR Labs / Capt. Anil Sharma
5
+
6
+ This program is free software: you can redistribute it and/or modify
7
+ it under the terms of the GNU Affero General Public License as published by
8
+ the Free Software Foundation, either version 3 of the License, or
9
+ (at your option) any later version.
10
+
11
+ This program is distributed in the hope that it will be useful,
12
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
13
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14
+ GNU Affero General Public License for more details.
15
+
16
+ You should have received a copy of the GNU Affero General Public License
17
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
18
+
19
+ ---
20
+
21
+ The full text of the GNU Affero General Public License v3 is available at:
22
+ https://www.gnu.org/licenses/agpl-3.0.txt
23
+
24
+ ADDITIONAL TERMS (permitted under AGPL §7):
25
+
26
+ If you run a modified version of this software as a network service,
27
+ you must make the complete source code of the modified version available
28
+ to all users of that service under the terms of this license.
29
+
30
+ Commercial use, including SaaS deployments and enterprise integrations,
31
+ requires a separate commercial license. Contact: captain@ankr.in
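Review bot: The last paragraph of the ADDITIONAL TERMS block ("Commercial use, including SaaS deployments and enterprise integrations, requires a separate commercial license") is a usage restriction, and it contradicts the grant at the top of the same file. AGPL section 7 permits only a short list of supplemental terms, and a ban on commercial use is not among them; the license treats any other non-permissive term as a further restriction that recipients may remove. As written, a consumer doing license compliance cannot tell whether this package is AGPL or source-available. Suggest dropping the clause and offering the commercial license as a separate dual-licensing option, or else not labelling the package AGPL. The network-service paragraph above it restates what the AGPL already requires and can go as well. The file also carries only the short notice plus a link, so the license text itself does not ship in the tarball.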
package/README.md ADDED
@@ -0,0 +1,130 @@
1
+ # @rocketlang/kavachos
2
+
3
+ **KavachOS** — seccomp-bpf + Falco kernel enforcement for AI agents.
4
+
5
+ Part of the **xShieldAI Posture Suite** · [kavachos.xshieldai.com](https://kavachos.xshieldai.com)
6
+
7
+ [![License: AGPL-3.0](https://img.shields.io/badge/License-AGPL%203.0-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)
8
+ [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.19908430.svg)](https://doi.org/10.5281/zenodo.19908430)
9
+
10
+ ---
11
+
12
+ ## What it does
13
+
14
+ KavachOS wraps every AI agent in a seccomp-bpf kernel filter. The agent can only make the syscalls its trust level permits — nothing else reaches the kernel.
15
+
16
+ - **seccomp-bpf profiles** generated deterministically from a `trust_mask` integer
17
+ - **cgroup BPF egress firewall** — per-session network allowlist enforced at the kernel connect4/connect6 hook; unlisted destinations get `EPERM` before the socket is established
18
+ - **Falco rules** generated per domain (maritime, logistics, OT, finance, general)
19
+ - **PRAMANA receipt chain** — every violation is SHA-256 sealed and chained
20
+ - **Gate valve** — automatic escalation: THROTTLE → CRACK → LOCK on repeated violations
21
+ - **CLI** — `kavachos run`, `kavachos profile show`, `kavachos audit`, `kavachos init`
22
+
23
+ ```
24
+ defaultAction: SCMP_ACT_ERRNO ← blocked syscall returns EPERM, never panics kernel
25
+ exit_group + futex + rt_sigreturn always allowed ← no-freeze guarantee
26
+ ```
27
+
28
+ ---
29
+
30
+ ## The AEGIS / KavachOS / PRAMANA stack
31
+
32
+ Three layers. One coherent governance stack for agentic AI.
33
+
34
+ | Layer | Package | What it governs |
35
+ |-------|---------|-----------------|
36
+ | **AEGIS** | [`@rocketlang/aegis`](https://www.npmjs.com/package/@rocketlang/aegis) | Agent **spend** — budget caps, spawn governance, cross-surface usage visibility, kill-switches |
37
+ | **KavachOS** | `@rocketlang/kavachos` (this package) | Agent **behavior** — syscall mediation, exec allowlist, egress firewall, sandboxed runtime |
38
+ | **PRAMANA** | DOI [10.5281/zenodo.19273330](https://doi.org/10.5281/zenodo.19273330) | Cryptographic **attestation** — tamper-evident chain of every decision either layer made |
39
+
40
+ AEGIS governs what the agent spends. KavachOS governs what the agent does. PRAMANA proves what happened.
41
+
42
+ For EU AI Act Article 14 (human oversight): PRAMANA alone is just logging — it proves what happened but doesn't prevent the next bad thing. KavachOS alone is just enforcement — it gates behavior but leaves no verifiable trail. Together: the human can override (HITL gate), and the override is recorded in a tamper-evident chain. KavachOS is the airbag. PRAMANA is the black box. Article 14 requires both.
43
+
44
+ ---
45
+
46
+ ## Install
47
+
48
+ ```bash
49
+ npm install -g @rocketlang/kavachos
50
+ # or
51
+ bun add -g @rocketlang/kavachos
52
+ ```
53
+
54
+ Requires: **Bun ≥ 1.0**, **Linux x86_64**, kernel ≥ 3.5 (seccomp-bpf), kernel ≥ 5.8 for Falco modern-bpf.
55
+
56
+ ---
57
+
58
+ ## Quick start
59
+
60
+ ```bash
61
+ # Initialize project config
62
+ kavachos init --domain=general --trust-mask=0xFF
63
+
64
+ # Run any agent under kernel enforcement
65
+ kavachos run claude --trust-mask=0xFF --domain=general --verbose
66
+
67
+ # Run a Bun script with maritime domain rules
68
+ kavachos run bun src/my-agent.ts --trust-mask=0x00FF0000 --domain=maritime --falco
69
+
70
+ # Inspect profile + gate valve state
71
+ kavachos profile show
72
+
73
+ # Audit the receipt chain
74
+ kavachos audit --all
75
+ ```
76
+
77
+ ---
78
+
79
+ ## Commands
80
+
81
+ | Command | Description |
82
+ |---------|-------------|
83
+ | `kavachos run <binary> [args]` | Launch agent under seccomp-bpf governance |
84
+ | `kavachos generate` | Generate profile + Falco rules (no exec) |
85
+ | `kavachos profile show [agent-id]` | Show active profile + gate valve state |
86
+ | `kavachos audit [session-id\|--all]` | Verify PRAMANA receipt chain |
87
+ | `kavachos rules` | Print domain-specific Falco rules |
88
+ | `kavachos init` | Write `.kavachos.json` in project root |
89
+
90
+ ---
91
+
92
+ ## trust_mask
93
+
94
+ Each bit unlocks a syscall group. `trust_mask=0` → read-only minimal profile.
95
+
96
+ ```
97
+ Bits 0-7 Infrastructure: auth | rbac | events | db | notification | cache | registered | forja
98
+ Bits 8-15 Intelligence: llm | knowledge | domain_rules | memory | search | packages | swarm | codegen
99
+ ```
100
+
101
+ ```bash
102
+ kavachos generate --trust-mask=0xFF --domain=maritime --json
103
+ ```
104
+
105
+ ---
106
+
107
+ ## Domain profiles
108
+
109
+ | Domain | Extra rules |
110
+ |--------|-------------|
111
+ | `general` | Baseline only |
112
+ | `maritime` | NMEA serial ops, AIS monitoring |
113
+ | `logistics` | EDI file processing |
114
+ | `ot` | Modbus TCP, realtime scheduling |
115
+ | `finance` | HSM / hardware key ops |
116
+
117
+ ---
118
+
119
+ ## License
120
+
121
+ AGPL-3.0 — kernel enforcement layer is open. You can audit what runs next to your production agents.
122
+
123
+ Enterprise Edition (multi-tenant, HanumanG EE, Merkle ledger, EU AI Act evidence): [xshieldai.com](https://xshieldai.com)
124
+
125
+ ---
126
+
127
+ ## Papers
128
+
129
+ - KavachOS Protocol: [10.5281/zenodo.19908430](https://doi.org/10.5281/zenodo.19908430)
130
+ - PRAMANA Receipt Chain: [10.5281/zenodo.19273330](https://doi.org/10.5281/zenodo.19273330)
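Review bot: The title line and both install commands name `@rocketlang/kavachos`, but this README ships inside `@xshieldai/agent-kernel` 2.0.2, so anyone following "npm install -g @rocketlang/kavachos" installs a different registry package from the one whose contents they are looking at. For a tool that sits in the enforcement path, the README should name the package it is published under, or state explicitly that one name is an alias of the other and which one is canonical. Separately, the maritime quick-start line passes `--trust-mask=0x00FF0000`, which sets bits 16-23, while the trust_mask section documents only bits 0-7 and 8-15; either document what those bits unlock or use a mask from the documented range. The first two quick-start examples also use `0xFF`, which turns on every infrastructure bit. Since the text says `trust_mask=0` is the minimal profile, showing a narrow mask first would give users a least-privilege starting point to copy.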
package/bin/kavachos ADDED
@@ -0,0 +1,5 @@
1
+ #!/usr/bin/env bun
2
+ // SPDX-License-Identifier: AGPL-3.0-only
3
+ // KavachOS CLI — @rocketlang/kavachos v2.0.0
4
+ // Part of the xShieldAI Posture Suite · kavachos.xshieldai.com
5
+ import(new URL("../dist/kavachos.js", import.meta.url).pathname);
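Review bot: On the last line, `new URL("../dist/kavachos.js", import.meta.url).pathname` returns a percent-encoded path, so an install location containing a space or a non-ASCII character becomes `%20`-style text that does not exist on disk and the CLI fails to load. Pass the URL itself (`.href`) to `import()`, or convert it with `fileURLToPath` from `node:url`. The promise from `import()` is also left unhandled, so a missing `dist/kavachos.js` surfaces as an unhandled rejection rather than a clear error and non-zero exit. The header comment is stale as well: it says `@rocketlang/kavachos v2.0.0` while the published package is `@xshieldai/agent-kernel` 2.0.2. The SPDX tag `AGPL-3.0-only` disagrees with the LICENSE notice, which says "either version 3 of the License, or (at your option) any later version". Pick one and use it in both places.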