AOS Constitutional Gate — Threat Model v1.0

Universal Bypass via run_command

run_command in allowlist without restrictions. Agent could execute arbitrary shell commands.

Fix: Moved to require human approval; sandboxed execution; removed network; read-only /brain paths.

Missing Scope Enforcement

Policy defined path allowlists but enforcement code didn't check them.

Fix: Implemented validateAndCanonicalizePath(); denylist-first, allowlist match required.

Fail-Open Exception Handling

Try/catch blocks had empty catches or logged without denying.

Fix: All exception handlers fail-closed; throw errors; top-level → DENY.

No Attestation Requirement

Executors didn't require attestations. No cryptographic proof of validation.

Fix: Executors refuse without valid attestation; attestation binds to call ID, args hash, policy hash.

Missing Resource Budgets

No limits on tool call frequency or data volume.

Fix: Per-tool and global budgets; checked before execution; DENY if exceeded.

No Category Checking

Could violate humanitarian license.

Fix: Added prohibited category classifier.

Missing Approval Mechanism

No human-in-the-loop.

Fix: Implemented out-of-band approval service.

No Journal Logging

No audit trail.

Fix: Created chained, signed journal entries.

No Startup Validation

Broken config could be loaded.

Fix: Startup self-tests with fail-closed behavior.

Tool Name Mismatch

Policy used git.commit but executor registered as git_commit.

Fix: Unified naming; startup validation; unknown tools → DENY.

Path Traversal Vectors

Multiple bypass routes: ../, %2e%2e%2f, relative traversal.

Fix: Full path canonicalization via path.resolve(); check canonical path against allowlist.

Symlink Escape

Agent could create symlink in allowed path pointing to protected path.

Fix: O_NOFOLLOW flag; low-level fs.open(); verify fd path matches requested.

Hardlink Duplication

Agent could hardlink protected file into allowed path.

Fix: Check nlink count; nlink > 1 → deny overwrite; O_EXCL on creation.

TOCTOU on Approval Tokens

Agent could change args after approval but before execution.

Fix: Approval token binds to args hash; gate recomputes and verifies at execution.

Sandbox Network Access

Sandbox had network namespace, allowing data exfiltration.

Fix: Removed network namespace entirely; no external communication possible.

Sandbox Write Paths

Sandbox mounted /brain/now as read-write.

Fix: All /brain paths read-only; ephemeral /workspace/tmp for output.

Network Redirect Escape

Allowed domain could redirect to forbidden domain.

Fix: Manual redirect following; recheck each hop against allowlist.

O_NOFOLLOW Not Enforced in Node.js

Node.js fs.writeFile() doesn't support O_NOFOLLOW directly.

Fix: Low-level fs.open() with explicit flags; verify with /proc/self/fd/<fd>.

Args Hash Ordering Dependency

SHA-256 of JSON.stringify depends on key order.

Fix: RFC 8785 JSON Canonicalization Scheme; recursive key sorting.

Seccomp Profile Contradictions

Blocked execve but allowed run_command.

Fix: Updated seccomp profile; rely on cgroups for resource limits.

Append-Only Timing Issue

chattr +a applied after creation, leaving race window.

Fix: Set append-only immediately at creation; no mutable window.

DNS Rebinding Attack

Attacker-controlled DNS could rebind to private IP.

Fix: Resolve DNS, pin to resolved IP, connect to pinned IP.

IPC Framing Assumptions

Socket handler assumed one data event = one complete JSON message.

Fix: Length-prefixed protocol; buffer incomplete messages.

Trust Boundary Confusion

Documentation unclear if agent trusted or not.

Fix: Clarified: agent CAN connect, CANNOT bypass; SO_PEERCRED verification.

Auth Token Missing Attestation Binding

Token bound to toolName + argsHash only, not full decision.

Fix: Bind to complete attestation including policyHash, anchorCommit.

Platform-Specific Code Without Fallback

/proc/self/fd/ check is Linux-specific.

Fix: Document Linux requirement; startup self-test; fail closed.

Append-Only FS Assumptions

chattr +a requires ext4/btrfs; fails silently on other FS.

Fix: Startup verification test; create, set +a, verify with lsattr.

Seccomp+Cgroups Strategy Unclear

Unclear if relying on seccomp or cgroups for process limits.

Fix: Clarified: cgroups for resources, seccomp for privileges, AppArmor for access.

Single-Shot Ambiguity

Unclear how to handle ambiguous requests.

Fix: If unclear → DENY with reason; human can approve.

SO_PEERCRED Model Inconsistency

Socket perms + UID check inconsistent with stated trust boundary.

Fix: Clarified agent CAN connect, SO_PEERCRED verifies UID is aos-agent.

Approver Public Key in Token

Token included approver public key — attacker could forge with own key.

Fix: Approver keys in gate-owned registry; token only includes approverId.

Nonce Replay After Restart

Nonces in-memory only; gate restart cleared the Set.

Fix: Durable nonce storage in /var/lib/aos-gate/nonces/; survives restart.

Signature Format Ambiguity

Unclear if signing hex string or raw bytes.

Fix: Standardized AOS-SIG-v1 format; sign raw SHA-256 bytes.

SO_PEERCRED Unimplemented

Code showed placeholder require("getsockopt").

Fix: Use unix-socket-credentials npm package; real implementation.

Approver Registry Integrity

Registry needed integrity protection.

Fix: Registry includes self-hash; signed by root key; verified on load.

RFC 8785 Canonicalization Unverified

Claimed RFC 8785 compliance but no test vectors.

Fix: Added RFC 8785 test vectors; run at startup; fail closed if broken.