community
/
idea138-guardrailops-federated-verifiable
17
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
idea138-guardrailops-federa.../docs/mvp_spec.md

44 lines
2.5 KiB
Markdown
Raw Blame History

Two-Adapter MVP Spec (SIEM + EDR)
================================
Goal
- Provide a toy, production-ready skeleton that demonstrates GuardRailOps interoperability between twoAdapters: a SIEM adapter and an EDR adapter. The MVP runs over TLS-like mutual authentication and supports offline-first delta propagation with deterministic replay.
Architecture Highlights
- Protocol skeleton: lightweight messaging between IR orchestrator and adapters using a minimal, vendor-agnostic contract model.
- GoC primitives:
- LocalIRTask: per-service detection/containment objectives
- SharedTelemetry: privacy-preserving signals shared across domains
- PlanDelta: incremental containment/execution actions with timestamp and nonce
- AuditLog: governance/provenance entries (signed in production)
- Deterministic delta-reconciliation: deltas carry nonce and timestamp to enable replay.
- Adapters: two starter adapters (SIEM and EDR) with TLS mutual authentication flavor.
Data Contracts (Seed)
- LocalIRTask: { id, service, detection_rules }
- SharedTelemetry: { signals: { key: value }, budget, timestamp }
- PlanDelta: { delta_id, parent_id, timestamp, nonce, changes }
- RegistryEntry: { adapter_id, contract_version, data_contract, timestamp }
- AuditLogEntry: { entry_id, event, detail, signature }
Phase 0 (Weeks 1-2): Protocol skeleton
- Implement a minimal transport layer (TLS-like) and a simple protocol to exchange LocalIRTask and PlanDelta.
- Wire two adapters: SIEMAdapter (ingest telemetry) and EDRAdapter (trigger containment actions).
- Implement DeltaSyncEngine to apply PlanDelta to an in-memory state and enable deterministic replay.
Phase 1 (Weeks 3-5): Governance and identity
- GoCRegistry: register adapter metadata.
- PrivacyBudget: per-signal budgets to demonstrate privacy-preserving telemetry.
- GovernanceLedger: append-only log with simple signing placeholder.
Phase 2 (Weeks 6-8): Cross-domain pilot
- Simulated cross-domain environment with offline-first mode: adapters communicate locally and reconcile when connected.
- Reference SDK and adapter templates to enable rapid onboarding of new adapters.
Phase 3 (Weeks 9-12): Auditability & dashboards
- Demo dashboards showing delta fidelity, replay fidelity, and containment latency.
- Harden governance proofs and privacy budgets; integrate with PortaLedger-like proofs if possible.
Notes
- This MVP intentionally uses toy cryptography placeholders and in-memory stores for clarity. Replace with production-grade crypto and persistent storage in later phases.
Reference in New Issue View Git Blame Copy Permalink