KAP (Kernel Assurance Plane): tested at the kernel level
We built a KAP test scenario and ran it where it matters: the syscall boundary. The setup models the classic aggregate attack, a task that looks like “refactor the config” decomposing into fork → execve(curl) → connect(external) → send(config). Every syscall is individually legal. The aggregate is exfiltration.
KAP held the invariant: an operation runs only if it’s derivable from committed lineage and never exceeds the authority running it. The exfil chain got stopped at the point authority drifted past what the task committed to, not after the data left. Next: measuring enforcement overhead so legal syscalls in between don’t pay a tax.
PAP (Purpose Assurance Plane): same approach, plan layer
Now running the equivalent scenario one layer up, at plan construction. The test models “summarize customer churn” expanding into “query DB, export, external API,” each step locally valid, the aggregate a leak.
PAP filters the plan before it reaches execution: authority-expanding refinements (new tool, weakened constraint) get caught while the legitimate ones pass clean. We’re watching the Cone of Intent narrow correctly and tuning where it over-rejects.
ArmorTools: console build in progress
We’re heads-down on ArmorTools, the unified console for the stack. Claude Code, Codex, OpenClaw, Copilot, every agent in one place, with total events, violations, allow rates, critical findings, heatmaps, and a live feed across ArmorClaude, ArmorCodex, ArmorCopilot, and ArmorClaw. Coming together now.
