tooling
IMPLEMENTATION GUIDE
Editor integration, implementation workflow, and operational runbooks.
Context Rail
Tags and Themes
On This Page
Security Implementation Guide (Current + Next Steps)
This guide explains what to implement next without repeating already completed migrations.
1. Current baseline assumptions
Already available in codebase:
- Signature verification path in runner.
- Policy layer and protection profiles.
- Anti-debug and sandbox staged checks.
- Anti-tamper probe framework and Windows process-protection probes.
- VM integrity probes and telemetry export.
2. Phase A: Documentation and observability hardening
- Keep all security docs aligned to LLD source-of-truth docs.
- Add test coverage for probe gate combinations.
- Add runbook examples for common policy/env combinations.
Suggested files:
security/antitamper_probe_test.gorunner/runner_test.go- docs updates (already ongoing)
3. Phase B: Process-protection depth expansion
Current status:
- Remote process scan manager integration is implemented.
- Normalized signal schema, weighted correlator, and risk bands are implemented.
- Runner observe/enforce policy wiring is implemented.
Next steps:
- Implement windows scanner inspectors (modules/memory/thread/hook signals).
- Calibrate weights and thresholds using false-positive datasets.
- Add evidence-rich integration tests for platform-specific scanners.
Suggested file plan:
security/processscan_windows.gosecurity/processscan_windows_stub.gosecurity/processscan_manager_test.gosecurity/processscan_correlator_test.gorunner/runner_test.go
Design reference:
4. Phase C: Polymorphic completion
- Enable safe transform stages incrementally.
- Add strict semantic-equivalence tests.
- Add reproducibility tests by seed.
- Keep fast rollback path if compatibility risk appears.
Suggested files:
compiler/polymorphic.gocompiler/polymorphic_test.gocompiler/opcode_mapping_test.go
Design reference:
5. Phase D: Memory hardening integration clarity
- Define wrapper-usage strategy and policy gate.
- Benchmark wrapper path versus current VM object path.
- Keep default path performance-safe.
Suggested files:
vm/vm.goobject/secure_memory.gomutil/util.go
6. Verification checklist
- No doc claims unsupported CLI flags.
- Probe gate semantics remain explicit everywhere.
- Runner and builtin probe scope differences are documented.
- Partial features are marked partial, not complete.
- Tests cover mode/profile/env combinations.