<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Concepts on Scrutineer</title>
    <link>http://scrutineer.sh/docs/concepts/</link>
    <description>Recent content in Concepts on Scrutineer</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 07 Jul 2026 00:00:00 -0700</lastBuildDate>
    <atom:link href="http://scrutineer.sh/docs/concepts/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Core concepts</title>
      <link>http://scrutineer.sh/docs/concepts/core-concepts/</link>
      <pubDate>Tue, 07 Jul 2026 00:00:00 -0700</pubDate>
      <guid>http://scrutineer.sh/docs/concepts/core-concepts/</guid>
      <description>Sessions, policies, profiles, the two locks, and evidence assurance.</description>
      <content:encoded><![CDATA[<p>Five objects, two locks, one rule about evidence. This is the mental model — the
<a href="https://github.com/grantbarry29/scrutineer/tree/main/docs/design">design docs</a> carry
the detail.</p>
<details class="docs-details" id="the-object-model">
  <summary>The object model</summary>
  <div class="docs-details-body">
    <p>Kubernetes CRDs, API group <code>scrutineer.sh/v1alpha1</code>:</p>
<ul>
<li><strong><code>AgentSession</code></strong> — one governed run: the agent image, the task, references to
policy and profile. All runtime evidence lands in its <code>status</code>.</li>
<li><strong><code>AgentPolicy</code></strong> — the rules, plus the <strong>mode</strong>: <code>enforced</code> (violations blocked) or
<code>audit-only</code> (recorded as <code>dry-run</code>, nothing blocked).</li>
<li><strong><code>RuntimeProfile</code></strong> — how the workload runs: container hardening and which
enforcement backends are on.</li>
<li><strong><code>ApprovalPolicy</code> / <code>ApprovalRequest</code></strong> — scoped human approvals for actions that
need a person in the loop.</li>
</ul>

  </div>
</details>

<details class="docs-details" id="bring-your-own-agent">
  <summary>Bring your own agent</summary>
  <div class="docs-details-body">
    <p>The container image <em>is</em> the agent — reasoning loop, model calls, tools. Scrutineer
schedules it and governs what it can reach; nothing in the image needs to cooperate.
The demo agent is plain busybox.</p>

  </div>
</details>

<details class="docs-details" id="the-two-locks">
  <summary>The two locks</summary>
  <div class="docs-details-body">
    <p>Enforcement and credentials both live outside the agent&rsquo;s trust domain:</p>
<p><strong>Routing lock.</strong> A default-deny egress NetworkPolicy makes the per-session Envoy
proxy the agent&rsquo;s <em>only</em> network path. The <code>HTTP_PROXY</code> env is a convenience; the
kernel-level deny is the control. Raw sockets and direct DNS die at the CNI.</p>
<p><strong>Capability lock.</strong> The agent pod is credential-empty. Secrets that authorize
governed actions live outside its reach — a compromised agent has nothing to
exfiltrate that would let it act ungoverned.</p>

  </div>
</details>

<details class="docs-details" id="verified-or-refused">
  <summary>Verified or refused</summary>
  <div class="docs-details-body">
    <p>The routing lock is only real if the CNI enforces NetworkPolicy — some don&rsquo;t.
Scrutineer proves it with a canary probe instead of assuming it. Fail the probe and
enforced sessions are <strong>refused</strong> with a loud <code>EgressLockVerified=False</code> condition.
Nothing silently degrades to advisory.</p>

  </div>
</details>

<details class="docs-details" id="evidence-assurance">
  <summary>Evidence assurance</summary>
  <div class="docs-details-body">
    <p>Every decision in <code>status.policyDecisions</code> carries a provenance label:</p>
<ul>
<li><strong><code>observed</code></strong> — reported by the egress-reporter in the proxy pod, authenticated as
<em>that pod&rsquo;s own identity</em> (token review + ownership checks).</li>
<li><strong><code>self-reported</code></strong> — anything from inside the agent&rsquo;s trust domain.</li>
</ul>
<p>The label is derived from the caller&rsquo;s authenticated identity, never from the
payload — a report can <em>claim</em> <code>observed</code>, and the server overwrites the claim with
what the caller&rsquo;s token proves. The doctrine throughout: a control is either
untamperable, or it is labeled for what it is.</p>

  </div>
</details>

]]></content:encoded>
    </item>
  </channel>
</rss>
