Five objects, two locks, one rule about evidence. This is the mental model — the design docs carry the detail.
The object model
Kubernetes CRDs, API group scrutineer.sh/v1alpha1:
AgentSession— one governed run: the agent image, the task, references to policy and profile. All runtime evidence lands in itsstatus.AgentPolicy— the rules, plus the mode:enforced(violations blocked) oraudit-only(recorded asdry-run, nothing blocked).RuntimeProfile— how the workload runs: container hardening and which enforcement backends are on.ApprovalPolicy/ApprovalRequest— scoped human approvals for actions that need a person in the loop.
Bring your own agent
The container image is the agent — reasoning loop, model calls, tools. Scrutineer schedules it and governs what it can reach; nothing in the image needs to cooperate. The demo agent is plain busybox.
The two locks
Enforcement and credentials both live outside the agent’s trust domain:
Routing lock. A default-deny egress NetworkPolicy makes the per-session Envoy
proxy the agent’s only network path. The HTTP_PROXY env is a convenience; the
kernel-level deny is the control. Raw sockets and direct DNS die at the CNI.
Capability lock. The agent pod is credential-empty. Secrets that authorize governed actions live outside its reach — a compromised agent has nothing to exfiltrate that would let it act ungoverned.
Verified or refused
The routing lock is only real if the CNI enforces NetworkPolicy — some don’t.
Scrutineer proves it with a canary probe instead of assuming it. Fail the probe and
enforced sessions are refused with a loud EgressLockVerified=False condition.
Nothing silently degrades to advisory.
Evidence assurance
Every decision in status.policyDecisions carries a provenance label:
observed— reported by the egress-reporter in the proxy pod, authenticated as that pod’s own identity (token review + ownership checks).self-reported— anything from inside the agent’s trust domain.
The label is derived from the caller’s authenticated identity, never from the
payload — a report can claim observed, and the server overwrites the claim with
what the caller’s token proves. The doctrine throughout: a control is either
untamperable, or it is labeled for what it is.