bolyai/CIS490
3
0
Fork 0
Code Issues 5 Pull requests Projects 1 Releases Packages Wiki Activity Actions
CIS490/PIPELINE.md
Max Gorog bfb1c491f8 PIPELINE.md is canonical; rewrite AGENTS.md; delete FIXYOURSELF.md 
PIPELINE.md is the canonical plan for the data-collection / emulation
/ labelling pipeline. It supersedes any guidance in AGENTS.md,
README.md, or other repo docs that contradicts it (§17). Future
sessions read it before changing anything in the pipeline.

AGENTS.md is rewritten to point at PIPELINE.md as canonical and to
strip the prescriptive symptom→fix table that absorbed producer-side
defects instead of fixing them (§7.1 compensating-layer pattern).

FIXYOURSELF.md is deleted (§4.12, §7.10 recovery-layer pattern). The
states it covered are made impossible by the §4.6 acceptance gate
landing later in §5; recovering from a state that shouldn't exist is
itself the bandaid we're removing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-03 17:04:43 -05:00

38 KiB
Raw Permalink Blame History

PIPELINE.md — the CIS490 generative pipeline honesty plan

This document is canonical. It supersedes any guidance in AGENTS.md, FIXYOURSELF.md, README.md, or other repo docs that contradicts it. If another doc says something different, this doc wins and the other doc is wrong (file an issue or fix it).

This is not an architecture overview. This is a fix list. Read it, implement it, do not split it into phases.

Before proposing any change to the pipeline, re-read §1, §7, and §8 and run your proposal against §8's checklist. Then proceed.

1. Principle

Every episode that reaches the dataset must be ground-truth. Every host runs the same experiment with the same configured catalog. Every exploit module and every collector in the catalog has been proven to work end-to-end before it is eligible to run. There are no compensating layers — no auto-update timers that drag stale peers forward, no "fix-yourself" decision trees, no per-host divergence absorbed by trainer-side filters, no labels written by clock when the event they describe didn't happen.

If a host can't meet the bar, it produces zero episodes and says so loudly. A small honest dataset beats a large dishonest one.

Default to removal, not addition. If a problem can be fixed by deleting code or removing a layer, prefer that. Adding a layer is the suspect default and should be justified against §7 and §8 before proceeding.

2. What the experiments are for

CIS490 trains a behavioral malware-detection model. The dataset is the ground-truth labelled record of what the host looked like during known-clean, known-armed, known-infecting, and known-infected phases of a real exploit chain against a real target service. The model learns to distinguish those phases from in-deployment behavior. Every dishonest label is a poisoned training example.

This is why the producer's job is not "ship lots of episodes." It is "ship episodes whose labels are true."

3. What is currently broken (evidence)

Numbers from the 200-episode quality probe on 2026-05-03:

  1. Labels lie. 0 of 67 Tier-3 exploit fires resulted in a session_open event. All 67 logged session_open_timeout. Yet every one of those 67 episodes is labelled phase=infected_running because the schedule-driven labeller transitions on a clock, not on observed events. The infected_running label in the dataset means "the schedule said so," not "an attacker session was actually open on this host."
  2. Collectors are silent.
    • perf produces 0 rows on 100% of episodes on both hosts.
    • guest-agent produces 0 rows on 100% of episodes on both hosts.
    • qmp, netflow, and pcap produce 0 rows on 100% of k-gamingcom episodes (different config from elliott).
    • The host tcpdump is missing on k-gamingcom; pcap_unavailable is logged then ignored.
  3. The catalog is unverified. Modules are added to the rotation without a per-module verification that the module actually lands a session against its declared target. samba_usermap_script has a 100% failure rate against the configured Metasploitable2 target and was still in the rotation.
  4. Hosts run divergent experiments. elliott and k-gamingcom have different per-host manifests, different collector coverage, different qemu invocations. The dataset is a union of two different experiments, not 200 samples from one.
  5. Working trees are dirty. 200/200 episodes report dirty=true, so code_version.commit is unverifiable provenance.

Each of these is a failure of the producer. Receiver-side filtering and trainer-side prune scripts are bandaids that hide them.

4. The fix — line items

Every item below must land. They are not phases. They are parts of one cohesive correctness story; any of them missing leaves the pipeline half-honest. Each item names its acceptance test.

4.1 Canonical manifest

There is exactly one manifest, version-pinned in the repo at manifest.toml. Every lab host loads the same manifest. There is no per-host manifest override, no per-host collector enable/disable flag, no per-host qemu argument list. Hosts that cannot run the canonical manifest exit 78 at orchestrator startup.

Acceptance: find . -name manifest.toml -not -path './.git/*' returns exactly one path. There is no --manifest CLI flag on the orchestrator that takes a different path; the path is hard-coded. Removing this line item would re-create the host divergence we just exited.

4.2 Target VMs we build, not VMs we fetch

Every target VM image is built from a declarative spec checked into the repo (Packer, mkosi, debootstrap, whatever — declarative). The image build produces a sha256-pinned artifact. The build script verifies, before producing the artifact, that:

  • The vulnerable service is up after first boot.
  • The service is on the port the module catalog declares.
  • The service version matches the version the module catalog declares.

Metasploitable2 from a SourceForge mirror is removed. We don't ship episodes targeting black-box images.

Acceptance: scripts/build-target-<name>.sh exists for every target referenced by an exploit module. Running it produces an image whose post-boot state passes the spec's verification step. The verification step's exit code gates the build's exit code.

4.3 Module catalog admission criteria

A module is in the catalog only if it passes a recorded end-to-end verification run against its declared target. The verification is:

  1. Boot the target snapshot.
  2. Fire the module via msfrpcd.
  3. Observe a session_open event (not session_open_timeout).
  4. Observe at least one shell command round-trip on the session.
  5. Confirm guest-side artifact (file written, process spawned — per-module).

If any step fails, the module does not enter the catalog. There is no "tentatively included" tier. Modules already in the catalog are re-verified by scripts/verify-catalog.sh (new) on every release; failures remove the module from the catalog.

Acceptance: every entry in exploits/modules/*.toml has a companion verified_against = "<target_name>" and last_verified = "<commit_sha>" field. scripts/verify-catalog.sh re-runs every entry and exits 0 only if every one passes.

4.4 Collector admission criteria

A collector is in the active set only if it passes a recorded end-to-end verification run that confirms it emits non-zero rows against a known-busy probe workload.

For each of the six collectors (proc, qmp, netflow, perf, guest, pcap):

  1. Diagnose the current zero-row failure (read the code, run standalone, find the actual cause). Fix the cause.
  2. Add a unit-or-integration test that runs the collector for N seconds against a synthesized workload (a busy-loop process for proc/perf, a packet generator for netflow/pcap, a QMP blockstats query for qmp, a guest heartbeat for guest) and asserts ≥1 row.
  3. The test must run in CI and on every install via the install script.

A collector that cannot pass admission is removed from the active set with a recorded reason — not silently included with zero rows.

Acceptance: pytest tests/test_collectors_emit.py -k <name> passes for each name. The CI run gates merges.

4.5 Event-driven labelling

Phase labels are written from observed events, never from the schedule clock. The schedule becomes a time budget — maximum time the orchestrator will wait in each phase — not a label source.

Specifically:

  • clean is written at episode start.
  • armed is written when the orchestrator instructs the driver to fire (this is observable in code).
  • infecting is written when the exploit_fire event is observed.
  • infected_running is written only when the session_open event is observed.
  • If session_open_timeout is observed instead, the episode terminates with a failed label and is rejected (see §4.6).
  • dormant and subsequent infected_running transitions are written from observed in-session idle / activity, not from clock.

Per-module timeouts replace the global 30s timeout. Default 120s, configurable per module in exploits/modules/*.toml.

Acceptance: for every shipped episode, every entry in labels.jsonl has a corresponding event in events.jsonl with a matching t_mono_ns within ±100ms. An invariant test asserts this.

4.6 Episode acceptance gate at finalization

Before sealing meta and writing done.marker, the orchestrator verifies:

  • Every collector in the active set produced ≥1 row.
  • Every label has a matching event (§4.5 invariant).
  • For Tier-3 episodes: a session_open event exists.
  • dirty=true is absent OR dirty_override=true is present (see §4.9).

If any check fails, the episode goes to data/rejected/<id>/ with a rejected_reason.json describing which check failed. done.marker is not written. The shipper never sees it.

Acceptance: tests/test_acceptance_gate.py covers each rejection condition. A passing test asserts a clean episode is accepted; for each failure mode, the test asserts the episode is moved to rejected/ with the expected reason.

4.7 Producer preflight

orchestrator/preflight.py runs at orchestrator startup. One bar (no light/deep split). Checks:

  • Every binary required by the active collector set + active module catalog is on PATH.
  • /dev/kvm accessible by the service user.
  • kernel.perf_event_paranoid <= 2.
  • cfg.bridge_iface exists; tcpdump can capture on it.
  • msfrpcd reachable; auth.login returns a token.
  • For every module in catalog: module.info is fetchable.
  • For every sample in catalog: file present on disk; sha256 matches.
  • Probe-boot baseline-v1 snapshot; observe guest-agent heartbeat within N seconds.
  • git status --porcelain empty (or CIS490_ALLOW_DIRTY=1).
  • HEAD is on a commit currently in origin/main.

Failures are collected (every failed check logged with diagnosis + remediation), then sys.exit(78).

Acceptance: tests/test_preflight.py covers each check individually with mocked subprocess/filesystem. python -m orchestrator.preflight runs the checks and prints a structured report. Exit codes: 0 ok, 78 sysadmin error.

4.8 Receiver-side rejection (defense in depth)

The receiver is defense-in-depth, NOT the primary correctness mechanism. The producer is. Receiver rejection exists to catch peers running stale or broken code; it is never a substitute for fixing the producer. A change that strengthens receiver rejection without strengthening the producer is the defensive-instead-of- corrective pattern (§7.9).

The receiver enforces the same correctness invariants the orchestrator does. A peer running stale code that produces dishonest episodes still gets rejected at ingest:

  • Reject any meta with dirty=true and no dirty_override=true.
  • Reject any meta where phases_observed contains infected_running but events.jsonl (extracted from the tarball) lacks session_open.
  • Reject any meta where any configured-collector row count is zero.
  • Existing commit-allow-list gate continues.

Rejections return 422 with a JSON body naming the failed check. Rejected tarballs are not written to the index.

Acceptance: tests/test_receiver_rejects.py covers each new rejection condition.

4.9 Override discipline

The only escape hatch from the dirty-tree gate is the CIS490_ALLOW_DIRTY=1 environment variable. When set:

  • Orchestrator logs WARN: dirty tree override active.
  • meta.json gains dirty_override: true.
  • Receiver accepts the episode only if dirty_override is also true.
  • Every override use is auditable from the dataset.

There are no other override knobs. No verify_tls=false, no "skip preflight," no "include this collector even if it emits zero rows."

4.10 Regression-test discipline

Every fix in this plan lands with a test that would have caught the regression at PR time. Tests are not a follow-up. A PR that fixes the perf collector without a perf-emit test is incomplete and gets sent back.

CI runs:

  • All unit tests.
  • scripts/verify-catalog.sh against a smoke target subset (catalog verification full run is gated to release commits — too expensive for every PR).
  • The collector-emit integration tests (§4.4) on real binaries.

4.11 systemd integration

  • cis490-orchestrator.service adds RestartPreventExitStatus=78. A preflight failure stays loud and stuck instead of cycling restarts.
  • On preflight failure, orchestrator writes /var/lib/cis490/preflight.failed.json with the failed checks + timestamps. Doctor surfaces this in its next report. The fleet-health alert distinguishes "preflight failed" from "host silent."

4.12 Cleanup of compensating layers

The following are deleted as part of this change. Their existence was load-bearing for the dishonest pipeline; the honest one doesn't need them.

  • FIXYOURSELF.md — entire file deleted. Stuck states no longer exist as a class because the gates make them impossible.
  • cis490-autoupdate.timer + scripts/auto-update.sh — deleted. Hosts run pinned commits. New code is rolled out by the operator, not auto-pulled.
  • cis490-cert-fetch.timer — replaced by a one-shot first-boot fetch in install-lab-host.sh. No periodic re-fetch.
  • tools/quarantine_unstamped.py — deleted. Pre-stamp episodes cannot exist because no episode is written without a valid stamp.
  • tools/check_fleet_health.py — keep, but delete the "fatal-only" alert branch (that branch existed because we were shipping fatals; with the gate, we don't).
  • tools/prune_episodes.py's "kept episode despite flat /proc because qmp showed write" cross-check logic — deleted. Episodes that don't pass the producer-side gate don't reach the trainer.
  • AGENTS.md "symptom→fix table" — deleted (the symptoms it covers are now impossible).
  • AGENTS.md "Hosts self-update" section — deleted.

4.13 Containment bar

Real malware execution requires explicit containment. Target VMs exist in an isolation context that is part of the canonical experiment, not a deployment detail. A future change that weakens any of the items below is a containment regression and is rejected regardless of what experimental realism it claims to add.

For every target VM in the catalog (§4.2):

  • Network: target attaches to a bridge with NO upstream egress. No NAT to the host network, no internet route, no DNS resolution beyond what the experiment provides. Outbound C2 callbacks resolve to a sinkhole inside the experiment, never to the internet.
  • Filesystem: no shared mount with the host. No 9p, no virtio-fs with host paths. The target's disk is the snapshot it was booted from, period.
  • Privilege: QEMU runs as the unprivileged service user. KVM access is via group membership only; no setuid wrappers, no privileged TUN ownership transfer, no passthrough of host devices not explicitly required by the catalog.
  • Lifetime: every target boots from a fresh snapshot. State from one episode never crosses into the next. The snapshot is reverted at episode end, not "cleaned."
  • Escape monitoring: any QEMU exit that is not a clean shutdown is logged with full QMP state and the episode is marked failed. Two unclean exits on the same target image within a release window trigger admission-criteria re-verification (§4.3) for every module targeting that image.

Acceptance: tests/test_containment.py asserts each target build (a) has no upstream egress route from inside the guest, (b) has no host-shared filesystem mount, (c) runs QEMU as the unprivileged service user, (d) reverts to snapshot at episode end. The test runs in CI and on every install.

5. Build order

There is no half-honest intermediate state. The order below sequences the work; it does not phase the deployment. Everything lands to main in one merge.

  1. Fix the four root-cause defects:
    • Diagnose + fix the perf collector (read code, run standalone, find why it's silent, fix).
    • Diagnose + fix the guest-agent collector (mount baseline image, verify agent installed, fix build).
    • Diagnose + fix k-gamingcom's missing qmp/netflow/pcap (compare configs, eliminate divergence — §4.1).
    • Diagnose + fix samba_usermap_script against its target (manual msfconsole drive, find why the bind shell never connects, fix or remove from catalog — §4.3).
  2. Land the canonical manifest (§4.1).
  3. Land the target-VM build pipeline (§4.2) and containment tests (§4.13) together — target VMs are not in the catalog without containment.
  4. Land the catalog admission criteria + verifier (§4.3).
  5. Land the collector admission criteria + tests (§4.4).
  6. Land the event-driven labeller (§4.5).
  7. Land the acceptance gate (§4.6).
  8. Land the preflight (§4.7).
  9. Land the receiver-side rejection (§4.8).
  10. Land the override discipline + cleanup (§4.9, §4.12).
  11. Land systemd integration + alert distinguishing (§4.11).

After merge: lab hosts pull the new manifest, run preflight, fail loudly if they don't meet the bar, produce zero episodes until they do. The operator brings each host to bar — fixing one root cause at a time, loudly. The dataset goes quiet, then comes back honest.

6. Out of scope (and why)

  • Schedule jitter for label-leakage resistance. Real concern, but doesn't affect honesty — only generalization. Address after honest data is flowing.
  • New collectors (audit, ftrace, etc.). Adding collectors before the existing six are honest is putting more weight on a broken floor.
  • Trainer changes. This plan stops at the dataset boundary. The trainer no longer needs to filter dishonest episodes because they don't exist.
  • Multi-architecture targets. All target VMs are x86_64 for now.

Each of these is fine to defer because they don't paper over a correctness defect. They add value on top of an honest pipeline; the pipeline isn't honest yet.

7. Anti-patterns (named — match every proposal against this list)

Each pattern below is a shape a proposal can take that has been rejected as architectural sleight-of-hand. Match every proposal against this list before submitting it. A proposal that matches a named pattern is rejected; abandon it and propose a corrective fix instead.

The patterns are named so future sessions can recognize them in their own work. A bandaid with a nice name (preflight, acceptance gate, retry layer, fleet-health) is still a bandaid.

§7 is non-exhaustive. New sleight-of-hand patterns will exist that aren't named here. The §8 decision tests are the actual filter; a proposal that fails §8 is rejected even if it matches no named pattern. Do not read §7 as a closed taxonomy and conclude "my proposal isn't on the list, so it's fine." If §8 says no, the answer is no, regardless of whether a named match exists.

7.1 Compensating-layer pattern

Definition. Adding a layer (timer, watcher, retry, alert, recovery doc) that absorbs a failure mode upstream of itself instead of fixing the upstream cause.

Example from session 2026-05-02..03. cis490-autoupdate.timer to drag stale peers forward. The actual fix was the operator's deploy process; the timer existed because deployment was unreliable and we patched around the unreliability instead of fixing it.

Test. If I removed this layer right now, would the original problem reappear immediately? If yes, the layer is a compensating bandaid for an unfixed root cause.

What to do instead. Fix the upstream cause. If you cannot in this change, fail loudly (§9) and stop.

7.2 Phasing-as-deferral pattern

Definition. Splitting a correctness fix into "phase 1, phase 2," "light vs deep," or "land this now, the harder part later." Any sequencing that ships a half-honest intermediate state.

Example from session 2026-05-02..03. "Land preflight first, labeller refactor later." The intermediate state ships dishonest data because the labeller is still clock-driven.

Test. Does each intermediate merge ship dishonest data, or rely on a layer that won't exist yet? If yes, no phasing.

What to do instead. Reduce scope (drop a feature, narrow the active set) until the change is small enough to land in one merge. Do not defer the hard part.

7.3 Single-instance-fix pattern

Definition. Fixing one item from a class while leaving the other items as future work.

Example from session 2026-05-02..03. "I'll diagnose perf and samba in parallel" while guest-agent, qmp, netflow, and the rest of the module catalog stay broken.

Test. Is this a class of N items, of which I'm fixing < N? If yes, fix all or remove the unfixed from the active set.

What to do instead. Either fix every member of the class, or shrink the active catalog to just the verified members. Unverified members do not ship.

7.4 Per-host-divergence pattern

Definition. Accepting that two hosts behave differently as a working assumption.

Example from session 2026-05-02..03. "Which host should I investigate samba on, elliott or k-gamingcom?" — implying the answer matters because hosts are different.

Test. Given identical workloads on identical canonical-manifest hosts, would the produced episodes be identical? If no, the divergence is the bug.

What to do instead. Eliminate the divergence (one canonical manifest, one canonical target VM build, one canonical collector set — §4.1). If a host can't run the canonical experiment, it produces zero episodes.

7.5 Black-box-trust pattern

Definition. Treating an externally-built artifact as if it behaves correctly under our experiments without a verifiable spec for what it should do.

Example from session 2026-05-02..03. Metasploitable2 from a SourceForge mirror — we don't know what version of Samba is running, whether the service is up, or whether the image has been altered. We were shipping modules targeting it anyway.

Test. Do we have a verifiable spec for this artifact's behavior? If no, we don't trust it.

What to do instead. Build the artifact from a declarative spec we control (§4.2). If we can't, remove modules targeting it from the catalog.

7.6 Investigation-as-deferral pattern

Definition. Proposing investigation when a verifiable gate would suffice. The investigation itself becomes the deferred work.

Example from session 2026-05-02..03. "I need to diagnose why perf is silent before I can write the gate." A gate of the form "perf must produce ≥1 row" works without knowing the cause; it forces the diagnosis to happen as part of the fix.

Test. Can the gate be expressed as an assertion ("X must produce > 0 rows" / "X must observe Y event") without knowing the root cause? If yes, write the gate first.

What to do instead. Write the strictest possible gate first. The investigation is the work of making the gate pass.

7.7 Speculation-as-evidence pattern

Definition. Asserting a claim as fact without measurement.

Example from session 2026-05-02..03. "30s vs 120s won't change this — if the exploit were almost working, we'd see occasional opens." No data was gathered; the claim was projected.

Test. Do I have a measurement that supports this claim? If no, I am speculating.

What to do instead. Say "I don't know yet." Either gather data or design the fix to be correct under both possibilities.

7.8 Out-of-scope-for-correctness pattern

Definition. Naming a correctness-affecting item as "out of scope" to avoid the harder problem.

Example from session 2026-05-02..03. "Manifest canonicalization is out of scope, flagged as known issue." Per-host config divergence is the source of half the data quality problems; excluding it from scope was a deferral.

Test. Does excluding this item leave the system half-honest? If yes, it is in scope.

What to do instead. Reduce other scope (drop a feature, narrow the active set) to fit. Correctness items cannot be deferred.

7.9 Defensive-instead-of-corrective pattern

Definition. Building rejection logic at the consumer instead of fixing the producer that produces the rejected output.

Example from session 2026-05-02..03. Receiver-side rejection of dishonest episodes without fixing why the producer produces them. Defense-in-depth (both ends gated) is good; defense-without- corrective (only consumer gated) is a bandaid.

Test. Does this fix make the dishonest behavior IMPOSSIBLE upstream, or only unobservable downstream? If only unobservable, the producer is still broken.

What to do instead. Fix the producer first. The consumer-side gate is defense-in-depth on top of a corrected producer, never a substitute.

7.10 Recovery-layer pattern

Definition. Building documentation, scripts, timers, or runbooks for "what to do when X is stuck." Applies anywhere in the pipeline — producer, receiver, trainer, dashboard, install scripts, on-device agents, anywhere a "recovery from a state that shouldn't exist" layer is contemplated. Producer-side is just the most common location.

Example from session 2026-05-02..03. FIXYOURSELF.md — a 250-line decision tree for recovering hosts whose auto-update timer couldn't fix them. The states it covered shouldn't have been possible if the producer were correct.

Test. Can the stuck state happen at all if the relevant component is correct? If no, delete the recovery layer and fix the component.

What to do instead. Make the stuck state impossible. If you can't, fail loudly (§9) and stop.

8. Decision tests before proposing a change

Before adding any code, doc, layer, or feature, answer all of the following. Any uncomfortable answer means stop and re-evaluate.

  1. Does this change make the dishonest behavior IMPOSSIBLE, or only less likely / less observable?
  2. Does this change scale to every instance of the problem class, or only one?
  3. If I removed this change, would the underlying problem return immediately?
  4. Am I adding a layer? If yes, can I instead remove the layer that allowed the failure?
  5. Does this proposal match any pattern in §7? If yes, abandon it and propose a corrective fix.
  6. Is the change complete in one merge? If not, why is the intermediate state honest?
  7. Am I doing this because it's correct, or because it's the easiest thing that looks like progress?

If you cannot answer all seven cleanly, stop. Ask the operator. Do not proceed.

9. What to do when blocked

When you cannot fix something cleanly in scope:

  • Fail loudly. Exit with a distinguishable code (e.g., 78). Write a structured failure record. Do not retry silently.
  • Stop. Do not continue producing output as if the failure didn't happen.
  • Ask the operator. Tell the user what's blocked, what you tried, and what you need to proceed.
  • Do not build a recovery layer. That is the recovery-layer pattern (§7.10).
  • Do not propose phased fixes. That is the phasing-as-deferral pattern (§7.2).
  • Do not narrow scope silently. If the active set must shrink to make the change tractable, name it explicitly and get sign-off.

The operator prefers a small honest system that fails loudly over a large half-broken one that limps. A loud failure is more useful than a silent bandaid.

10. Definitions of ground truth

For each collector, "real row" means the row was actually emitted by the underlying mechanism for this episode, not synthesized, defaulted, or carried over from a previous run.

Collector Ground truth means
proc Row read from /proc/<qemu_pid>/{stat,io,status} for the live qemu PID of this episode's target VM, while that PID is alive.
qmp Row obtained from a successful QMP query-status / query-blockstats round-trip on cfg.qmp_socket for this episode's qemu PID.
netflow Row computed from packet capture on cfg.bridge_iface for traffic involving this episode's target VM during the episode wall-clock window.
perf Row produced by perf (or equivalent) sampling this episode's qemu PID. Not from a previous run, not from a different PID.
guest Row received from the in-guest agent over the virtio-serial channel during the episode wall-clock window. The agent must be running in this episode's guest, not a stale one.
pcap Bytes captured from cfg.bridge_iface during the episode wall-clock window, written to network.pcap.

For each phase, "label justified" means the corresponding event was observed:

Phase Justified by
clean Episode start (orchestrator-emitted).
armed Orchestrator instructs the driver to fire (orchestrator-emitted).
infecting exploit_fire event observed in events.jsonl.
infected_running session_open event observed in events.jsonl. Not session_open_timeout, not schedule-clock.
dormant Observed in-session idle (no traffic / no command activity for N seconds).
failed session_open_timeout or other terminal driver failure. Episode is rejected (§4.6).

A row that doesn't meet the ground-truth bar is not a row. A label that isn't justified is not a label. The acceptance gate (§4.6) enforces both.

11. Honest reporting

When you (a future session) report status to the operator:

  • Distinguish merged from verified. "Code merged" is not "behavior verified in production." A passing test on a CI host is not the same as a working system on a lab host.
  • Distinguish proposed from implemented. "I proposed X" is not "X is in the repo."
  • Audit your cumulative pattern. At the end of a session, re-read your own changes against §7. It is possible to add three reasonable-looking layers in sequence that cumulatively form a compensating-layer pattern, even if no individual one looks like a bandaid.
  • Name compensating layers you've built. If §7 audit finds matches, name them and propose their removal.
  • Don't summarize cumulative changes as "fixes" without auditing. "I shipped 12 commits this session" is not the same as "the pipeline is honest now."
  • Verify before agreeing or refuting. When the operator says something is done that you can verify, verify it before agreeing. When they say something is broken that you can verify, verify it before refuting.

12. Glossary

Terms used throughout this document, pinned to one definition.

Term Definition
Canonical manifest The single, version-pinned manifest.toml at the repo root. Every host loads this exact file. There is no per-host override (§4.1).
Active set The collectors enabled in the canonical manifest for a given run. A collector is in the active set only if it has passed admission criteria (§4.4).
Catalog The set of exploit modules in exploits/modules/*.toml that have passed admission (§4.3). Modules not in the catalog do not run.
Ground truth A row or label is ground truth when it was emitted by the underlying mechanism for this episode, with the justifying event observed. See §10.
Episode boundary An episode begins when the orchestrator emits the first clean label and ends when done.marker is written or the episode is moved to rejected/. All collector rows must fall inside this wall-clock window.
Configured collector A collector listed as enabled in the canonical manifest. Distinct from "running collector" (the process actually started) and "active set" (the manifest-listed plus admission-passing intersection). For acceptance purposes, only the configured set matters.
Admission criteria The bar a module / collector / target / override knob must pass to be in the active pipeline. See §4.3, §4.4, §13.
Honest Of an episode: every label justified by an observed event, every configured collector emitted ≥1 ground-truth row, working tree was clean (or override-stamped), HEAD on origin/main. Of the pipeline: every accepted episode is honest.
Bandaid / compensating layer A layer that absorbs a failure mode upstream of itself instead of fixing the upstream cause. See §7.1.
Override A knob that loosens an admission criterion or gate. There is exactly one — CIS490_ALLOW_DIRTY (§14).
Operator The human maintainer with sign-off authority. Distinct from agents that propose changes. See §15.
Containment regression A change that weakens any of the §4.13 isolation requirements. Rejected regardless of claimed experimental value.

13. Admission scope (what triggers the bar)

Any change to the following is in admission scope and must pass §4 admission criteria + §15 operator sign-off:

  • Any module in exploits/modules/*.toml.
  • Any collector in the active set.
  • Any field of manifest.toml.
  • Any phase rule or label-emission code in the labeller.
  • Any gate in the producer or receiver.
  • Any schedule entry (phase budget, per-module timeout).
  • Any target VM build spec or its containment posture (§4.13).
  • Any override knob (the closed list in §14).

The following are NOT admission scope and can be changed without admission ceremony, but must still pass §8 decision tests:

  • Internal refactors that do not change observable behavior of any of the above.
  • Test code, fixtures, CI configuration.
  • Documentation that does not contradict §1.
  • Build/install scripts, insofar as they don't change what gets shipped or how it's labelled.

A future session that argues "this is just infrastructure" or "this is just tooling" to dodge admission scope: re-read this section. Anything that touches what gets shipped, how it's labelled, what runs on the host, the containment posture, or how the gate decides — is in scope. The "infrastructure / tooling" framing is a recurring sleight-of-hand vector and triggers automatic rejection.

14. Override knobs (closed list)

The complete list of override knobs in CIS490, version-pinned to this document:

Knob Effect Where audited
CIS490_ALLOW_DIRTY=1 (env var, orchestrator) Allows the orchestrator to start with a dirty git tree. Stamps dirty_override: true in every meta.json produced. Receiver accepts only with matching stamp. per-episode in meta.json

That is the entire list. Adding a knob to this list is itself an admission event (§13) requiring operator sign-off (§15) and an §8 review.

Knobs that have been considered and rejected (do not propose again without re-reading the rationale):

  • verify_tls=false — TLS verification is a correctness boundary; bypassing it is the defensive-instead-of-corrective pattern (§7.9).
  • skip_preflight=1 — preflight is the gate; bypassing it makes the gate non-functional.
  • experimental_collector=true — bypassing collector admission is the single-instance-fix pattern (§7.3) wearing a flag.
  • diagnostic_mode=true — generic bypass; in practice would be applied to hide failures, not investigate them.
  • dry_run for the producer — episodes that aren't shipped go to rejected/; no dry-run flag needed.

If a future session proposes a new override knob, the burden is on the proposal: pass §8, get operator sign-off, amend §14 in the same merge. "Add the knob now and amend §14 later" is the phasing-as-deferral pattern (§7.2) applied to documentation.

15. Sign-off discipline

Admission decisions are made by the operator, not by agents acting alone. Specifically:

  • Adding a module to the catalog requires operator sign-off. An agent runs scripts/verify-catalog.sh, presents the verification result, and the operator decides whether the module enters the catalog.
  • Adding a collector to the active set requires operator sign-off. Agent runs the emit-test, operator decides.
  • Promoting a target VM build requires operator sign-off after §4.2 verification and §4.13 containment tests pass.
  • Adding an override knob (§14) requires operator sign-off.
  • Amending PIPELINE.md requires operator sign-off (§16).

Removing anything from the catalog or active set does NOT require operator sign-off — the bar is asymmetric. Tightening is always permitted; loosening requires sign-off.

The operator is the human with maintainer credentials on the repository. Agents propose, run verification, and present results; the operator decides admission.

If an agent is acting in a non-interactive context (CI run, scheduled job) where no operator is available to sign off, the agent does not admit anything. It produces verification output and stops.

16. Amending PIPELINE.md

This document is not immutable, but it is the canonical statement of the bar. Amendments are governed by the same discipline as admission decisions:

  1. Any change to §1 (principle), §4 (fix items), §7 (anti-patterns), §8 (decision tests), §10 (ground truth), §13 (admission scope), §14 (override list), or §15 (sign-off) is a substantive amendment.
  2. Substantive amendments require operator sign-off (§15) and must pass §8 decision tests applied to the amendment itself.
  3. The amendment lands in the same merge as the code change it justifies. "Amend the doc later" is the phasing pattern (§7.2).
  4. Editorial changes (typos, formatting, link fixes, glossary wording) do not require sign-off but should be flagged in the commit message.

A future session that wants to add a feature or layer the document forbids: the path is to amend the document, not to work around it. "This isn't covered by PIPELINE.md, so I'll just do it" is the out-of-scope-for-correctness pattern (§7.8) applied to the meta-document. Anything that touches admission scope (§13) is covered even if not named explicitly.

If you find the document is wrong — internally inconsistent, contradicts observed reality, prescribes something impossible — file a Forgejo issue against the repo with the contradiction documented. Do not silently work around the doc.

17. What this plan supersedes

The following docs are deleted or rewritten as part of landing this plan:

Doc Action
FIXYOURSELF.md Deleted. Compensating-layer doc; the states it covers don't exist after §4.6.
AGENTS.md "symptom→fix table" Deleted. Bandaid-driven.
AGENTS.md "Hosts self-update" section Deleted. Hosts run pinned commits.
AGENTS.md "Tier 3+4 deploy zero-touch" claim Rewritten. Targets are built locally now, not auto-fetched.
AGENTS.md "trust the in-guest probe alone, cross-check host CPU" Deleted. The producer-side gate makes this fictional cross-check unnecessary.
TIER3-BRINGUP.md Kept as historical record — labelled bug report, not current guidance.
README.md Tier-3+4 narrative Reviewed and aligned.

If you are a future session reading this and find another doc that contradicts §1§6 of this file: this file is right and the other doc is wrong. Fix the other doc.