Start with scenario labs and secure baseline. Use this page to sign off a POC or challenge marketing claims.
Evaluation & coverage
Run the POC scorecard, then use the matrix for vector-by-vector honesty.
POC scorecard
~30–40 min with baseline applied. Check each row before production claims.
| # | Action | Pass criteria |
|---|---|---|
| 1 | Install TURI + approve ES/NE extensions | `macfirewall_security_events.jsonl` receives AUTH events within 5 min |
| 2 | Apply /docs/secure-baseline policy fragment | `jq` shows enforce + `supply_chain_install_gate_enabled: true` |
| 3 | Run Lab 1 — npm postinstall chain (`mf test-intercept`); lab on Scenarios | `grep` shows `transitive_package_execution`; baseline adds block/intercept |
| 4 | Run Lab 2 — secret read → egress simulation; lab on Scenarios | `fileOpen` + behavioral chain; baseline shows `fileOpenBlocked` or NE drop |
| 5 | Run Lab 3 — ungoverned runner from IDE; lab on Scenarios | `execBlocked` on raw `node` under enforce; `mf wrap` path allows with lineage |
| 6 | Run Lab 4 — MCP tool reads secrets then phones home; lab on Scenarios | Behavioral alert on read→connect chain; baseline shows `fileOpenBlocked` or NE drop + quarantine |
| 7 | Run Lab 5 — prompt injection triggers local file modification; lab on Scenarios | `execBlocked` or `fileWriteBlocked` under enforce; `agent_self_modification` rule fires in monitor |
| 8 | Review /docs/evaluation matrix for remaining gaps | POC owner signs off on supply-chain async vs sync limits |
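As an added example (not TURI's own tooling), a Python stand-in for the `jq` and `grep` checks in rows 1 to 7: it evaluates each row's pass criterion against constructed sample lines shaped like `macfirewall_security_events.jsonl`. The event field names (`ts`, `type`, `rule`, `action`) and the policy keys `mode` and `supply_chain_install_gate_enabled` are assumptions about the schema, not the product's published format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample data. The field names (ts, type, rule, action) and the policy
# keys "mode" / "supply_chain_install_gate_enabled" are assumptions about the JSONL
# and policy-fragment shapes, not the product's published schema.
POLICY = '{"mode": "enforce", "supply_chain_install_gate_enabled": true}'
LAB1_EVENTS = """\
{"ts": "2024-05-01T10:00:05Z", "type": "AUTH", "rule": null, "action": "allow"}
{"ts": "2024-05-01T10:02:10Z", "type": "AUTH", "rule": "transitive_package_execution", "action": "block"}
"""
LAB5_EVENTS = """\
{"ts": "2024-05-01T11:00:00Z", "type": "AUTH", "rule": "fileWriteBlocked", "action": "block"}
{"ts": "2024-05-01T11:00:01Z", "type": "BEHAVIORAL", "rule": "agent_self_modification", "action": "alert"}
"""

def parse_events(jsonl):
    """One JSON object per line, as in macfirewall_security_events.jsonl."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def baseline_applied(policy_json):
    """Row 2: the condition the scorecard checks with jq (enforce + gate on)."""
    p = json.loads(policy_json)
    return p.get("mode") == "enforce" and p.get("supply_chain_install_gate_enabled") is True

def check_row(row, events, policy_json=POLICY):
    """True when the row's pass criterion is met by the events captured for that lab; None for row 8 (manual sign-off)."""
    def fired(*actions):  # rule names that produced one of the given actions
        return {e["rule"] for e in events if e["action"] in actions}
    blocked, alerted = fired("block", "intercept"), fired("alert")
    ne_drop = any(e["type"] == "NE" and e["action"] == "drop" for e in events)
    quarantined = any(e["action"] == "quarantine" for e in events)
    start = min((e["ts"] for e in events), default=None)  # earliest event stands in for install time
    checks = {
        1: lambda: any(e["type"] == "AUTH" and e["ts"] - start <= timedelta(minutes=5) for e in events),
        2: lambda: baseline_applied(policy_json),
        3: lambda: "transitive_package_execution" in blocked,
        4: lambda: "fileOpenBlocked" in blocked or ne_drop,
        5: lambda: "execBlocked" in blocked,
        6: lambda: ("fileOpenBlocked" in blocked or ne_drop) and quarantined,
        7: lambda: bool({"execBlocked", "fileWriteBlocked"} & blocked) and "agent_self_modification" in alerted,
    }
    return checks[row]() if row in checks else None
```

Feed each row the events captured while its lab ran; a row that passes in monitor mode but not under the baseline is the gap the matrix below is meant to surface.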
Runtime firewall vs attack vectors

| Coverage | Attack vector | Claim | Today | Hardened |
|---|---|---|---|---|
| partial | Supply chain (postinstall RAT) | Critical / High — block package manager → system scripting | Alerts on suspicious postinstall chains; sync gate available but off by default | Sync gate on + promoted block rules + propagated install contracts |
| strong | Credential & identity theft | High — file access governance | File access governance on AI-initiated processes; sensitive path enforcement | Enforce mode + workspace allowlist policy |
| partial | Data exfiltration | High — read mapped to egress | Causal graph links credential access to network egress; behavioral network gating | Default-deny egress + lower behavioral threshold |
| partial | Infrastructure / local SSRF | Moderate — loopback isolation | Blocks private/loopback egress during install; MCP metadata service protection | Expanded intent-based egress rules beyond install context |
| N/A | Vulnerable code generation | Low — execution guard only | No runtime signal for insecure generated source code | n/a — use SAST upstream |
Known gaps (default policy)
- `transitive_package_execution` and `polyglot_execution_pivot` are alert-only by default.
- Vanilla `npm install` does not mint semantic install contracts without `mf wrap` / capability tokens.
- Supply-chain install gate defaults to off.
- Behavioral ingest is async — not always preemptive AUTH deny.
- LiteLLM-style `exec(base64…)` vs `base64 -d |` — see ungoverned runner scenario.
- K8s / in-cluster preemptive kill — out of scope; see non-coverage note.
How to harden
Apply the secure baseline, then run the scenario labs. Design partner tuning for false positives: see Partners.