TURI
    The AI agent firewall for macOS — runtime execution governance at the endpoint.

MacFirewall
    Internal engineering codename — app, extensions, Swift packages. Customer-facing name is TURI.

DriftCop
    Internal name for the policy JSON format and supply-chain broker semantics.

Endpoint Security extension
    Sandboxed ES client — AUTH path (not a custom KEXT).

enforcement_mode
    Policy key: monitor (log) vs enforce (drop/deny).

Observation mode
    App toggle isObservationModeSync — workflow simulate.

ExecGovernor
    Primary AUTH_EXEC evaluator from threat matrix + ancestry.

DECIDE
    Supply-chain install gate reading local verdict cache.

VerdictCache
    mmap macfirewall_verdicts.bin — async scores to sync ES.

decision_hash
    SHA-256 audit digest for SIEM replay of install/exec decisions.

CompiledIR
    PolicyGraph IR evaluated by IRExecutionEngine.

RuleEvaluator
    FSM step-rule engine over AgentEvent streams.

BehavioralVelocityEngine
    Host-app actor: ingests AgentEvents, runs rules, flushes VerdictCache.

CausalGraph
    In-process DAG linking exec, file, network, and semantic install nodes.

Graph invariant
    Structural rule (e.g. orphanExecution) evaluated on the DAG, not a verb sequence.