docs: pre-release hygiene pass — remove aspirational + paid-tier-leaking docs #179
…or/API/CLI) DaemonEye has not shipped a v1.0.0 release yet, so the user-facing installation, deployment, operator, configuration, API reference, and CLI reference docs in docs/src/ describe features users cannot actually use. Equivalent content is preserved in Confluence space ES (Installation 1802370, Docker 1802371, Kubernetes 1802372, Configuration 1802373/1802375, Core API 1802366, CLI 1802368, plus archived ProcMonD-era operator content) per the open-core hygiene workflow's verify-before-delete rule.
Removed:
- docs/src/deployment.md and the deployment/ directory
- docs/src/user-guides.md and the user-guides/ directory
- docs/src/api-reference.md and the api-reference/ directory
- docs/src/cli-reference.md (orphaned — never linked from SUMMARY.md)
Updated:
- docs/src/SUMMARY.md — drop deleted-doc TOC entries
- docs/src/introduction.md — trim Documentation Structure / Quick Links / Getting Help sections; replace "Multi-tier Architecture" feature bullet with explicit Community-tier-only boundary acknowledgement
- docs/src/getting-started.md — replace Next Steps links to deleted operator/configuration/deployment docs with pointers to surviving architecture/technical/security/contributing sections
- docs/src/project-overview.md — fix Next Steps links and add v1.0.0 publication note for operator/configuration guides
Local docs/book/pricing.html (orphan mdbook artifact, gitignored) was also removed locally; not part of this commit.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Steering docs are auto-loaded into agent context, so paid-tier feature
enumerations there are direct violations of the open-core hygiene rule
in AGENTS.md. Equivalent commercial-tier content is preserved in
Confluence space ES (Feature Tiers 1802352, Business Tier 1802362,
Enterprise Tier 1802363, Architecture Overview 1802349).
Removed:
- .kiro/steering/product.md — pure paid-tier product overview
(Free/Business/Enterprise tier tables); superseded by Confluence
PRD 11599874 and the Project Overview pages
- spec/structure.md — older duplicate of .kiro/steering/structure.md
- spec/tech.md — older duplicate of .kiro/steering/tech.md
Edited:
- .kiro/steering/structure.md
* Removed phantom security-center/ and project_spec/ entries from
workspace tree
* Replaced Free/Business/Enterprise "Deployment Tiers" enumeration
with a single boundary-acknowledgement footnote
* Removed the security-center/ component subsection
* Replaced it with collector-core/ and daemoneye-eventbus/ subsections
that actually exist in this repo
* Dropped Business/Enterprise Tables subsection from Database Schema
Design and the federated-storage / kernel-event bullets from Access
Patterns
- .kiro/steering/tech.md
* Trimmed Phase 3 ("kernel-level real-time monitoring (Enterprise tier)")
from the Process Enumeration phasing list
* Removed the Kernel Monitoring (Enterprise Tier) subsection
* Removed the Enterprise Security Features subsection
* Added a single boundary footnote for kernel-level monitoring
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
The "Advanced Security Features (Enterprise Tier)" subsection in SECURITY.md enumerated paid-tier features (mTLS for fleet aggregation, SLSA Level 3, Cosign) inside an OSS-repo policy doc. Per the open-core hygiene workflow, that's a violation — the OSS repo should not enumerate paid-tier specifics. Reframed the section as "Planned Hardening (Community Tier)" containing only items that are actually planned for the OSS Community tier: Merkle inclusion proofs (in progress), Cosign signatures, sandboxed execution, query whitelist. Added a single boundary footnote acknowledging that fleet-level mTLS between host agents and upstream aggregators belongs to commercial tiers, not this repo. The canonical security overview lives in Confluence pages 1802346 / 1802364 (DaemonEye Security Design Overview). Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
…ty_design_overview
Phase 7 of the open-core hygiene workflow — file-level deletion and
top-level scrubs miss inline pollution. Remaining hits in OSS user-
facing docs were tier-mapped Organizational Context lines and
Cross-Platform Support entries that put "(Enterprise tier)" labels
on kernel-collector capabilities the OSS repo does not provide.
Edited:
- docs/src/project-overview.md
* Replaced the four-line tier-mapped Organizational Context table
(Small Teams=Core, Consultancies=Business, Enterprises=Enterprise,
Government/Military=airgapped) with a single boundary-acknowledgement
paragraph describing which deployments this repo serves directly
and which are commercial-tier responsibilities
* Reframed Cross-Platform Support entries to describe the actual
sysinfo-based collection that the OSS Community tier delivers,
moving eBPF / ETW / EndpointSecurity to a single boundary footnote
- docs/src/technical/security_design_overview.md
* SC-36 (Distributed Processing and Storage) — replaced the
"federated security centers, distributed data storage, and secure
inter-node communication" implementation note with a boundary
footnote pointing at commercial tiers
Final grep sweep confirms all remaining "tier" mentions in tracked
OSS docs are boundary footnotes (the preferred pattern from the
hygiene workflow), not paid-tier feature claims.
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Summary by CodeRabbit
Walkthrough: This PR removes large swaths of user, API, deployment, and spec documentation and refocuses the repository on the Community (agent-side) tier, adding collector-core and daemoneye-eventbus to the workspace and explicitly pushing commercial/kernel-level collectors and fleet-level responsibilities out-of-repo.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Merge Protections: Your pull request matches the following merge protections and will not be merged until they are valid.
- 🟢 Enforce conventional commit (succeeded): Require conventional commit format per https://www.conventionalcommits.org/en/v1.0.0/. Skipped for dependabot and dosubot.
- 🟢 Full CI must pass (succeeded): All CI checks must pass. Activates for non-bot authors, or dependabot when files exist outside .github/workflows/.
- 🟢 Do not merge outdated PRs (succeeded): Make sure PRs are within 3 commits of the base branch before merging.
Pull request overview
This PR performs a pre-release documentation hygiene pass by removing aspirational user-facing docs and scrubbing paid-tier/commercial-only specifics from the OSS repository documentation set.
Changes:
- Deleted pre-release user-facing docs (deployment, operator/config guides, CLI/API reference) and removed TOC/SUMMARY entries that referenced them.
- Removed duplicated spec docs and a paid-tier-focused steering doc; updated steering docs to reflect only the OSS repo’s shipped components and boundaries.
- Updated remaining docs to reframe tier references as boundary notes and adjust internal cross-links accordingly.
Reviewed changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| spec/tech.md | Deleted older technical stack spec to avoid duplicating/overstating capabilities. |
| spec/structure.md | Deleted older structure spec that included paid-tier components/tiering. |
| docs/src/user-guides/operator-guide.md | Deleted pre-release operator guide content. |
| docs/src/user-guides/configuration.md | Deleted pre-release configuration guide content. |
| docs/src/user-guides.md | Deleted pre-release user-guides index page. |
| docs/src/technical/security_design_overview.md | Reworded a commercial-only distributed processing note to avoid implying in-repo implementation. |
| docs/src/project-overview.md | Removed tier mapping language, corrected cross-platform positioning, and updated “Next steps” links away from deleted docs. |
| docs/src/introduction.md | Reframed intro as pre-release/architecture-focused and removed links to deleted user-facing docs. |
| docs/src/getting-started.md | Updated “Next steps” to point to architecture/technical/security docs instead of deleted operator/config/deployment pages. |
| docs/src/deployment/kubernetes.md | Deleted pre-release Kubernetes deployment guide. |
| docs/src/deployment/installation.md | Deleted pre-release installation guide. |
| docs/src/deployment/docker.md | Deleted pre-release Docker deployment guide. |
| docs/src/deployment/configuration.md | Deleted pre-release deployment configuration guide. |
| docs/src/deployment.md | Deleted pre-release deployment index page. |
| docs/src/cli-reference.md | Deleted pre-release CLI reference page. |
| docs/src/api-reference/core-api.md | Deleted pre-release core API reference page. |
| docs/src/api-reference.md | Deleted pre-release API reference index page. |
| docs/src/SUMMARY.md | Removed SUMMARY entries for deleted user-guide/deployment/api sections. |
| SECURITY.md | Renamed/rewrote enterprise-tier section into community-tier “Planned Hardening” with a commercial-boundary footnote. |
| .kiro/steering/tech.md | Removed enterprise-tier sections and replaced with a boundary note for kernel-level monitoring. |
| .kiro/steering/structure.md | Updated workspace tree to match actual repo components and removed tier tables/paid-tier tables. |
| .kiro/steering/product.md | Deleted paid-tier product overview content. |
Related Documentation: 1 document(s) may need updating based on files changed in this PR: DaemonEye README
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@.kiro/steering/structure.md`:
- Line 46: Update the modules list in the steering document to reflect the actual implementation: modify the line that currently lists "config, models, storage, detection, alerting, crypto, telemetry" to include the two feature-gated modules from daemoneye-lib (kernel.rs and network.rs) and mark their feature flags—e.g., append "(feature-gated: kernel-monitoring, network-correlation)" or add a short parenthetical note indicating they are Commercial-tier/feature-gated; reference the module names kernel.rs and network.rs and the feature names kernel-monitoring and network-correlation so readers know these are gated enterprise features (or alternatively add a one-sentence removal/timeline note if you intend to deprecate them).
In `@.kiro/steering/tech.md`:
- Line 132: Replace the compound adjective "commercial tier collectors" with the hyphenated form "commercial-tier collectors" in the sentence beginning "Kernel-level monitoring (eBPF / ETW / EndpointSecurity)..." so the compound adjective is correctly hyphenated before the noun; update the phrase wherever that exact wording appears to follow the documentation style guide.
In `@docs/src/introduction.md`:
- Line 18: Update the sentence containing "commercial tier collectors" in the introduction paragraph so the compound adjective is hyphenated: change "commercial tier collectors" to "commercial-tier collectors" (preserve surrounding wording in the sentence that begins with "DaemonEye is distributed as open-core" and references "Commercial tiers (fleet management, GUI, federation, kernel-level collectors) ..."). Ensure the hyphenated form matches other boundary statements for consistency.
…ation Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@README.md`:
- Around line 163-169: Add an explicit security boundary note referencing SECURITY.md that clarifies responsibilities for RPC/auth/transport for the components mentioned (RPC services, daemoneye-eventbus, daemoneye-agent): state that RPC services require authentication/authorization, enforce transport security (TLS or OS-level IPC protections) for Unix domain sockets, named pipes and embedded broker traffic, document who is responsible for fleet-level remote deployment hardening, and call out that correlation IDs must be treated as untrusted input (sanitization/logging policy). Place this as a short bullet or footnote adjacent to the "RPC services" and "Event bus"/"Embedded broker" entries and add a one-line pointer to SECURITY.md for operational procedures.
- Line 172: The README currently instructs to run the non-existent `just docs-install` target; update the documentation to use the correct mdBook build sequence by replacing `just docs-install` with either `mise install && mdbook build docs` or `just setup && mdbook build docs`, or alternatively add a `docs-install` target to the Justfile that runs the same setup steps; reference the existing tooling configs (`mise.toml` and `docs/book.toml`) to ensure the chosen command matches project setup and update the README line accordingly.
`just --fmt` prefers the bare `set X` form over `set X := true` for boolean defaults. Re-running the formatter against the working tree brings the file back into the format the lint check enforces. This unblocks `just lint-justfile` (and `just ci-check` by extension), which was failing on this drift independently of any other work on the branch. Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Rewrite the SECURITY.md content to drop AI-flavored writing patterns that had crept in: circular bullet labels (Defense in Depth: multiple security layers...), generic platitudes in For Users / For Developers, em-dash overuse, the "Note:" hedge, and the "three-component" claim that mismatched the four-bullet component list. Replace circular descriptions with concrete project-specific behavior (procmond/agent/cli ledger access, BLAKE3 chain, IPC framing, audit ledger review steps, CI advisory enforcement). Drop the duplicate If Accepted / If Declined block that restated the response timeline. No policy or contact details changed - all email, PGP, GitHub advisory, and resolution-timeline information is preserved. Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Resolve eight inline review threads from CodeRabbit and Copilot on PR #179:
- docs/src/project-overview.md:137 — drop the bare "procfs" claim. procfs was removed from procmond/Cargo.toml in favor of sysinfo; the doc now says "sysinfo (procfs access through the sysinfo abstraction; the workspace does not depend on the procfs crate directly)".
- docs/src/introduction.md:14 — drop the "Ed25519-signed events" claim. daemoneye-lib/src/crypto.rs implements BLAKE3 hashing only; Ed25519 is planned, not yet present. Note this explicitly.
- .kiro/steering/structure.md:46 — replace the stale six-module list with the actual lib.rs surface: always-on (config, crypto, integrity, ipc, models, proto, storage, telemetry) plus the feature-gated modules (alerting, collection, detection, kernel, network) with their Cargo feature names. Mark kernel/network as commercial-tier-backed.
- .kiro/steering/tech.md:132 and docs/src/introduction.md:18 — hyphenate "commercial-tier" when used as a compound adjective before a noun, matching the rest of the boundary statements.
- README.md:167 (was :169) — add a SECURITY.md pointer under the RPC services bullet covering transport security, authn/authz, and fleet-level deployment responsibilities.
- README.md:172 — replace the broken `just docs-install` reference with the actual workflow: `mise install` (which provisions mdbook + plugins per mise.toml) then `mdbook build docs`.
Refs: #179
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Actionable comments posted: 2
♻️ Duplicate comments (1)
README.md (1)
172-172: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win: Docs build guidance is still inconsistent across the README.
Line 172 correctly uses `mise install` + `mdbook build docs`, but the Requirements section still references `just docs-install` (non-existent). Please remove or replace that stale command so users get one valid path.
Proposed doc fix:
-- Optional developer tools: cargo-nextest, cargo-llvm-cov, cargo-audit, cargo-deny, cargo-release, goreleaser, mdbook (install via `just install-tools` and `just docs-install`) +- Optional developer tools: cargo-nextest, cargo-llvm-cov, cargo-audit, cargo-deny, cargo-release, goreleaser, mdbook (install via `just install-tools` or `mise install`)As per coding guidelines,
`*.md` docs must be accurate and operationally relevant.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@README.md` at line 172, Update the README.md to remove the stale `just docs-install` reference in the Requirements section and replace it with the correct single path used elsewhere: instruct users to run `mise install` (to install mdBook and plugins) followed by `mdbook build docs`; ensure the Requirements text matches the existing guidance that currently references `mise install` + `mdbook build docs` so there is one consistent, operational command path across the file.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@.kiro/steering/structure.md`:
- Around line 5-14: The heading "three-component security architecture" is inconsistent with the listed workspace entries (procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib, collector-core, daemoneye-eventbus); update the sentence in the DaemonEye/ header to accurately reflect the structure (e.g., "multi-component" or "six-component"), or rephrase to describe the privilege separation model instead of a numeric component count, and ensure any mention of "three-component" is removed or corrected throughout the DaemonEye/ section to preserve architectural consistency.
In `@SECURITY.md`:
- Around line 16-22: Update SECURITY.md to include the missing workspace components by adding entries for collector-core and daemoneye-eventbus and describe their trust/privilege boundaries and IPC surfaces: state that collector-core is a low-level collection crate/binary (or library) used by procmond with the same elevated/runtime-limited privilege model and explain any direct kernel/host interactions, and state that daemoneye-eventbus is the IPC/broker component (its transport, auth model, and which processes publish/subscribe) and describe its attack surface and mitigation (e.g., auth, ACLs, encryption). Ensure you reference the existing items (procmond, daemoneye-agent, daemoneye-cli, daemoneye-lib) and explicitly document how collector-core and daemoneye-eventbus affect in-repo trust boundaries and IPC broker assumptions so the security inventory is complete and operationally actionable.
Two new CodeRabbit threads after the previous push:
SECURITY.md:18-22 (individual, Major): The Security Architecture inventory listed three binaries plus daemoneye-lib but omitted collector-core and daemoneye-eventbus, under-documenting the in-repo trust boundaries and IPC/broker attack surface. Added entries for both supporting crates with brief privilege/transport descriptions; reworded the lead-in to say "three supporting library crates" instead of the singular "a shared library".
.kiro/steering/structure.md (cluster, holistic sweep): The reviewer flagged the line-5 "three-component security architecture" claim as inconsistent with the six-crate workspace listed below it. Cross-invocation gate fired (this is the second round of factual-accuracy feedback on this same file in this PR), so this commit reads the file holistically and fixes everything stale that I found while in there:
- Line 5: "three-component" headline replaced with "privilege-separated runtime architecture within a six-crate workspace" matching the actual layout.
- Line 65: MSRV claim updated from "1.85+" to "1.95+", matching Cargo.toml's workspace `rust-version`.
- Line 70: malformed commit-instructions.md link (`#\[[file:.github/...]\]`) replaced with a real relative link.
- Lines 74-82: stale Module Organization pseudo-code (which hard-coded a six-module list missing integrity, ipc, proto, telemetry, and the feature-gated modules, and had a comment collision on the `storage` line) replaced with a pointer to the authoritative daemoneye-lib section earlier in the doc.
- Lines 121-123, 188-189: "DaemonEye_*" env-var prefix and "/etc/DaemonEye/" / "~/.config/DaemonEye/" config paths corrected to the actual lowercase forms used by the codebase (DAEMONEYE_AGENT_*, DAEMONEYE_CLI_*, PROCMOND_*, and lowercase `daemoneye` directories).
- Line 194: "project_spec/" replaced with "spec/", which is the directory that actually exists in the workspace.
- Line 196: "Operator Guide: User-facing documentation in `docs/`" rewritten to describe the mdBook docs layout, since the user-facing operator guide content was removed earlier in this PR.
Refs: #179
Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
| prettier = "3.8.3" | ||
| actionlint = "1.7.12" | ||
| lychee = "0.23.0" | ||
| markdownlint-cli2 = "0.22.0" | ||
| protobuf = "34.0" | ||
| protoc = "34.0" | ||
| markdownlint-cli2 = "0.22.1" | ||
| protobuf = "34.1" | ||
| protoc = "34.1" |
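Review bot: the markdownlint-cli2, protobuf and protoc bumps in this hunk come with a regenerated mise.lock that the automated review skipped (it is listed above as excluded by the `!**/*.lock` path filter), so the lock entries for these three tools need a manual check against the pins here; protoc is a build-time code generator, so if the build regenerates the proto module from it, the PR body should also say whether the generated output changed.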
This PR is described as a docs hygiene pass, but it also bumps dev-tool versions (markdownlint-cli2, protobuf/protoc) and regenerates the lockfile. Please either (a) mention these tooling bumps explicitly in the PR description/test plan, or (b) split them into a separate PR to keep the docs hygiene change isolated.
| - **SQL injection prevention**: AST validation via sqlparser at rule load time [Implemented]. Execution-time enforcement of the SELECT-only/whitelist policy is [Planned]; the current engine uses category-based pattern matching. | ||
| - **Credential handling**: Secrets come from environment variables or the OS keychain. Nothing is hardcoded. | ||
| - **Attack surface**: No inbound network listeners. Alert delivery is outbound-only. | ||
| - **Audit trail**: BLAKE3 hash-chained audit ledger [Implemented]. Certificate Transparency-style Merkle tree inclusion proofs are [In Progress]; the generator currently returns an empty vec in `crypto.rs`. |
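Review bot: the "Attack surface" bullet in this hunk says there are no inbound network listeners, but the IPC threads on this PR describe daemoneye-eventbus accepting connections over Unix domain sockets and named pipes with optional token authentication, which are still local listening endpoints an operator has to reason about. Suggest qualifying it, e.g. "No inbound network listeners; the only listening endpoints are local IPC sockets/named pipes, covered by the IPC controls described below", so the bullet and the IPC section state the same boundary.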
This line hard-codes an internal implementation detail ("returns an empty vec in crypto.rs") that is likely to become stale and can confuse readers once the code changes. Prefer describing the status at a higher level (e.g., "inclusion proof generation not implemented yet") and, if you want a concrete reference, link to a tracking issue/PR instead of a specific file/behavior.
| - **Audit trail**: BLAKE3 hash-chained audit ledger [Implemented]. Certificate Transparency-style Merkle tree inclusion proofs are [In Progress]; the generator currently returns an empty vec in `crypto.rs`. | |
| - **Audit trail**: BLAKE3 hash-chained audit ledger [Implemented]. Certificate Transparency-style Merkle tree inclusion proofs are [In Progress]; inclusion proof generation is not implemented yet. |
| - **Air-Gap Friendly**: Fully functional offline; no automatic egress | ||
| - **Security-Focused**: Built with security best practices and minimal attack surface | ||
|
|
||
| DaemonEye is distributed as open-core. This repository contains the Community tier — the agent-side foundation. Commercial-tier offerings (fleet management, GUI, federation, kernel-level collectors) extend this foundation and are sold separately through evilbitlabs.io; they are not in this repo. |
The commercial site is referenced as plain text (evilbitlabs.io). In mdBook (and for link checkers like lychee), it’s more reliable to use an explicit URL (e.g., https://evilbitlabs.io) so it’s consistently rendered as a clickable link and validated correctly.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.kiro/steering/structure.md (2)
5-24: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win: Add a Mermaid diagram for privilege separation + IPC/eventbus boundaries.
The document is heavy on structured prose and a text tree (Lines 5-15), but it doesn't include a Mermaid diagram. Given the security-first goal ("privilege-separated runtime architecture" and IPC broker responsibilities), adding a small Mermaid flow diagram would make operator mental models faster and reduce misinterpretation between crates/binaries.
Example targets:
- privilege boundary: procmond (elevated) → daemoneye-agent (user-space orchestration) → daemoneye-cli (read-only)
- IPC/eventbus boundary: where daemoneye-eventbus sits and what transports are used
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/steering/structure.md around lines 5 - 24, Add a small Mermaid flow diagram after the repo tree that visually shows privilege separation and IPC/eventbus boundaries: create nodes for procmond (elevated), daemoneye-agent (user-space orchestrator), daemoneye-cli (read-only), daemoneye-eventbus (IPC broker), collector-core and daemoneye-lib (shared libs), draw directed edges illustrating procmond → daemoneye-agent → daemoneye-cli for control/visibility and connect each binary to daemoneye-eventbus with labeled edges for transport types (e.g., Unix socket / inproc / RPC), and visually mark the privilege boundary (elevated vs user) so readers can immediately see which crate runs privileged and where IPC goes.
151-157: ⚠️ Potential issue | 🟠 Major: structure.md SQL injection prevention section misrepresents execution-time enforcement maturity.
The SQL Injection Prevention section (Lines 151-157) lists "Prepared statements and parameterized queries only" and "Query whitelist preventing data modification operations" as current security controls. However, SECURITY.md explicitly states that execution-time enforcement is [Planned], with the current engine using category-based pattern matching instead (Line 44). Additionally, "Sandboxed detection rule execution" is listed as [Planned] hardening, not implemented.
Rule execution code in `trigger.rs` confirms AST parsing and pattern validation occur at load time, but there is no evidence of prepared statement binding or runtime sandboxing in the execution path. Update `structure.md` to clearly distinguish between:
- Implemented: AST validation via sqlparser at rule load time; pattern-based injection detection
- Planned: Execution-time whitelist enforcement, prepared statement binding, sandboxed execution with resource isolation
Operators must have accurate threat models. Misaligned documentation creates false confidence in protections that are still in development.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.kiro/steering/structure.md around lines 151 - 157, Update the SQL Injection Prevention section in structure.md to accurately reflect current vs planned controls: mark "AST validation using sqlparser" and "pattern-based injection detection at rule load time" as Implemented, and move "Prepared statements and parameterized queries only", "Query whitelist preventing data modification operations", and "Sandboxed detection rule execution with resource limits" to Planned; reference the runtime behavior confirmed in trigger.rs (AST parsing and pattern validation at load time) in a short note so operators know execution-time enforcement (prepared binding/whitelisting/sandboxing) is not yet implemented.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@SECURITY.md`:
- Around line 27-31: Update SECURITY.md to clarify that CRC32 framing only detects accidental corruption, and explicitly document the existing optional token authentication and the planned encryption: state that "CRC32 framing: detects accidental corruption only, not adversarial tampering"; add a "Token authentication (current)" bullet explaining the optional blake3-hashed token exchanged on connection and that it is enabled via the auth_enabled flag in daemoneye-eventbus to prevent unauthorized local connections; and add an "Encryption (planned)" bullet noting transport-layer encryption is not yet implemented. Also update .kiro/steering/structure.md to replace the phrase "connection authentication and optional encryption" with wording that reflects active token auth and planned encryption so both docs consistently indicate token auth is available now and encryption is future work.
---
Outside diff comments:
In @.kiro/steering/structure.md:
- Around line 5-24: Add a small Mermaid flow diagram after the repo tree that
visually shows privilege separation and IPC/eventbus boundaries: create nodes
for procmond (elevated), daemoneye-agent (user-space orchestrator),
daemoneye-cli (read-only), daemoneye-eventbus (IPC broker), collector-core and
daemoneye-lib (shared libs), draw directed edges illustrating procmond →
daemoneye-agent → daemoneye-cli for control/visibility and connect each binary
to daemoneye-eventbus with labeled edges for transport types (e.g., Unix socket
/ inproc / RPC), and visually mark the privilege boundary (elevated vs user) so
readers can immediately see which crate runs privileged and where IPC goes.
| - **Least privilege**: Components run with the minimum permissions they need. procmond is the only component that ever runs elevated, and it drops privileges after collection setup. | ||
| - **Privilege separation**: procmond writes only to the audit ledger; daemoneye-agent reads the audit ledger and reads/writes the event store; daemoneye-cli is read-only. | ||
| - **Validated IPC**: Inter-process messages use protobuf with CRC32 framing checks. There are no inbound network listeners; alert delivery is outbound-only. | ||
| - **Audit trail**: Events are recorded in a BLAKE3 hash-chained ledger. A Certificate Transparency-style Merkle tree with inclusion proofs is in progress. | ||
|
|
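Review bot: The "Audit trail" bullet mixes a shipped control (the BLAKE3 hash-chained ledger) with one that is still "in progress" (the Certificate Transparency-style Merkle tree with inclusion proofs) in a single line. Since this PR's purpose is to separate implemented from planned controls, consider keeping only the hash-chained ledger sentence here and moving the Merkle tree sentence to the new "Planned Hardening (Community Tier)" section, so the security design list describes only what ships today.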
CRC32 detects accidental corruption only—document the optional token authentication that actually exists, and clarify that "optional encryption" is not yet implemented.
Line 29 correctly identifies CRC32 as integrity framing, not authentication. However, SECURITY.md omits the actual IPC authentication mechanism that already exists: optional blake3-hashed token validation (enabled via auth_enabled flag in daemoneye-eventbus). The .kiro/steering/structure.md claims "connection authentication and optional encryption," but encryption is not yet implemented in the transport layer—only optional token auth.
Update SECURITY.md to explicitly state:
- CRC32 framing: Detects accidental corruption only, not adversarial tampering
- Token authentication (current): Optional blake3-hashed token exchanged on connection; prevents unauthorized local processes from connecting when enabled
- Encryption (planned): Not yet implemented; document as future work
Ensure consistency across both docs so operators understand which controls are active now (token auth, optional) versus aspirational (encryption).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@SECURITY.md` around lines 27 - 31, Update SECURITY.md to clarify that CRC32
framing only detects accidental corruption, and explicitly document the existing
optional token authentication and the planned encryption: state that "CRC32
framing: detects accidental corruption only, not adversarial tampering"; add a
"Token authentication (current)" bullet explaining the optional blake3-hashed
token exchanged on connection and that it is enabled via the auth_enabled flag
in daemoneye-eventbus to prevent unauthorized local connections; and add an
"Encryption (planned)" bullet noting transport-layer encryption is not yet
implemented. Also update .kiro/steering/structure.md to replace the phrase
"connection authentication and optional encryption" with wording that reflects
active token auth and planned encryption so both docs consistently indicate
token auth is available now and encryption is future work.
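An added example (not DaemonEye or daemoneye-eventbus code) showing why CRC32 framing counts as integrity against noise rather than authentication: an unkeyed CRC can be recomputed by anyone able to write to the channel, while a keyed tag cannot. It uses the standard library's keyed BLAKE2b as a stand-in for a BLAKE3-based construction; the frame layout, payload and key are constructed for the demo.

```python
import hashlib
import hmac
import struct
import zlib
from typing import Optional

# Constructed sample message standing in for a protobuf-encoded IPC event.
SAMPLE_PAYLOAD = b'{"pid":4242,"name":"sshd","action":"exec"}'
# Assumption: a per-connection shared secret (demo value, not a real one).
SAMPLE_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = 16  # bytes of keyed BLAKE2b tag; stand-in for a blake3-based design


def frame_crc(payload: bytes) -> bytes:
    """Length prefix + payload + CRC32 trailer: catches bit errors, nothing more."""
    return struct.pack("!I", len(payload)) + payload + struct.pack("!I", zlib.crc32(payload))

def verify_crc(frame: bytes) -> Optional[bytes]:
    """Return the payload if the CRC32 trailer matches, else None."""
    if len(frame) < 8:
        return None
    (n,) = struct.unpack("!I", frame[:4])
    payload, trailer = frame[4:4 + n], frame[4 + n:]
    if len(payload) != n or len(trailer) != 4:
        return None
    return payload if struct.unpack("!I", trailer)[0] == zlib.crc32(payload) else None

def frame_mac(payload: bytes, key: bytes) -> bytes:
    """Same layout, but the trailer is a keyed tag only a key holder can produce."""
    tag = hashlib.blake2b(payload, key=key, digest_size=TAG_LEN).digest()
    return struct.pack("!I", len(payload)) + payload + tag

def verify_mac(frame: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if the keyed tag verifies under `key`, else None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    (n,) = struct.unpack("!I", frame[:4])
    payload, tag = frame[4:4 + n], frame[4 + n:]
    if len(payload) != n or len(tag) != TAG_LEN:
        return None
    expected = hashlib.blake2b(payload, key=key, digest_size=TAG_LEN).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def flip_bit(frame: bytes, index: int) -> bytes:
    """Model accidental corruption: a single bit flipped in transit."""
    corrupted = bytearray(frame)
    corrupted[index] ^= 0x01
    return bytes(corrupted)
```

Both trailers catch the flipped bit; only the keyed one rejects a frame built by a party that does not hold the key.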
Summary
Pre-release documentation hygiene pass. Removes user-facing docs that describe features users can't actually use yet (the product hasn't shipped a v1.0.0 release) and scrubs paid-tier specifics that violate AGENTS.md's open-core hygiene rules. Follows the eight-phase workflow documented at docs/solutions/workflow-issues/open-core-hygiene-confluence-migration-2026-04-18.md. Equivalent commercial-tier and user-facing content is preserved in Confluence space ES (verified per file before deletion).
Commits
- 547b47f — Remove aspirational user-facing docs (install/deployment/operator/API/CLI). 11 markdown files deleted under docs/src/{deployment,user-guides,api-reference}/ plus orphaned docs/src/cli-reference.md. SUMMARY.md / introduction.md / getting-started.md / project-overview.md updated to drop or rewrite dangling links.
- 928ea19 — Scrub paid-tier specifics from steering and spec docs. Deletes .kiro/steering/product.md (pure paid-tier overview), spec/structure.md, spec/tech.md (older duplicates of the steering versions). Edits .kiro/steering/structure.md and .kiro/steering/tech.md to drop phantom security-center/ directory, Free/Business/Enterprise tier enumeration, Business/Enterprise DB tables, and the Kernel Monitoring (Enterprise Tier) and Enterprise Security Features subsections — replaced with single boundary-acknowledgement footnotes.
- f8104b8 — Remove Enterprise Tier subsection from root SECURITY.md. Reframed as "Planned Hardening (Community Tier)" with only items actually planned for the OSS tier; added a single boundary footnote for fleet-level mTLS.
- 52d59f4 — Trim residual paid-tier mentions in project-overview.md (Organizational Context tier mapping; Cross-Platform Support entries that mislabeled OSS sysinfo collection as Enterprise tier) and security_design_overview.md (SC-36 Distributed Processing federated-SC implementation note).
Verification
Test plan
mdbook build (if relevant CI step exists) succeeds with the trimmed SUMMARY.md
AI Disclosure
Used Claude Code (Claude Opus 4.7 (1M Context)) to inventory pollution, plan the four-commit structure, perform surgical edits, and verify each phase. All file changes reviewed before commit. Confluence verification was done by parallel agents reading source-of-truth pages.