From 397ac1aff22b3a7206048940f4ecfb8f6cfaed90 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 09:09:41 -0400
Subject: [PATCH 1/3] Replay RuntimeIdentityGraph on current main
---
 examples/runtime_identity_graph.json | 51 +++++++++++++++++++++++
 schemas/RuntimeIdentityGraph.json | 60 ++++++++++++++++++++++++++++
 2 files changed, 111 insertions(+)
 create mode 100644 examples/runtime_identity_graph.json
 create mode 100644 schemas/RuntimeIdentityGraph.json
diff --git a/examples/runtime_identity_graph.json b/examples/runtime_identity_graph.json
new file mode 100644
index 0000000..dd96903
--- /dev/null
+++ b/examples/runtime_identity_graph.json
@@ -0,0 +1,51 @@
+{
+ "id": "urn:srcos:runtime-identity-graph:bearbrowser_001",
+ "type": "RuntimeIdentityGraph",
+ "specVersion": "2.0.0",
+ "observedAt": "2026-05-06T22:37:03Z",
+ "rootComponentRef": "urn:srcos:component:BearBrowser",
+ "identityVerdict": "degraded",
+ "nodes": [
+ {
+ "nodeId": "app.bearbrowser",
+ "nodeKind": "app",
+ "displayName": "BearBrowser",
+ "processId": 54990,
+ "bundleOrPackageId": "application.dev.sourceos.BearBrowser",
+ "verificationVerdict": "valid"
+ },
+ {
+ "nodeId": "child.webcontent.54997",
+ "nodeKind": "browser-child",
+ "displayName": "WebContent",
+ "processId": 54997,
+ "bundleOrPackageId": "com.apple.WebKit.WebContent",
+ "verificationVerdict": "degraded"
+ },
+ {
+ "nodeId": "audit.webcontent.54997",
+ "nodeKind": "audit-token",
+ "displayName": "WebContent audit token",
+ "auditIdentity": "audit-token-unresolved",
+ "verificationVerdict": "ambiguous"
+ }
+ ],
+ "edges": [
+ {
+ "from": "app.bearbrowser",
+ "to": "child.webcontent.54997",
+ "relationship": "spawned"
+ },
+ {
+ "from": "child.webcontent.54997",
+ "to": "audit.webcontent.54997",
+ "relationship": "observed-as"
+ }
+ ],
+ "evidenceRefs": [
+ "urn:srcos:telemetry:te_invalid_product_id",
+ "urn:srcos:telemetry:te_audit_token_unresolved"
+ ],
+ "userVisibleImpact": "A browser child process launched, but its runtime identity could not be fully resolved.",
+ "remediationHint": "Verify child-process package identity, audit-token mapping, and broker registration before allowing page load."
+}
diff --git a/schemas/RuntimeIdentityGraph.json b/schemas/RuntimeIdentityGraph.json
new file mode 100644
index 0000000..f3df1c6
--- /dev/null
+++ b/schemas/RuntimeIdentityGraph.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/RuntimeIdentityGraph.json",
+ "title": "RuntimeIdentityGraph",
+ "description": "A runtime identity graph connecting process, package, executable, helper, broker, profile, session, and audit-token identity observations.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "observedAt",
+ "rootComponentRef",
+ "identityVerdict",
+ "nodes"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:runtime-identity-graph:" },
+ "type": { "const": "RuntimeIdentityGraph" },
+ "specVersion": { "type": "string" },
+ "observedAt": { "type": "string", "format": "date-time" },
+ "rootComponentRef": { "type": "string", "minLength": 1 },
+ "identityVerdict": { "enum": ["valid", "degraded", "missing", "ambiguous", "invalid", "unknown"] },
+ "nodes": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["nodeId", "nodeKind", "displayName"],
+ "properties": {
+ "nodeId": { "type": "string", "minLength": 1 },
+ "nodeKind": { "enum": ["app", "daemon", "xpc-service", "browser-child", "terminal-helper", "broker", "extension", "package", "profile", "session", "audit-token", "executable"] },
+ "displayName": { "type": "string", "minLength": 1 },
+ "processId": { "type": "integer", "minimum": 0 },
+ "bundleOrPackageId": { "type": "string" },
+ "executableDigest": { "type": "string" },
+ "auditIdentity": { "type": "string" },
+ "verificationVerdict": { "enum": ["valid", "degraded", "missing", "ambiguous", "invalid", "unknown"] }
+ }
+ }
+ },
+ "edges": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["from", "to", "relationship"],
+ "properties": {
+ "from": { "type": "string" },
+ "to": { "type": "string" },
+ "relationship": { "enum": ["spawned", "owns", "brokers", "uses-profile", "runs-as", "attests", "packages", "observed-as", "unknown"] }
+ }
+ }
+ },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleImpact": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From 34c89becce6d9486ce6d8e4b5680e525814ba10d Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 09:12:42 -0400
Subject: [PATCH 2/3] Use synthetic RuntimeIdentityGraph example
---
 examples/runtime_identity_graph.json | 40 ++++++++++++++--------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/examples/runtime_identity_graph.json b/examples/runtime_identity_graph.json
index dd96903..23436d5 100644
--- a/examples/runtime_identity_graph.json
+++ b/examples/runtime_identity_graph.json
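Review bot: `"from": { "type": "string" }` and `"to": { "type": "string" }` under `edges` accept the empty string and any name that matches no `nodeId`, so a graph with dangling or empty edges validates; JSON Schema cannot express that endpoints resolve to nodes or that `nodeId` values are unique, so those invariants belong in the validator, and the schema should at least require `"from": { "type": "string", "minLength": 1 }` and `"to": { "type": "string", "minLength": 1 }`. `"executableDigest": { "type": "string" }` is likewise unconstrained for the one field meant to identify an executable in an identity graph; pin the encoding, e.g. `"executableDigest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" }` if that is the project's digest convention. `evidenceRefs` items and `rootComponentRef` carry no `^urn:srcos:` pattern although `id` does, which looks inconsistent rather than intentional. Note also that `"format": "date-time"` on `observedAt` is annotation-only under draft 2020-12, so it is not enforced unless the validator (outside this hunk) opts into format assertions.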
@@ -1,51 +1,51 @@
 {
- "id": "urn:srcos:runtime-identity-graph:bearbrowser_001",
+ "id": "urn:srcos:runtime-identity-graph:synthetic-browser-001",
 "type": "RuntimeIdentityGraph",
 "specVersion": "2.0.0",
 "observedAt": "2026-05-06T22:37:03Z",
- "rootComponentRef": "urn:srcos:component:BearBrowser",
+ "rootComponentRef": "urn:srcos:component:synthetic-browser-surface",
 "identityVerdict": "degraded",
 "nodes": [
 {
- "nodeId": "app.bearbrowser",
+ "nodeId": "app.synthetic-browser",
 "nodeKind": "app",
- "displayName": "BearBrowser",
- "processId": 54990,
- "bundleOrPackageId": "application.dev.sourceos.BearBrowser",
+ "displayName": "Synthetic Browser Surface",
+ "processId": 1000,
+ "bundleOrPackageId": "application.example.synthetic-browser",
 "verificationVerdict": "valid"
 },
 {
- "nodeId": "child.webcontent.54997",
+ "nodeId": "child.synthetic-content.1001",
 "nodeKind": "browser-child",
- "displayName": "WebContent",
- "processId": 54997,
- "bundleOrPackageId": "com.apple.WebKit.WebContent",
+ "displayName": "Synthetic Content Surface",
+ "processId": 1001,
+ "bundleOrPackageId": "application.example.synthetic-content",
 "verificationVerdict": "degraded"
 },
 {
- "nodeId": "audit.webcontent.54997",
+ "nodeId": "audit.synthetic-content.1001",
 "nodeKind": "audit-token",
- "displayName": "WebContent audit token",
+ "displayName": "Synthetic content audit token",
 "auditIdentity": "audit-token-unresolved",
 "verificationVerdict": "ambiguous"
 }
 ],
 "edges": [
 {
- "from": "app.bearbrowser",
- "to": "child.webcontent.54997",
+ "from": "app.synthetic-browser",
+ "to": "child.synthetic-content.1001",
 "relationship": "spawned"
 },
 {
- "from": "child.webcontent.54997",
- "to": "audit.webcontent.54997",
+ "from": "child.synthetic-content.1001",
+ "to": "audit.synthetic-content.1001",
 "relationship": "observed-as"
 }
 ],
 "evidenceRefs": [
- "urn:srcos:telemetry:te_invalid_product_id",
- "urn:srcos:telemetry:te_audit_token_unresolved"
+ "urn:srcos:telemetry:synthetic-identity-degraded",
+ "urn:srcos:telemetry:synthetic-audit-token-unresolved"
 ],
- "userVisibleImpact": "A browser child process launched, but its runtime identity could not be fully resolved.",
- "remediationHint": "Verify child-process package identity, audit-token mapping, and broker registration before allowing page load."
+ "userVisibleImpact": "A synthetic child surface launched, but its runtime identity could not be fully resolved.",
+ "remediationHint": "Verify child-surface package identity, audit-token mapping, and broker registration before allowing page load."
 }
From d918f86dd9312fe66cd66d4175bea23811da7f29 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 09:13:21 -0400
Subject: [PATCH 3/3] Validate RuntimeIdentityGraph pair
---
 tools/validate_runtime_causality_examples.py | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/tools/validate_runtime_causality_examples.py b/tools/validate_runtime_causality_examples.py
index 3b6cb1b..d0496b5 100644
--- a/tools/validate_runtime_causality_examples.py
+++ b/tools/validate_runtime_causality_examples.py
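Review bot: The `audit.synthetic-content.1001` node still carries `"auditIdentity": "audit-token-unresolved"`, a sentinel spelled as a value in the identity field, so a consumer that treats any non-empty `auditIdentity` as a resolved identity would read "unresolved" as a real identifier. The schema leaves `auditIdentity` optional, so the example should omit the field and let `verificationVerdict` (`"missing"` or the present `"ambiguous"`) carry the unresolved state, keeping identity fields free of magic strings. Separately, patch 1 of this series commits the non-synthetic example (process ids 54990/54997, the `com.apple.WebKit.WebContent` bundle id and the `te_*` telemetry refs) before patch 2 replaces it; if that data was captured from a real host, squashing the two patches keeps it out of history.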
@@ -13,16 +13,13 @@
 (ROOT / "schemas" / "SecurityVerdictState.json", ROOT / "examples" / "security_verdict_state.json"),
 (ROOT / "schemas" / "NetworkTruthState.json", ROOT / "examples" / "network_truth_state.json"),
 (ROOT / "schemas" / "BrowserLaunchTransaction.json", ROOT / "examples" / "browser_launch_transaction.json"),
+ (ROOT / "schemas" / "RuntimeIdentityGraph.json", ROOT / "examples" / "runtime_identity_graph.json"),
 (ROOT / "schemas" / "DesktopServiceBrokerState.json", ROOT / "examples" / "desktop_service_broker_state.json"),
 (ROOT / "schemas" / "MaintenanceEpoch.json", ROOT / "examples" / "maintenance_epoch.json"),
 (ROOT / "schemas" / "RuntimeRegistryIntegrityRecord.json", ROOT / "examples" / "runtime_registry_integrity_record.json"),
 (ROOT / "schemas" / "BootSessionPhaseState.json", ROOT / "examples" / "boot_session_phase_state.json"),
 (ROOT / "schemas" / "DiagnosticStormRecord.json", ROOT / "examples" / "diagnostic_storm_record.json"),
 ]
-DEFERRED = [
- "schemas/RuntimeIdentityGraph.json",
- "examples/runtime_identity_graph.json",
-]
 def validate_pair(schema_path: Path, example_path: Path) -> None:
@@ -37,7 +34,7 @@ def main() -> int:
 for schema_path, example_path in PAIRS:
 validate_pair(schema_path, example_path)
 checks[example_path.name] = True
- print(json.dumps({"ok": all(checks.values()), "checks": checks, "deferred": DEFERRED}, indent=2, sort_keys=True))
+ print(json.dumps({"ok": all(checks.values()), "checks": checks}, indent=2, sort_keys=True))
 return 0
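Review bot: Adding `RuntimeIdentityGraph.json` to `PAIRS` only checks the example against the schema, and the schema cannot state that every `edges[].from`/`to` names an existing `nodeId` or that `nodeId` values are unique, so a graph with dangling edges now passes this tool even though it is the artifact a consumer would act on. I would add a small referential check and run it for this pair right after `validate_pair` in `main` (the body of `validate_pair` is outside the hunk), as sketched below; `json` is already imported here. The `"ok"` value in the printed summary is also vacuously true: `validate_pair` returns `None`, so a failure can only surface as an exception, and `checks` never holds a `False`; that is pre-existing, but a comment such as `# ok is always True when reached: validate_pair raises on the first failing pair` would stop a reader from trusting it as a pass/fail signal.
```python
def _check_graph_references(graph: dict) -> None:
    """Reject duplicate nodeIds and edge endpoints that name no node; JSON Schema cannot express either."""
    node_ids = [node["nodeId"] for node in graph["nodes"]]
    if len(node_ids) != len(set(node_ids)):
        raise ValueError("RuntimeIdentityGraph: duplicate nodeId")
    known = set(node_ids)
    for edge in graph.get("edges", []):
        for end in ("from", "to"):
            if edge[end] not in known:
                raise ValueError(f"RuntimeIdentityGraph: edge {end}={edge[end]!r} names no node")


# … unchanged: def main() header and the loop over PAIRS …
        validate_pair(schema_path, example_path)
        if example_path.name == "runtime_identity_graph.json":
            _check_graph_references(json.loads(example_path.read_text(encoding="utf-8")))
        checks[example_path.name] = True
```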