{"version": 2, "width": 80, "height": 24, "timestamp": 1782318228, "idle_time_limit": 2.0, "env": {"SHELL": "/bin/bash", "TERM": "unknown"}, "title": "InnerWarden Execution Gate — agent-scoped (test001, OpenClaw)"}
[0.003147, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ InnerWarden Execution Gate — AGENT-SCOPED (spec 083): guard ONLY the AI agent\r\n"]
[0.003551, "o", "──────────────────────────────────────────────────────────\r\n"]
[1.007816, "o", "AI agent: OpenClaw gateway (pid 67946) in cgroup 0::/openclaw-agent\r\n"]
[1.010306, "o", "agent cgroup id = 23160   ·   host: test001  Linux 6.8.0-124-generic  x86_64\r\n"]
[2.51155, "o", "\r\n──────────────────────────────────────────────────────────"]
[2.511827, "o", "\r\n▶ 1. Scope the gate to the agent's cgroup (no license — paywall is on arm)\r\n──────────────────────────────────────────────────────────\r\n"]
[3.515194, "o", "pid 67946 -> /sys/fs/cgroup/openclaw-agent (cgroup id 23160)\r\nagent-scope ON (LSM_POLICY key 4 = 1) — once armed, the gate enforces ONLY inside 1 cgroup(s); the rest of the host is ungated.\r\nnext: `exec-gate arm --apply` to enforce. Scoping alone is inert until the gate is armed.\r\n"]
[3.515445, "o", "EXEC_GATE_SCOPE map (the agent's cgroup id, little-endian):\r\n"]
[3.52086, "o", "key: 78 5a 00 00 00 00 00 00  value: 01\r\nFound 1 element\r\n"]
[3.521307, "o", "LSM_POLICY key 4 (scope flag = 1):\r\n"]
[3.526057, "o", "key: 04 00 00 00  value: 01 00 00 00\r\nkey: 03 00 00 00  value: 00 00 00 00\r\n"]
[5.027636, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ 2. ARM the gate in ENFORCE (paid — Active Defence license)\r\n──────────────────────────────────────────────────────────\r\n"]
[6.1123, "o", "\u001b[2m2026-06-24T16:23:54.264742Z\u001b[0m \u001b[32m INFO\u001b[0m \u001b[2minnerwarden_ad_common::license\u001b[0m\u001b[2m:\u001b[0m license validated \u001b[3mcustomer\u001b[0m\u001b[2m=\u001b[0mtest001-lab \u001b[3mhost\u001b[0m\u001b[2m=\u001b[0m* \u001b[3mvalid_until\u001b[0m\u001b[2m=\u001b[0m2027-06-24 09:02:26.579230251 UTC \u001b[3mfeatures\u001b[0m\u001b[2m=\u001b[0m[LsmAdvanced]\r\ngate ARMED (ENFORCE) for customer test001-lab — 3147 path-hashes loaded (allowlist /etc/innerwarden/exec_allowlist.json, hashes /etc/innerwarden/exec_allowlist.hashes).\r\n"]
[7.623777, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ 3. On the HOST (outside the agent's cgroup): the unknown binary RUNS\r\n──────────────────────────────────────────────────────────\r\n"]
[8.627358, "o", "$ /tmp/rogue-tool\r\n"]
[8.628182, "o", "   ran on the host -> ALLOWED (the host is NOT gated)\r\n"]
[10.129529, "o", "\r\n"]
[10.129908, "o", "──────────────────────────────────────────────────────────\r\n▶ 4. INSIDE the agent's cgroup: the SAME unknown binary is BLOCKED in-kernel\r\n──────────────────────────────────────────────────────────\r\n"]
[11.135463, "o", "$ (join the agent cgroup, then exec) /tmp/rogue-tool\r\n"]
[11.144357, "o", "   -> DENIED: Operation not permitted (-EPERM, kernel gate)\r\nbash: line 1: /tmp/rogue-tool: Success\r\n"]
[13.146017, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ 5. A KNOWN (allowlisted) binary still runs inside the agent's cgroup\r\n──────────────────────────────────────────────────────────"]
[13.146405, "o", "\r\n"]
[14.163896, "o", "   /bin/echo ran inside the agent cgroup -> ALLOWED\r\n"]
[15.666221, "o", "\r\n──────────────────────────────────────────────────────────"]
[15.66656, "o", "\r\n▶ 6. Disarm + unscope (back to host-wide, no license needed)\r\n──────────────────────────────────────────────────────────\r\n"]
[16.672288, "o", "gate DISARMED (LSM_POLICY key 3 -> 0, in-process).\r\n"]
[16.674625, "o", "agent-scope CLEARED — the gate is host-wide again (LSM_POLICY key 4 = 0).\r\n"]
[16.678169, "o", "\r\n"]
[16.678456, "o", "──────────────────────────────────────────────────────────\r\n▶ Result: the agent's exec surface is locked to the allowlist; the host is untouched\r\n──────────────────────────────────────────────────────────"]
[16.678623, "o", "\r\n"]
[17.680225, "o", "Agent-scoped zero-trust: a hijacked OpenClaw can only run pre-authorized\r\nbinaries, enforced in the kernel, while apt/certbot/containers run free.\r\n"]
