{"version": 2, "width": 80, "height": 24, "timestamp": 1782291853, "idle_time_limit": 2.0, "env": {"SHELL": "/bin/bash", "TERM": "unknown"}, "title": "InnerWarden Execution Gate — live enforce proof (test001, k6.8)"}
[0.004215, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ InnerWarden Execution Gate — kernel-enforced exec allowlist\r\n──────────────────────────────────────────────────────────\r\n"]
[1.007897, "o", "innerwarden 0.15.24\r\n"]
[1.009539, "o", "host: test001  ·  Linux 6.8.0-124-generic  ·  x86_64  ·  no containers\r\n"]
[2.510904, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ The gate ships INERT in the open-source sensor (OFF by default)\r\n──────────────────────────────────────────────────────────\r\n"]
[3.573026, "o", "mode: Disarmed\r\n"]
[3.573295, "o", "entries: 1267 (safe=1267, pending-review=0)\r\nboot-essentials on disk: 21 ; unseeded: 0\r\nsafe to arm (all essentials seeded).\r\n"]
[5.075181, "o", "\r\n──────────────────────────────────────────────────────────\r\n"]
[5.075412, "o", "▶ Pre-arm safety: rehearse must report ZERO would-deny\r\n──────────────────────────────────────────────────────────\r\n"]
[6.16152, "o", "rehearsal: 36 candidate exec path(s) checked against 3133 enforced path-hash(es)\r\n✓ zero-deny — every boot-essential and currently-running binary is covered. SAFE to arm.\r\n"]
[8.163639, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ ARM in ENFORCE  (paid — requires an Active Defence license)\r\n"]
[8.163676, "o", "──────────────────────────────────────────────────────────\r\n"]
[9.167345, "o", "\u001b[2m2026-06-24T09:04:22.410399Z\u001b[0m \u001b[33m WARN\u001b[0m \u001b[2minnerwarden_ad_common::license\u001b[0m\u001b[2m:\u001b[0m using development license key - signature check skipped\r\n\u001b[2m2026-06-24T09:04:22.410417Z\u001b[0m \u001b[32m INFO\u001b[0m \u001b[2minnerwarden_ad_common::license\u001b[0m\u001b[2m:\u001b[0m license validated \u001b[3mcustomer\u001b[0m\u001b[2m=\u001b[0mtest001-lab \u001b[3mhost\u001b[0m\u001b[2m=\u001b[0m* \u001b[3mvalid_until\u001b[0m\u001b[2m=\u001b[0m2027-06-24 09:02:26.579230251 UTC \u001b[3mfeatures\u001b[0m\u001b[2m=\u001b[0m[LsmAdvanced]\r\n"]
[9.252164, "o", "gate ARMED (ENFORCE) for customer test001-lab — 3133 path-hashes loaded (allowlist /etc/innerwarden/exec_allowlist.json, hashes /etc/innerwarden/exec_allowlist.hashes).\r\n"]
[10.314655, "o", "mode: Armed\r\n"]
[10.314971, "o", "entries: 1267 (safe=1267, pending-review=0)\r\nboot-essentials on disk: 21 ; unseeded: 0\r\nsafe to arm (all essentials seeded).\r\n"]
[11.816883, "o", "\r\n"]
[11.816926, "o", "──────────────────────────────────────────────────────────\r\n▶ A KNOWN, allowlisted binary still runs\r\n──────────────────────────────────────────────────────────\r\n"]
[12.819885, "o", "   /bin/echo executed  ->  ALLOWED by the gate\r\n"]
[14.321662, "o", "\r\n──────────────────────────────────────────────────────────\r\n"]
[14.321698, "o", "▶ An UNKNOWN binary is BLOCKED at exec — in the kernel\r\n──────────────────────────────────────────────────────────\r\n"]
[15.325504, "o", "$ /tmp/unknown_intruder   # same bytes as echo, unknown path\r\n"]
[15.325898, "o", "/tmp/iw_gate_proof.sh: line 35: /tmp/unknown_intruder: Operation not permitted\r\n"]
[15.326458, "o", "   ->  DENIED: exec blocked by the kernel gate (-EPERM)\r\n"]
[17.327569, "o", "\r\n──────────────────────────────────────────────────────────\r\n▶ DISARM — the safety valve (no license needed to turn off)\r\n──────────────────────────────────────────────────────────\r\n"]
[18.334708, "o", "gate DISARMED (LSM_POLICY key 3 -> 0, in-process).\r\n"]
[19.336496, "o", "Same binary now runs again (gate is off):\r\n"]
[19.337477, "o", "   box healthy — gate disarmed\r\n"]
[19.33887, "o", "\r\n"]
[19.339108, "o", "──────────────────────────────────────────────────────────\r\n▶ Result: unknown exec blocked in-kernel · known allowed · clean disarm\r\n──────────────────────────────────────────────────────────\r\n"]
[20.34079, "o", "The moat: an allowlist the agent cannot bypass, enforced below userspace.\r\n"]
