Stentorian Guard

When a compromised dependency tries to phone home, Guard severs the line.

// outbound denied

Every tool runs code you did not write.

Build scripts, test fixtures, deploy helpers, and vendored CLIs can all try to reach the network. Guard wraps the command, denies unreviewed outbound calls, and leaves a local audit trail.

~/work/my-app
~ $ stt-guard wrap cargo build --releaserepresentative transcript   Compiling proc-macro2 v1.0.82   Compiling syn v2.0.66   Compiling fast-helper-sys v0.6.3   Running build script for fast-helper-sysnetwork denied  build-script-build → 178.62.45.211:9001
                   process : target/debug/build/.../build-script-build
                   parent  : cargo build --release
                   reason  : confirmed-deny policy matcherror: failed to run custom build command for `fast-helper-sys v0.6.3`error: build script exited with status 1 ~ $ stt-guard status denials 9f3b...  178.62.45.211 (port 9001)  source_kind=confirmed-deny~ $ 

// under the hood

Layered checks. Written in Rust.

Guard stays in user space, but not on one check. The CLI, daemon, signed snapshots, hook, and exec classification share the boundary.

$acme.sh
without Guard
$acme.sh
Unrestricted Process
C2
With guard
$acme.sh
stt-guard wrap
Interposed Process
stt-guard-daemon
C2
C2

// security architecture

Tamper, spoof, bypass: DENIED.

Guard assumes wrapped code may try to tamper, spoof, bypass libc, or race the daemon. Enforcement is split across signed snapshots, authenticated IPC, exec-tier checks, and fail-closed paths.

  • sudo init

    Tamper-resistant install

    Setup deploys root-owned binaries under /usr/local/libexec/stt-guard/, creates the _stt_guard service user, and starts a root-managed LaunchDaemon.

  • daemon

    Authenticated policy core

    The daemon owns state, snapshots, and logs as _stt_guard. A reachable socket is not enough; peers are checked with audit tokens, codesign identity, and message policy.

  • signer

    Non-forgeable policy authority

    A non-exportable Secure Enclave P-256 key signs trusted policy artifacts. The daemon can verify signatures, but does not hold a private key malware could steal or forge with.

  • exec tiers

    Bypass-aware child checks

    Before exec, Guard classifies the target. Reviewed runtimes and clean scripts continue; hardened runtime, privilege escalation, unsupported formats, and raw-syscall patterns are blocked.

  • hook

    Fail-closed enforcement path

    The injected dylib verifies its signed per-run snapshot and enforces locally on cache hits. Invalid snapshots, untrusted signatures, IPC timeouts, and coverage gaps become denies.

  • watchdog + logs

    Recovery and local evidence

    The watchdog checks daemon liveness. Denials, prompt outcomes, exec gaps, and persistence events are written to service-owned logs that wrapped user processes cannot casually rewrite.

// before you install

Short answers.

Is Guard a sandbox?

No. Guard is user-space interposition for stt-guard wrap process trees. It fails closed on known coverage gaps, but it is not a VM, kernel sandbox, or hermetic build environment.

Does Guard need root?

Yes, for the supported install. The installer uses sudo once to deploy root-owned binaries, create the _stt_guard service user, enroll a Secure Enclave rule-signing key, and run the daemon as a LaunchDaemon. wrap and status refuse to run if that hardened install is unhealthy.

Will it slow my installs?

Cache-hit network decisions stay under the 100µs hot-path budget, and most calls aren't network calls. Misses can pay IPC, DNS, or prompt latency.

What happens with hardened-runtime binaries?

Hardened-runtime binaries reject DYLD_INSERT_LIBRARIES by design. Guard treats that as a coverage gap and fails closed by blocking exec into unsupported hardened children from wrapped subtrees.

Does Guard fetch threat intel at runtime?

Nothing at runtime. Guard ships with reviewed OSV.dev malicious-package advisories and hand-curated abuse-pattern rules baked into the release artifact. Release automation refreshes those sources; the installed daemon does not pull feeds.

Will Guard send my data?

No. Guard has no analytics path, no cloud tier, and no runtime telemetry. Status and forensic data stay on the machine.

How is this different from npm audit?

Audit and SCA tools match known vulnerable or malicious packages in dependency metadata. Guard adds a runtime egress boundary: when an install script, dependency, CLI, or wrapped installer tries to connect out, policy decides before the connection leaves the machine. Keep audit and Dependabot; Guard covers a different moment.

What platforms are supported?

macOS is the supported target. Linux exists for development work only; Windows is not planned.

License?

MIT or Apache-2.0, your pick. Standard Rust dual-license.

// install

Cut off the phone line.

One command. Wrap your next install — and let the next dependency that tries to dial out hit a wall instead.

curl -fsSL https://stentorian.io/guard/install.sh | sh