Stentorian Guard

// outbound denied

Every tool runs code you did not write.

Build scripts, test fixtures, deploy helpers, and vendored CLIs can all try to reach the network. Guard wraps the command, denies unreviewed outbound calls, and leaves a local audit trail.

~/work/my-app

~ $ stt-guard wrap cargo build --releaserepresentative transcript   Compiling proc-macro2 v1.0.82   Compiling syn v2.0.66   Compiling fast-helper-sys v0.6.3   Running build script for fast-helper-sysnetwork denied  build-script-build → 178.62.45.211:9001
                   process : target/debug/build/.../build-script-build
                   parent  : cargo build --release
                   reason  : confirmed-deny policy matcherror: failed to run custom build command for `fast-helper-sys v0.6.3`error: build script exited with status 1 ~ $ stt-guard status denials 9f3b...  178.62.45.211 (port 9001)  source_kind=confirmed-deny~ $

~ $ stt-guard wrap npm testrepresentative transcript> my-app@1.0.0 test> jest --runInBand PASS   src/util.test.ts  (3 tests) RUNS   src/integration.test.tsnetwork denied  node → c2.tinyurl-shop.xyz:443
                   process : node node_modules/event-stream-fork/index.js
                   parent  : jest --runInBand
                   reason  : suspect-deny policy match FAIL   src/integration.test.ts   ● dependency network call denied — see stt-guard status denialsTest Suites: 1 failed, 1 passed, 2 total ~ $ stt-guard status denials 17aa...  c2.tinyurl-shop.xyz (port 443)  source_kind=suspect-deny~ $

~ $ stt-guard wrap python ./scripts/deploy.py --env prodrepresentative transcriptloading config from ./deploy.ymlresolving image digests...network denied  python → 91.107.236.18:8443
                   process : python (importing requessts)
                   parent  : python ./scripts/deploy.py
                   reason  : raw-ip-no-dns hard ruleTraceback (most recent call last):  File "deploy.py", line 7, in <module>    import requesstsConnectionError: blocked by stt-guard ~ $ stt-guard status denials a81c...  91.107.236.18 (port 8443)  source_kind=raw-ip-no-dns~ $

~ $ stt-guard wrap ./vendor/repo-cli sync --allrepresentative transcriptrepo-cli 2.4.0 — syncing 14 repositories  ✓ resolved 14 remotes  ✓ fetched 12 of 14network denied  repo-cli → telemetry.repo-cli.io:443
                   process : ./vendor/repo-cli
                   parent  : stt-guard wrap ./vendor/repo-cli sync
                   reason  : default-deny policy matchrepo-cli: warning: telemetry endpoint unreachable, continuing  ✓ fetched 14 of 14✓ sync complete in 6.3s ~ $ stt-guard status denials bd42...  telemetry.repo-cli.io (port 443)  source_kind=default-deny~ $

// under the hood

Layered checks. Written in Rust.

Guard stays in user space, but not on one check. The CLI, daemon, signed snapshots, hook, and exec classification share the boundary.

Registers the root before user code starts.

entrypoint stt-guard wrap <cmd>

root-managed service Guard daemon

Owns state, verifies clients, and records daemon-backed decisions.

Freezes policy, threat intel, and fail-closed state.

signed input Per-run snapshot

wrapped subtree libc calls

interposition layer stt-guard-hook.dylib

decision order Policy tiers

DNS, connect, exec, and persistence calls pass through here.

Runtime choke point for the wrapped process tree.

Hard rules first; allow and deny tiers after.

local fast path In-process cache

Repeated decisions stay in-process with no IPC.

Coverage gaps and bypass patterns fail closed.

coverage gate Exec classifier

local evidence Forensic log

Denials, prompts, exec gaps, and persistence events stay local.

// security architecture

Tamper, spoof, bypass: denied.

Guard assumes wrapped code may try to tamper, spoof, bypass libc, or race the daemon. Enforcement is split across signed snapshots, authenticated IPC, exec-tier checks, and fail-closed paths.

sudo init

Tamper-resistant install

Setup deploys root-owned binaries under /usr/local/libexec/stt-guard/, creates the _stt_guard service user, and starts a root-managed LaunchDaemon.

daemon

Authenticated policy core

The daemon owns state, snapshots, and logs as _stt_guard. A reachable socket is not enough; peers are checked with audit tokens, codesign identity, and message policy.

signer

Non-forgeable policy authority

A non-exportable Secure Enclave P-256 key signs trusted policy artifacts. The daemon can verify signatures, but does not hold a private key malware could steal or forge with.

exec tiers

Bypass-aware child checks

Before exec, Guard classifies the target. Reviewed runtimes and clean scripts continue; hardened runtime, privilege escalation, unsupported formats, and raw-syscall patterns are blocked.

hook

Fail-closed enforcement path

The injected dylib verifies its signed per-run snapshot and enforces locally on cache hits. Invalid snapshots, untrusted signatures, IPC timeouts, and coverage gaps become denies.

watchdog + logs

Recovery and local evidence

The watchdog checks daemon liveness. Denials, prompt outcomes, exec gaps, and persistence events are written to service-owned logs that wrapped user processes cannot casually rewrite.

// what it isn't

A defense-in-depth layer, not a sandbox.

Loud about quality means honest about scope. Here's what Guard does not do.

It is not a sandbox.
Guard is user-space interposition for wrapped process trees. It fails closed on known coverage gaps, but it is not a VM, kernel sandbox, or hermetic build environment.
It is not system-wide.
Guard enforces inside stt-guard wrap subtrees. Processes launched outside that tree are outside the current enforcement scope.
It is not malware detection.
Guard does not decide whether code is safe. It denies outbound access by policy, threat intel, and default-deny rules.
It does not replace the rest of your supply-chain stack.
Keep lockfiles, audit tools, Dependabot/SCA, code review, and EDR. Guard adds a local egress boundary when code runs.

// support the work

Fund the next thing it catches.

If Guard blocks something you did not want, sponsorship helps pay for the release, review, and testing work behind that moment.

Recurring or one-off

GitHub Sponsors

Choose a one-time, monthly, or annual sponsorship. Contributions go directly to maintenance and release work.

Sponsor on GitHub

A monthly coffee is enough - if Guard blocks one install you would rather not explain later, that is a pretty good return on a coffee.If you'd rather not, starring the repo and spreading the word helps too; sponsorship does not change what the tool does or who it protects.

// before you install

Short answers.

Does Guard need root?

Yes, for the supported install. The installer uses sudo once to deploy root-owned binaries, create the _stt_guard service user, enroll a Secure Enclave rule-signing key, and run the daemon as a LaunchDaemon. wrap and status refuse to run if that hardened install is unhealthy.

Will it slow my installs?

Cache-hit network decisions stay under the 100µs hot-path budget, and most calls aren't network calls. Misses can pay IPC, DNS, or prompt latency.

What happens with hardened-runtime binaries?

Hardened-runtime binaries reject DYLD_INSERT_LIBRARIES by design. Guard treats that as a coverage gap and fails closed by blocking exec into unsupported hardened children from wrapped subtrees.

Does Guard fetch threat intel at runtime?

Nothing at runtime. Guard ships with reviewed OSV.dev malicious-package advisories and hand-curated abuse-pattern rules baked into the release artifact. Release automation refreshes those sources; the installed daemon does not pull feeds.

Will Guard send my data?

No. Guard has no analytics path, no cloud tier, and no runtime telemetry. Status and forensic data stay on the machine.

How is this different from npm audit?

Audit and SCA tools match known vulnerable or malicious packages in dependency metadata. Guard adds a runtime egress boundary: when an install script, dependency, CLI, or wrapped installer tries to connect out, policy decides before the connection leaves the machine. Keep audit and Dependabot; Guard covers a different moment.

What platforms are supported?

macOS is the supported target. Linux exists for development work only; Windows is not planned.

License?

MIT or Apache-2.0, your pick. Standard Rust dual-license.