ATLAS/TRUST MODEL/LIFECYCLE/THE CLEAN ROOM SHEET A / 01

The Clean Room

Four layers of validation — deterministic, content, sandbox, composition.

CLEAN ROOM PIPELINE — VALIDATION ACTIVITY
SHEET A / 01 CLEAN ROOM PIPELINE — VALIDATION ACTIVITY REJECT INTAKE Envelope arrives intake seam Intake v1 envelope seam Frozen contract between arc and registry Sigstore verify cosign + Rekor v2 SIG? FAIL PASS LAYER 0 — ATTRIBUTE GATE Required attributes README sanity Namespace conflict License recognised ALL PASS? HARD FAIL PASS LAYER 1 — DETERMINISTIC Manifest schema validate Capability canonicalise Capability canonicalisation Normalise paths, reject symlinks and .. Forbidden path denylist Static code scan LAYER 1.5 — COMPOSITION (bundles only) Resolve references → SHA-256 Union CapabilityDeclaration Dangerous-composition flags Compose-twin flags Static advisory for dangerous combos No nested bundles Reference-manifest model No nested bundles — flat references only LAYER 2 — CONTENT Secret / credential scan Injection pattern scan Encoded-payload decoder RE2 regex engine match_hash not raw echo (R12) LAYER 3 — QUARANTINE SANDBOX Tier topology capability-based Tier topology selector Risk level determines sandbox type: Wasmtime / CF Container / Firecracker Wasmtime ★ default tier CF Containers ● / ◆ network + Landlock Firecracker ○ / ◐ untrusted (via spawn) Execution Observer deterministic evidence LLM Narrator advisory only Counterfactual run behavioural divergence Counterfactual runs Divergence between runs = auto-flag Validation Report converged evidence OUTPUT Validation report + reviewer checklist Append to audit log hash-chained + Rekor witness FIVE VALIDATION LAYERS, THREE SANDBOX TIERS, DUAL EVIDENCE PATHS Intake seam · Tier topology · Counterfactual analysis · Capability canonicalisation · Reference-manifest verification
L0 · ATTRIBUTE GATE

Layer 0 — Attribute Gate

Before any expensive analysis runs, the clean room applies the attribute gate — a cheap lint that checks the submission envelope. Required attributes per blueprint type, a valid README, license declaration, namespace conflict check, and rate-limit enforcement all happen here.

If the gate rejects, nothing downstream runs. This keeps the cost of spam and malformed submissions near zero. The gate appends its decision to the hash-chained audit log before passing control to L1.

L1 · DETERMINISTIC ANALYSIS

Layer 1 — Deterministic Analysis

Layer 1 runs static code scans and manifest schema validation. Every capability declared in the manifest is compared against what the code actually imports or calls. Canonicalisation normalises the bundle into a standard form so that obfuscation tricks (whitespace, encoding, dead-code wrapping) don’t bypass the scanner.

For bundles (multi-blueprint packages), L1.5 adds composition checks: reference resolution, union capability analysis, and compose-twin flags. A bundle whose combined capabilities exceed the sum of its parts is flagged automatically.

L2 · CONTENT SCAN

Layer 2 — Content Scan

Content scanning targets what static analysis misses. Three sub-passes run in sequence:

Secret detection — regex + entropy scan for API keys, tokens, credentials, and PII accidentally bundled into the blueprint.

Injection pattern scan — known prompt-injection templates, shell-escape sequences, and path-traversal payloads matched against an open-source rule set.

Decoder chain (RE2) — multi-layer encoding detection. Base64-wrapped payloads, hex-encoded strings, and nested encodings are unwrapped and re-scanned. The RE2 engine guarantees linear-time matching with no catastrophic backtracking.

L3 · QUARANTINE SANDBOX

Layer 3 — Quarantine Sandbox

The blueprint is executed in an isolated environment — the aquarium — where it believes it owns a real machine but actually sees only decoy data. Two runs execute with different decoy sets. If the blueprint’s behaviour diverges between runs, it is auto-flagged: a well-behaved blueprint should produce the same outputs regardless of the decoy environment.

An Execution Observer (deterministic, source of truth) records every syscall, network request, and file operation. An LLM Narrator provides advisory commentary but is never authoritative — on disagreement, the Observer wins.

ADVERSARY COVERAGE

Defends against

ADVERSARY MATRIX
  • A1 — Capability escalation — declaring fewer capabilities than actually used
  • A2 — Obfuscated payloads — base64-wrapped or encoded malicious code
  • A3 — Data exfiltration — covert channels via DNS, HTTP, or filesystem
  • A4 — Prompt injection — embedded instructions that hijack downstream agents
  • A5 — Supply-chain substitution — replacing a dependency after review
  • A6 — Time-bomb activation — benign on first run, malicious on Nth run
  • A7 — Credential harvesting — reading secrets from the host environment
  • A8 — Sandbox detection — altering behaviour when isolation is detected
  • A9 — Composition exploit — safe alone, malicious when bundled together
  • A10 — Reviewer fatigue — burying malice in a large, boring submission
← Back to Lifecycle Trust Model →