Releases: ByteYellow/AgentProvenance

v0.3.0 — MCP server, web dashboard, expanded eBPF sensor

28 Jun 15:29

Builds on v0.2.0 (native eBPF sensor + hardened provenance gates).

Highlights

AI surface

  • Stdio MCP server (agentprov ai mcp, JSON-RPC 2.0) over the same internal/aitools catalog as the provider adapters — one contract, no drift.
  • Context-write tools (bind_scope, record_tool_call): an agent can assert its own app-side context, app-asserted only — never fabricating system events or signatures.
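
A minimal sketch of the context-write path, added here as an illustration and not taken from the agentprov ai mcp implementation: a newline-framed JSON-RPC 2.0 handler for the MCP tools/call method that accepts only catalog tools, stamps every record app_asserted, and refuses argument names that would let an agent pose as the sensor or the signer. The two tool names come from the page; the record shape, the refused-field list, and the omission of the MCP initialize handshake are assumptions made for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// JSON-RPC 2.0 wire shapes. The id is kept raw so it is echoed back unchanged.
type rpcRequest struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params"`
}

type rpcError struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

type rpcResponse struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id"`
	Result  any             `json:"result,omitempty"`
	Error   *rpcError       `json:"error,omitempty"`
}

// MCP tools/call params: {"name": ..., "arguments": {...}}.
type toolCall struct {
	Name      string         `json:"name"`
	Arguments map[string]any `json:"arguments"`
}

// ContextRecord is the assumed shape of what a context-write tool stores.
// Provenance is fixed to app_asserted: nothing written here is a system event.
type ContextRecord struct {
	Tool       string
	Args       map[string]any
	Provenance string
}

// catalog stands in for the shared internal/aitools tool list (tool names from the page).
var catalog = map[string]bool{"bind_scope": true, "record_tool_call": true}

// systemOnlyFields are assumed names of fields only the sensor or the signer may set.
var systemOnlyFields = map[string]bool{"source": true, "signature": true, "kernel_event": true}

// Server collects the context records written through the MCP surface.
type Server struct{ Records []ContextRecord }

// Handle dispatches one request and returns the response to write back.
func (s *Server) Handle(req rpcRequest) rpcResponse {
	resp := rpcResponse{JSONRPC: "2.0", ID: req.ID}
	if req.JSONRPC != "2.0" || req.Method == "" {
		resp.Error = &rpcError{-32600, "invalid request"}
		return resp
	}
	if req.Method != "tools/call" {
		resp.Error = &rpcError{-32601, "method not found: " + req.Method}
		return resp
	}
	var tc toolCall
	if err := json.Unmarshal(req.Params, &tc); err != nil {
		resp.Error = &rpcError{-32602, "invalid params: " + err.Error()}
		return resp
	}
	if !catalog[tc.Name] {
		resp.Error = &rpcError{-32602, "unknown tool " + tc.Name}
		return resp
	}
	// Refuse arguments that would let the agent pose as the sensor or the signer.
	for k := range tc.Arguments {
		if systemOnlyFields[k] {
			resp.Error = &rpcError{-32602, "refusing system-side field " + k}
			return resp
		}
	}
	s.Records = append(s.Records, ContextRecord{Tool: tc.Name, Args: tc.Arguments, Provenance: "app_asserted"})
	resp.Result = map[string]any{"content": []map[string]string{{"type": "text", "text": "recorded " + tc.Name}}}
	return resp
}

// HandleLine is the stdio framing: one JSON-RPC message per line in, one per line out.
func (s *Server) HandleLine(line string) string {
	var req rpcRequest
	if err := json.Unmarshal([]byte(line), &req); err != nil {
		return encode(rpcResponse{JSONRPC: "2.0", ID: json.RawMessage("null"), Error: &rpcError{-32700, "parse error"}})
	}
	return encode(s.Handle(req))
}

func encode(r rpcResponse) string { b, _ := json.Marshal(r); return string(b) }

func main() {
	s := &Server{}
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		if line := strings.TrimSpace(sc.Text()); line != "" {
			fmt.Println(s.HandleLine(line))
		}
	}
}
```

Pipe one request per line into the binary to try it. The refused-field list is a stand-in for whatever schema validation the real catalog applies; the property worth keeping is that the context-write surface cannot express a kernel event or a signature at all, so a compromised agent can only ever add app-side claims.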

Web dashboard (agentprov dashboard serve)

  • Local, read-only, single-page view over the verifiable graph: the causality DAG (model intent → action → policy → risk → response) as the signature panel, plus verify/signature status, signals/risk, paged timeline, process tree, and egress (with resolved DNS). Embedded UI, no external assets.

Expanded native eBPF sensor (validated live on an arm64 lab VM)

  • Sensitive file reads → secret_path (reading a credential file is no longer invisible).
  • Privilege escalation: setuid / setgid / ptrace; file tamper: rename / unlink.
  • DNS via getaddrinfo uprobe; TLS plaintext → privacy-safe HTTP metadata + llm_call pairing; process_exit closes correlation windows.
  • In-kernel noise filtering before ring-buffer reserve, fixing a containerd-teardown firehose that dropped real events.

Policy — privilege-escalation rules: ptrace and setuid/setgid-to-root → quarantine (without flagging the runtime's benign privilege drop).
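
As an added example (not the project's rule engine), the decision the rule above has to make, over a constructed event shape whose field names are assumptions: the direction of the uid/gid transition decides the verdict, so the entrypoint dropping from root to an unprivileged id is allowed, while an unprivileged process calling setuid(0) is quarantined even when the kernel refused the call, and any ptrace request is quarantined.

```go
package main

import "fmt"

// SensorEvent is an assumed, simplified shape of one native sensor record; the
// real agentprov-sensor JSONL fields are not listed on the page.
type SensorEvent struct {
	Type   string // "setuid", "setgid", "ptrace", "exec", ...
	Comm   string // process name
	PID    int
	OldID  uint32 // uid or gid before the call (setuid/setgid only)
	NewID  uint32 // uid or gid requested
	Target int    // ptrace target pid
	Ret    int    // syscall return value: 0 on success, negative errno on failure
}

// Decision is one policy -> response outcome for an event.
type Decision struct {
	Response string // "quarantine" or "allow"
	Rule     string // empty when no privilege rule applies
	Reason   string
}

// EvaluatePrivilege applies the v0.3.0 rule described above: ptrace and a
// setuid/setgid transition to root quarantine; a drop from root is benign.
func EvaluatePrivilege(ev SensorEvent) Decision {
	who := fmt.Sprintf("pid %d (%s)", ev.PID, ev.Comm)
	switch ev.Type {
	case "ptrace":
		return Decision{"quarantine", "priv_esc.ptrace",
			fmt.Sprintf("%s requested ptrace on pid %d", who, ev.Target)}
	case "setuid", "setgid":
		switch {
		case ev.NewID == 0 && ev.OldID != 0:
			// A refused attempt (EPERM) is still an escalation attempt worth quarantining.
			outcome := "succeeded"
			if ev.Ret != 0 {
				outcome = fmt.Sprintf("failed (ret=%d)", ev.Ret)
			}
			return Decision{"quarantine", "priv_esc." + ev.Type + "_to_root",
				fmt.Sprintf("%s %s %d->0 %s", who, ev.Type, ev.OldID, outcome)}
		case ev.OldID == 0 && ev.NewID != 0:
			// The runtime entrypoint dropping root before exec'ing the agent.
			return Decision{"allow", "priv_drop.benign",
				fmt.Sprintf("%s %s 0->%d", who, ev.Type, ev.NewID)}
		default:
			return Decision{"allow", "priv_change.non_root",
				fmt.Sprintf("%s %s %d->%d", who, ev.Type, ev.OldID, ev.NewID)}
		}
	}
	return Decision{Response: "allow", Reason: "not a privilege event"}
}

// Evaluate runs the rule over a stream and keeps the decisions where a rule matched.
func Evaluate(events []SensorEvent) []Decision {
	var out []Decision
	for _, ev := range events {
		if d := EvaluatePrivilege(ev); d.Rule != "" {
			out = append(out, d)
		}
	}
	return out
}

func main() {
	// Constructed sample stream: runtime privilege drop, agent exec, a refused
	// setuid(0) from the agent, and a debugger attach.
	events := []SensorEvent{
		{Type: "setuid", Comm: "entrypoint", PID: 101, OldID: 0, NewID: 1000},
		{Type: "exec", Comm: "python3", PID: 102},
		{Type: "setuid", Comm: "python3", PID: 102, OldID: 1000, NewID: 0, Ret: -1},
		{Type: "ptrace", Comm: "gdb", PID: 103, Target: 102},
	}
	for _, d := range Evaluate(events) {
		fmt.Printf("%-10s %-24s %s\n", d.Response, d.Rule, d.Reason)
	}
}
```

Keying the rule on the before/after pair rather than on the syscall name is what keeps the runtime's own drop from tripping it; a sensor that only reports "setuid was called" cannot make that distinction.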

Docs — refreshed README + architecture SVGs.

Known gaps / follow-ups (honest)

  • DNS: getaddrinfo (glibc) is validated; the universal UDP / musl path is partial.
  • ptrace probe loads but was not triggered in test.
  • Sensor is arm64 only; IPv6/UDP, HTTP/2 HPACK decode, and multi-arch (x86) are follow-ups.

v0.2.0 - Native eBPF Sensor Ingest and Hardened Provenance Gates

27 Jun 13:12
a297f38

Native eBPF Sensor Ingest and Hardened Provenance Gates

This release adds AgentProvenance's own Linux eBPF sensor and wires its telemetry
end to end into the correlation -> risk -> unified-signal pipeline, plus a round
of provenance/correlation hardening and adversarial acceptance gates. It is a
feature milestone on top of v0.1.0, not yet v1 (see Boundary).

Highlights

  • Self-owned eBPF sensor for exec / file-write / network-connect telemetry
    (cmd/agentprov-sensor, internal/sensor; CO-RE, Linux). Verified live on a
    Linux lab VM against a real container (genuine kernel events, not fixtures).
  • Native sensor JSONL ingest into the provenance/risk pipeline: the sensor's
    normalized output is auto-detected (--format native, source=agentprov_ebpf)
    and flows through the same correlation -> policy -> risk -> unified security
    signal path as Falco/Tetragon. Supports piping the sensor straight into ingest
    (agentprov-sensor | agentprov telemetry ingest-jsonl --file -).
  • ToolCallScope correlation hardening: raw events need no tool_call_id;
    child / async / delayed events attribute to the original scope via
    container/cgroup + time window; correlation provenance is now labelled
    (self_observed vs kernel_correlated) so a self-join is not mistaken for
    independent corroboration.
  • Evidence tamper-detection acceptance: graph verify detects both an edited
    content-addressed object file (object_hash_mismatch) and a directly edited
    in-DB row (record_manifest_mismatch).
  • Reproducible sensor build: bpf2go bindings are committed, so a fresh Linux
    go build ./cmd/agentprov-sensor works without clang; scripts/regen-sensor.sh
    regenerates and drift-checks them.
  • Two-writer guard, concurrent-record graph-consistency test, and a
    fixed record crash when the .agentprov data dir lives inside the
    recorded workdir.
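
The native-ingest and scope-correlation points above, as one added Go example that is not the project's internal/sensor or correlation code: lines are accepted as native only when source is agentprov_ebpf (a Falco-format line in the same stream is left for the other ingest path), events that carry tool_call_id are the app's own claim and are labelled self_observed, events without one are attributed to a ToolCallScope by cgroup plus time window with a grace period for late children and labelled kernel_correlated, and corroboration requires both labels. The JSONL field names, the scope shape, the grace value and the sample lines are constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is an assumed native-sensor JSONL shape; the real agentprov-sensor
// field names are not listed on the page. encoding/json parses ts as RFC 3339.
type Event struct {
	Ts         time.Time `json:"ts"`
	Source     string    `json:"source"`
	Cgroup     string    `json:"cgroup"`
	Type       string    `json:"type"`
	ToolCallID string    `json:"tool_call_id,omitempty"`
}

// Scope is one tool call's attribution window (an assumed shape of ToolCallScope).
type Scope struct {
	ToolCallID, Cgroup string
	Start, End         time.Time
}

// Attribution records where the link from event to scope came from.
type Attribution struct {
	ToolCallID string
	Provenance string // "self_observed", "kernel_correlated" or "unattributed"
}

// ParseNative keeps the native-sensor lines of a mixed JSONL stream (source=agentprov_ebpf).
func ParseNative(jsonl string) ([]Event, error) {
	var out []Event
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		var head struct {
			Source string `json:"source"`
		}
		if line == "" || json.Unmarshal([]byte(line), &head) != nil || head.Source != "agentprov_ebpf" {
			continue // not native output (e.g. a Falco line); another ingest path owns it
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("native line: %w", err)
		}
		out = append(out, ev)
	}
	return out, sc.Err()
}

// Attribute links an event to a scope. An event carrying tool_call_id is the
// app's own claim (self_observed); one without is matched by cgroup and time
// window, with grace for delayed or async children (kernel_correlated).
func Attribute(ev Event, scopes []Scope, grace time.Duration) Attribution {
	if ev.ToolCallID != "" {
		return Attribution{ev.ToolCallID, "self_observed"}
	}
	var best *Scope
	for i := range scopes {
		s := &scopes[i]
		if s.Cgroup != ev.Cgroup || ev.Ts.Before(s.Start) || ev.Ts.After(s.End.Add(grace)) {
			continue
		}
		if best == nil || s.Start.After(best.Start) { // overlapping windows: newest scope wins
			best = s
		}
	}
	if best == nil {
		return Attribution{"", "unattributed"}
	}
	return Attribution{best.ToolCallID, "kernel_correlated"}
}

// IndependentlyCorroborated is true only when a scope has both labels. Two
// self_observed records for the same scope are a self-join, not corroboration.
func IndependentlyCorroborated(attrs []Attribution, toolCallID string) bool {
	seen := map[string]bool{}
	for _, a := range attrs {
		if a.ToolCallID == toolCallID {
			seen[a.Provenance] = true
		}
	}
	return seen["self_observed"] && seen["kernel_correlated"]
}

func main() {
	// Constructed JSONL: an app-asserted exec, a kernel connect inside the window,
	// a Falco-format line that is skipped, and a kernel unlink 2s after the window.
	events, err := ParseNative(`{"ts":"2025-06-27T10:00:00Z","source":"agentprov_ebpf","cgroup":"/k8s/agent","type":"exec","tool_call_id":"tc-1"}
{"ts":"2025-06-27T10:00:01Z","source":"agentprov_ebpf","cgroup":"/k8s/agent","type":"connect"}
{"rule":"Terminal shell in container","output":"constructed falco line","priority":"Notice"}
{"ts":"2025-06-27T10:00:07Z","source":"agentprov_ebpf","cgroup":"/k8s/agent","type":"unlink"}
`)
	if err != nil {
		panic(err)
	}
	start, _ := time.Parse(time.RFC3339, "2025-06-27T10:00:00Z")
	scopes := []Scope{{ToolCallID: "tc-1", Cgroup: "/k8s/agent", Start: start, End: start.Add(5 * time.Second)}}
	var attrs []Attribution
	for _, ev := range events {
		a := Attribute(ev, scopes, time.Second)
		attrs = append(attrs, a)
		fmt.Printf("%-7s %-18s %q\n", ev.Type, a.Provenance, a.ToolCallID)
	}
	fmt.Println("tc-1 independently corroborated:", IndependentlyCorroborated(attrs, "tc-1"))
}
```

The grace window is the knob to watch: too small and the async child's events fall out of the scope and become unattributed noise, too large and events from the next tool call in the same cgroup get pinned to the previous one. The label is what makes the difference auditable either way.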

CI gates (all green on this commit)

  • Go tests (go test ./...)
  • Phase 1 observability/provenance smoke
  • eBPF sensor builds from committed bindings
  • eBPF sensor bindings drift check

Boundary (read before relying on the security claim)

This release provides integrity, not tamper-evidence against a host-root
attacker. graph verify recomputes hashes from the local SQLite store, which a
root user on the host can edit and re-derive. Off-host capture-time anchoring
(KMS/TPM/transparency log), the Deploy 3 central evidence service, and
notification integrations remain explicitly scoped to v2. See
docs/v1-definition-of-done.md.
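
What the two graph verify mismatch classes from the Highlights detect, and why the Boundary above holds, as an added in-memory illustration rather than the project's SQLite-backed verifier: an edited object body no longer matches its content address (object_hash_mismatch), an edited row no longer matches its manifest hash (record_manifest_mismatch), and a party that can write both the object directory and the rows simply re-derives the hashes, after which the same verify is clean. The row encoding, field names and sample content are assumptions for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Record is an assumed shape of one evidence-graph row: an id, the content
// address of its object, metadata, and a manifest hash over those fields.
type Record struct {
	ID       string
	Object   string // sha256 hex of the object bytes; also its name in the store
	Metadata string
	Manifest string // sha256 hex of canonical(record)
}

// Store stands in for the object directory plus the SQLite rows, in memory.
type Store struct {
	Objects map[string][]byte // name (sha256 hex) -> bytes
	Rows    map[string]Record
}

// Finding is one verify failure: which record, which class of mismatch.
type Finding struct{ RecordID, Class string }

func NewStore() *Store { return &Store{Objects: map[string][]byte{}, Rows: map[string]Record{}} }

func sha(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }

// canonical is the row encoding the manifest hash commits to (an assumption).
func canonical(r Record) []byte {
	return []byte(strings.Join([]string{r.ID, r.Object, r.Metadata}, "\n"))
}

// Put stores an object and a row referencing it, deriving both hashes.
func (s *Store) Put(id string, content []byte, metadata string) Record {
	name := sha(content)
	s.Objects[name] = content
	r := Record{ID: id, Object: name, Metadata: metadata}
	r.Manifest = sha(canonical(r))
	s.Rows[id] = r
	return r
}

// Verify recomputes every hash from what is stored, as a local verify does:
// an edited row fails its manifest, an edited object fails its content address.
func (s *Store) Verify() []Finding {
	ids := make([]string, 0, len(s.Rows))
	for id := range s.Rows {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	var out []Finding
	for _, id := range ids {
		r := s.Rows[id]
		if sha(canonical(r)) != r.Manifest {
			out = append(out, Finding{id, "record_manifest_mismatch"})
		}
		obj, ok := s.Objects[r.Object]
		switch {
		case !ok:
			out = append(out, Finding{id, "object_missing"})
		case sha(obj) != r.Object:
			out = append(out, Finding{id, "object_hash_mismatch"})
		}
	}
	return out
}

// Rederive is what host root can do after editing: file the object under its
// new hash and recompute the manifest, so a local Verify is clean again. That is
// why off-host capture-time anchoring is the v2 item, not more local hashing.
func (s *Store) Rederive() {
	for id, r := range s.Rows {
		if obj, ok := s.Objects[r.Object]; ok && sha(obj) != r.Object {
			delete(s.Objects, r.Object)
			r.Object = sha(obj)
			s.Objects[r.Object] = obj
		}
		r.Manifest = sha(canonical(r))
		s.Rows[id] = r
	}
}

func main() {
	s := NewStore()
	r := s.Put("rec-1", []byte("curl http://169.254.169.254/\n"), "tool_call=tc-1")
	s.Objects[r.Object] = []byte("ls -la\n")                               // edit the object in place
	s.Rows["rec-1"] = Record{r.ID, r.Object, "tool_call=none", r.Manifest} // edit the row directly
	fmt.Println("after tamper:  ", s.Verify())
	s.Rederive()
	fmt.Println("after rederive:", s.Verify()) // []: local verify cannot tell
}
```

Anything that makes Rederive impossible has to live where the attacker cannot write: a signature over the manifest with a key held outside the host, or a copy of each manifest hash in an append-only log the host only appends to. That is the scope the page assigns to v2.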

v0.1.0 - Verifiable Provenance and Evidence for Sandboxed Agents

26 Jun 19:30

AgentProvenance v0.1.0 is an early infrastructure release for sandboxed agent execution provenance.

It focuses on correlating application-side agent context with bring-your-own runtime telemetry, then turning execution facts into a queryable, replayable, and auditable evidence graph. Evidence can be content-addressed, hash-verified, and signed for tamper-evidence.

What works

  • Zero-SDK command recording with agentprov record -- <command>.
  • Application context and runtime telemetry correlation through run/session/attempt/tool_call/process/container/cgroup/pid/time-window identity.
  • Timeline, observe, graph explain, graph verify, diff, blame, replay manifest, and evidence manifest commands.
  • Falco-compatible telemetry ingest path for BYO system telemetry.
  • Unified signals model for security, quality, cost, and behavior evidence.
  • Policy/risk/response linkage for metadata/private CIDR/secret-path style findings.
  • Forensics bundle export with sha256 and DSSE/in-toto-style signing support.
  • Daemon API foundations, including bearer-token auth and signal/query paths.
  • Python evaluator helper for external signal/reward/evaluator pipelines.
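
An added example, not the project's signing code, of what DSSE/in-toto-style signing of a bundle manifest means in practice: the signature is computed over the pre-authentication encoding (PAE), which binds the payload type to the payload bytes, so a swapped type, an edited payload or a different key all fail verification. Ed25519 from the Go standard library is used here; the keyid convention, the manifest bytes and the fixed demo seed are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
)

// Envelope is the DSSE envelope layout: payload and signatures are base64.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// PAE is the DSSE pre-authentication encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload.
// Signing this instead of the raw payload binds the type to the bytes.
func PAE(payloadType string, payload []byte) []byte {
	out := []byte("DSSEv1 " + strconv.Itoa(len(payloadType)) + " " + payloadType +
		" " + strconv.Itoa(len(payload)) + " ")
	return append(out, payload...)
}

// keyID is an assumed convention: hex sha256 of the raw public key bytes.
func keyID(pub ed25519.PublicKey) string {
	h := sha256.Sum256(pub)
	return hex.EncodeToString(h[:])
}

// Sign wraps a bundle manifest (any bytes) in a signed envelope.
func Sign(priv ed25519.PrivateKey, payloadType string, payload []byte) Envelope {
	sig := ed25519.Sign(priv, PAE(payloadType, payload))
	pub := priv.Public().(ed25519.PublicKey)
	return Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: keyID(pub), Sig: base64.StdEncoding.EncodeToString(sig)}},
	}
}

// Verify checks the signatures whose keyid matches pub and returns the payload
// only if at least one verifies over the recomputed PAE.
func Verify(pub ed25519.PublicKey, env Envelope) ([]byte, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	want := keyID(pub)
	pae := PAE(env.PayloadType, payload)
	for _, s := range env.Signatures {
		if s.KeyID != want {
			continue
		}
		sig, err := base64.StdEncoding.DecodeString(s.Sig)
		if err != nil {
			return nil, fmt.Errorf("sig: %w", err)
		}
		if ed25519.Verify(pub, pae, sig) {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("no valid signature for key %s", want[:12])
}

func main() {
	// Fixed seed so the demo is reproducible; real keys come from a KMS or a CSPRNG.
	seed := sha256.Sum256([]byte("demo-seed"))
	priv := ed25519.NewKeyFromSeed(seed[:])
	pub := priv.Public().(ed25519.PublicKey)
	manifest := []byte(`{"bundle":"run-1","files":{"timeline.jsonl":"sha256:0123abcd"}}`) // constructed
	env := Sign(priv, "application/vnd.in-toto+json", manifest)
	out, _ := json.MarshalIndent(env, "", "  ")
	fmt.Println(string(out))
	if _, err := Verify(pub, env); err != nil {
		panic(err)
	}
	env.Payload = base64.StdEncoding.EncodeToString([]byte(`{"bundle":"run-1","files":{}}`))
	_, err := Verify(pub, env)
	fmt.Println("edited payload:", err)
}
```

The manifest is only as useful as the hashes it lists: a verifier must also recompute the sha256 of each file in the bundle against the manifest entry, otherwise the signature proves the manifest is authentic while the files beside it could still have been swapped.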

Boundaries

  • This is not a production sandbox runtime, Kubernetes/Ray replacement, generic telemetry collector, LLM trace dashboard, or version-control system.
  • System telemetry is BYO in this release. Native eBPF/Falco/Tetragon sensor integration and Linux validation are planned for v0.2+.
  • Risk response is evidence/control-plane oriented; deeper runtime enforcement and Feishu/DingTalk adapters are later milestones.

Validation

Release checks passed locally:

go test ./...
python3 -m unittest discover -s python/tests
git diff --check
scripts/accept_unified_signals_attestation.sh