v0.3.0 — MCP server, web dashboard, expanded eBPF sensor

Builds on v0.2.0 (native eBPF sensor + hardened provenance gates).

Highlights

AI surface

• Stdio MCP server (agentprov ai mcp, JSON-RPC 2.0) over the same internal/aitools catalog as the provider adapters — one contract, no drift.
• Context-write tools (bind_scope, record_tool_call): an agent can assert its own app-side context, app-asserted only — never fabricating system events or signatures.

Web dashboard (agentprov dashboard serve)

• Local, read-only, single-page view over the verifiable graph: the causality DAG (model intent → action → policy → risk → response) as the signature panel, plus verify/signature status, signals/risk, paged timeline, process tree, and egress (with resolved DNS). Embedded UI, no external assets.

Expanded native eBPF sensor (validated live on an arm64 lab VM)

• Sensitive file reads → secret_path (reading a credential file is no longer invisible).
• Privilege escalation: setuid / setgid / ptrace; file tamper: rename / unlink.
• DNS via getaddrinfo uprobe; TLS plaintext → privacy-safe HTTP metadata + llm_call pairing; process_exit closes correlation windows.
• In-kernel noise filtering before ring-buffer reserve, fixing a containerd-teardown firehose that dropped real events.

Policy — privilege-escalation rules: ptrace and setuid/setgid-to-root → quarantine (without flagging the runtime's benign privilege drop).

Docs — refreshed README + architecture SVGs.

Known gaps / follow-ups (honest)

• DNS: getaddrinfo (glibc) is validated; the universal UDP / musl path is partial.
• ptrace probe loads but was not triggered in test.
• Sensor is arm64 only; IPv6/UDP, HTTP/2 HPACK decode, and multi-arch (x86) are follow-ups.