docs(future-arch): observed execution/egress/secrets axes + DN-1 design note

[Yambr]

Summary

Captures a follow-up live-VM observation into docs/future-architecture/, as a companion to research/22. #22 covered storage; this adds the three axes it under-weighted.

• research/23-anthropic-microvm-execution-network-secrets-observed.md — observed facts from a 2026-05-22 VM walk across three axes:
  • Execution — process_api is PID 1 and the child-process/PTY supervisor and the :2024 control-channel server; --block-local-connections keeps workloads off the control port. In-VM memory boundary is weak (/proc/1/mem readable as root) — by acceptance, not accident.
  • Egress — transparent (no MITM, clean CA bundle), DNS unrestricted, filtered on connect not on resolution; layered host L3/L4 + agent policy; SSRF guard returns 403 on metadata/link-local.
  • Secrets — no long-lived key on disk/env/config; arrives over the control channel, handed out scoped + short-lived. Defense is external isolation + scope + ephemerality.
  • Plus the agent-memory gRPC API (event-sourced proto), distinct from the file path.
  • Records 4 proposed locks (P1–P4) pending phase sign-off — deliberately does not edit ADRs/antipatterns.md/architecture/ (unlike fix: CodeQL path-injection alerts + bump vulnerable deps #22's A37).
• design-notes.md — new file, sibling of gaps.md, for candidate solutions not yet locked. First entry DN-1: a substrate-independent egress / identity / secret-broker design (one default-deny+allowlist-on-connect invariant with thin Docker/k8s/VM wrappers; "internet not intranet" SSRF deny-set; Tailscale/Headscale mesh for identity; broker-gateway so the real key never enters the sandbox; RBAC pipeline where LiteLLM is accounting-only, not auth).
• README.md — indexes both new files in the document map.

Test plan

• Docs-only change — no build/test impact
• Verify all intra-tree links resolve (research ↔ architecture ↔ roadmap ↔ antipatterns)
• Owner reconciles the IPv6 discrepancy flagged between fix: CodeQL path-injection alerts + bump vulnerable deps #22 (ipv6.disable=1) and Add detailed comparison: Open Computer Use vs Open Terminal #23 (IPv6 egress observed)
• P1–P4 and DN-1 routed to their owning phase research passes (Phase 4 / 7 / 8)

https://claude.ai/code/session_01XL5dtnrq4agijEMnSWzkGm

---

Generated by Claude Code

Summary by CodeRabbit

• Documentation
  • Added design documentation covering identity and egress management approaches.
  • Added research documentation detailing microVM execution environment observations and process supervision.
  • Updated architecture documentation index and structure.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR extends the future architecture documentation with design governance and observational research. It adds a design-notes.md document establishing rules for candidate solutions, includes DN-1 covering substrate-independent egress and broker-based secret handling, and introduces a research document capturing live microVM guest behavior across execution supervision, egress enforcement, and identity handling.

Changes

Architecture Design and Research Documentation

Layer / File(s)	Summary
Documentation index updates docs/future-architecture/README.md	README now references the new design-notes.md document in the live spec tree and adds 23-anthropic-microvm-execution-network-secrets-observed.md to the research archive listing.
Design notes governance and DN-1 egress/broker design docs/future-architecture/design-notes.md	New governance document defines how design notes are researched and approved. DN-1 specifies a substrate-independent egress invariant (default-deny + allowlist across iptables, Kubernetes NetworkPolicy, nftables), IPv4/IPv6 handling, mesh-based internal connectivity (Tailscale/Headscale), a broker-gateway architecture keeping long-lived provider keys outside the sandbox, and LiteLLM scoped to usage metering rather than authorization. Includes RBAC pipeline separation with policy decisions in IdP/policy engine, roadmap phase mapping, and ADR-0006 license-vetting reminder.
MicroVM execution, egress, and secrets observation research docs/future-architecture/research/23-anthropic-microvm-execution-network-secrets-observed.md	Research document captures live observations from Anthropic microVM guest: Axis 1 describes process_api as PID-1 supervisor with control-channel server, control-port isolation from workload, and weak in-VM memory boundary. Axis 2 documents TLS transparency, unrestricted DNS, connect-time egress enforcement, and IPv6 discrepancy. Axis 3 asserts no on-disk/env model API key, describes control-channel token handoff, and defines agent-memory as event-sourced gRPC API. Includes four proposed locks (P1–P4), six open questions (control-channel multiplexing, egress termination, IPv6 reconciliation, display/input layer, snapshot/restore), roadmap phase mapping, key-principles checklist, and reproducibility shell commands for future snapshot comparison.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Wide-Moat/open-computer-use#124: Expands the future-architecture README with research archive and phase/ADR framing updates in the same documentation area.

Poem

🐰 A blueprint drawn from observation keen,
Where secrets flow through broker machines,
Default-deny guards the egress gate,
DN-1 designs our substrate fate—
Notes researched, then roadmaps align! 🏗️

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately captures the main changes: documenting observed execution/egress/secrets behavior from a live VM and introducing a candidate design note (DN-1).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/sandbox-arch-security-rqNVp

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@docs/future-architecture/research/23-anthropic-microvm-execution-network-secrets-observed.md`:
- Line 27: The line beginning with "`#22` §1 established `process_api` as PID 1…"
is being parsed as a Markdown heading; update that line in the document so the
"`#22`" is not at the start of the line (for example replace with "\`#22`", or wrap
as inline code "`#22`", or rephrase to "No. 22") while preserving the rest of
the sentence and the `process_api` code formatting so it renders as plain text
reference rather than an ATX heading.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 59206cbc-f016-451f-826f-1f865fbb718a

📥 Commits

Reviewing files that changed from the base of the PR and between 34fe690 and 80bb50a.

📒 Files selected for processing (3)

• docs/future-architecture/README.md
• docs/future-architecture/design-notes.md
• docs/future-architecture/research/23-anthropic-microvm-execution-network-secrets-observed.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Escape #22 at line start to avoid unintended heading parsing.

Line 27 begins with #22, which Markdown treats as an ATX heading token in many parsers/lints. Use inline code or escape the hash so it renders as plain text reference.

Suggested fix

-#22 §1 established `process_api` as PID 1 (custom Go binary, `rdinit=`). This walk shows it is also the **execution supervisor** — the everything-process for running code inside the VM:
+`#22` §1 established `process_api` as PID 1 (custom Go binary, `rdinit=`). This walk shows it is also the **execution supervisor** — the everything-process for running code inside the VM:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	#22 §1 established `process_api` as PID 1 (custom Go binary, `rdinit=`). This walk shows it is also the **execution supervisor** — the everything-process for running code inside the VM:
	`#22` §1 established `process_api` as PID 1 (custom Go binary, `rdinit=`). This walk shows it is also the **execution supervisor** — the everything-process for running code inside the VM:

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 27-27: No space after hash on atx style heading

(MD018, no-missing-space-atx)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@docs/future-architecture/research/23-anthropic-microvm-execution-network-secrets-observed.md`
at line 27, The line beginning with "`#22` §1 established `process_api` as PID 1…"
is being parsed as a Markdown heading; update that line in the document so the
"`#22`" is not at the start of the line (for example replace with "\`#22`", or wrap
as inline code "`#22`", or rephrase to "No. 22") while preserving the rest of
the sentence and the `process_api` code formatting so it renders as plain text
reference rather than an ATX heading.