---
vault_clearance: KETER
halo:
  classification: KETER
  confidence: HIGH
  front: "17_Project_CerberusLantern"
  created: 2026-03-26
  updated: 2026-03-28
  wing: NOT_READY
---
# Project CerberusLantern

> Three heads. One gate. Nothing enters or leaves without being seen.

## Two layers

- **Cerberus** — the unified **in-house security suite** (Meridian, Shadow, Colossus, `cerberus.py`, EYE-Lantern 2, hardening, synthetic regression). **Operational posture** for the whole lab’s automated tests is **Warp Storm**, canonically under [MidnightEclipse/WARP_STORM.md](../08_Project_Astronomicon/u_os_dev/MidnightEclipse/WARP_STORM.md) — not this README. Cerberus is where you **tear binaries apart in a VM** and prove host/artifact gates.
- **FORM Totem — Abyssal Beast** — the **evaluation crucible**: control vs test on Lantern VMs, diff and gate oracles, cultivator growth when something slips.
- **Throne / MCP (collaborators)** — exterior agents get **read-class** Cerberus protocol and mirrors via [THRONE_ONBOARDING.md](../08_Project_Astronomicon/u_os_dev/THRONE_ONBOARDING.md), [Astronomicon MCP](../08_Project_Astronomicon/u_os_dev/astronomicon_mcp/README.md), and [HALO_PROTOCOL.md](../HALO_PROTOCOL.md). They do **not** get silent remote execution of `three-head` on your sovereign host; scans run **operator-side** on Lantern or a trusted clone.

Full framing: [CERBERUS_SUITE_AND_TOTEM.md](CERBERUS_SUITE_AND_TOTEM.md).

## Head 1 — MERIDIAN (Inbound)

Foreign software runs in a VM before it touches bare metal.

**Tools:**

| Tool | Role | What It Does |
|------|------|-------------|
| **Chimera** (`chimera_validator.py`) | Static inspector | 11 "insects" — PE header, imports, exports, strings, URLs/IPs, embedded files, entropy, certificates, resources, suspicious patterns |
| **Hunter** (`cerberus_hunter.py`) | Instruction predator | Disassembles every instruction via Capstone. 16 virus signatures (injection, persistence, anti-analysis, ransomware, data theft). API threat map (30+ APIs). 5-phase analysis. |
| **GCE Runner** | Cloud quarantine | Spin up disposable GCE VM, upload Chimera, download specimens INSIDE VM, analyze, return JSON, destroy VM |

## Head 2 — SHADOW OF SIGHT (Outbound)

Tripwires on KETER files. Network monitoring. DNS logging.

**Tool:** `shadow_sentinel.py`

| Capability | Detail |
|-----------|--------|
| **Domain classification** | 100+ known-good, 20+ tracking, Chinese infra, unknown |
| **DGA detection** | Entropy-based domain generation algorithm identification |
| **DNS exfil detection** | Base64/hex subdomain encoding, long subdomain channels |
| **Beacon/C2 detection** | 13 C2 URL patterns, suspicious port detection |
| **Network API detection** | 19 network APIs tracked (WinHTTP, WinInet, Winsock, DNS) |
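The DGA, DNS-exfil and long-subdomain rows above each reduce to a per-label heuristic. The block below is an added illustration of those three heuristics plus a known-good allowlist, written for this README; it is not code from `shadow_sentinel.py`, and the thresholds (`DGA_ENTROPY`, the 16/20-character label minimums, the 40-character / 6-label subdomain limits), the allowlist and the sample queries are all constructed for the example. It also assumes a one-label public suffix, which is a simplification (`co.uk`-style suffixes need a suffix list).

```python
import math
import re
from typing import List

# Constructed allowlist standing in for Shadow's "known-good" class (illustrative only).
KNOWN_GOOD = {"microsoft.com", "windowsupdate.com"}

# Constructed sample queries, shaped like a DNS log would yield them (not captured from any host).
SAMPLE_QUERIES = [
    "www.microsoft.com",
    "update.windowsupdate.com",
    "xk3j9qpd7vmz1ab8.net",                                 # DGA-like: high-entropy label
    "4a6f686e20446f65.data.example-exfil.com",              # hex-encoded subdomain
    "aGVsbG8gd29ybGQgdGhpcyBpcw.tunnel.example.com",        # base64-like subdomain
    "a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.long.example.com",
]

HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{20,}$")

# Illustrative thresholds; tune them against your own baseline traffic.
DGA_ENTROPY = 3.5
LONG_SUBDOMAIN_CHARS = 40
LONG_SUBDOMAIN_LABELS = 6


def shannon_entropy(text: str) -> float:
    """Bits per character: 4.0 for 16 distinct characters, lower for natural words."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(fqdn: str):
    """Return (subdomain labels, registrable label, registrable domain).
    Simplification: assumes the public suffix is a single label."""
    labels = fqdn.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], labels[0]
    return labels[:-2], labels[-2], ".".join(labels[-2:])


def looks_dga(label: str) -> bool:
    """High entropy plus digit-heavy or vowel-poor composition: the classic DGA shape."""
    if len(label) < 10 or shannon_entropy(label) < DGA_ENTROPY:
        return False
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return digits >= 0.2 or vowels <= 0.2


def triage(fqdn: str) -> List[str]:
    """Classify one query name; returns ['known_good'], ['unknown'] or a list of flags."""
    subs, reg_label, reg_domain = split_name(fqdn)
    if reg_domain in KNOWN_GOOD:
        return ["known_good"]
    flags = []
    if looks_dga(reg_label):
        flags.append("dga_like")
    # Encoded-subdomain channels: hex or base64 alphabets in a long leading label.
    if any(HEX_LABEL.match(s) for s in subs):
        flags.append("hex_subdomain")
    if any(BASE64_LABEL.match(s) and shannon_entropy(s) >= DGA_ENTROPY for s in subs):
        flags.append("base64_subdomain")
    # Long-subdomain channels: many labels or many characters before the registrable domain.
    joined = ".".join(subs)
    if len(joined) >= LONG_SUBDOMAIN_CHARS or len(subs) >= LONG_SUBDOMAIN_LABELS:
        flags.append("long_subdomain")
    return flags or ["unknown"]


def triage_all(queries):
    return {q: triage(q) for q in queries}


if __name__ == "__main__":
    for q, flags in triage_all(SAMPLE_QUERIES).items():
        print(f"{','.join(flags):<20} {q}")
```

The entropy test alone would flag some legitimate names (CDN hostnames, long product labels), which is why the DGA rule also asks for a digit-heavy or vowel-poor label and why the allowlist is consulted first; in practice the thresholds are set from a few days of the host's own resolver traffic rather than from the constants shown here.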

## Head 3 — CORPSE OF THE COLOSSUS (System)

**Host compromise detection** — baseline the machine and diff against "known good." **Behavioral anomaly detection** — drift from baseline. **Driver audits** — ring0 is above userland AV. **Steganographic containment** — polyglot files, covert carriers, LSB stego.

**Tools:**

| Tool | Role |
|------|------|
| **EYE-Lantern** (`eye_lantern.py`) | System baseline (9 collectors): processes, services, connections, scheduled tasks, autoruns, listeners, certificates, hosts file, DNS cache |
| **Colossus** (`colossus_auditor.py`) | Driver audit (unsigned/suspicious), process ancestry (orphan/injection detection), steganographic analysis (polyglot, trailing data, LSB chi-squared), directory scanner |
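Colossus's "polyglot" and "trailing data" checks both come down to one question: where does the container say it ends, and is there anything after that point? The block below is an added example written for this README, not code from `colossus_auditor.py`: it walks PNG chunks to the end of `IEND`, locates the JPEG `EOI` marker, measures what trails the declared end, and looks there for the signatures commonly appended to build a polyglot. The 1x1 PNG it builds and the payload it appends are constructed specimens; the `EMBEDDED_MAGICS` table and verdict names are this example's own choices.

```python
import zlib
from dataclasses import dataclass, field
from typing import List, Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"

# Signatures of containers commonly appended to an image to make a polyglot (example's own table).
EMBEDDED_MAGICS = {"ZIP": b"PK\x03\x04", "PE/MZ": b"MZ", "ELF": b"\x7fELF", "PDF": b"%PDF"}


@dataclass
class ContainerReport:
    container: str
    declared_end: Optional[int]
    trailing_bytes: int
    embedded_signatures: List[str] = field(default_factory=list)
    verdict: str = "UNKNOWN_CONTAINER"


def png_declared_end(data: bytes) -> Optional[int]:
    """Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC); return offset past IEND's CRC."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 8 + length + 4
        if ctype == b"IEND":
            return pos
    return None


def jpeg_declared_end(data: bytes) -> Optional[int]:
    """Offset past the last EOI marker. Using the last EOI tolerates embedded EXIF thumbnails
    (which carry their own EOI) but misses appended data that itself contains FF D9;
    a full marker-segment walk is the stricter choice."""
    idx = data.rfind(JPEG_EOI)
    return None if idx < 2 else idx + 2


def inspect_container(data: bytes) -> ContainerReport:
    if data.startswith(PNG_SIG):
        report = ContainerReport("PNG", png_declared_end(data), 0)
    elif data.startswith(JPEG_SOI):
        report = ContainerReport("JPEG", jpeg_declared_end(data), 0)
    else:
        return ContainerReport("unknown", None, 0)
    # No terminator, or a chunk length pointing past EOF: treat as malformed, not clean.
    if report.declared_end is None or report.declared_end > len(data):
        report.verdict = "TRUNCATED_OR_MALFORMED"
        return report
    trailing = data[report.declared_end:]
    report.trailing_bytes = len(trailing)
    report.embedded_signatures = [name for name, magic in EMBEDDED_MAGICS.items() if magic in trailing]
    if report.embedded_signatures:
        report.verdict = "POLYGLOT"
    elif trailing:
        report.verdict = "TRAILING_DATA"
    else:
        report.verdict = "CLEAN"
    return report


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    return len(payload).to_bytes(4, "big") + ctype + payload + zlib.crc32(ctype + payload).to_bytes(4, "big")


def make_png() -> bytes:
    """Constructed 1x1 RGB PNG used as the clean specimen."""
    ihdr = (1).to_bytes(4, "big") + (1).to_bytes(4, "big") + bytes([8, 2, 0, 0, 0])
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


if __name__ == "__main__":
    clean = make_png()
    specimens = {
        "clean.png": clean,
        "polyglot.png": clean + b"PK\x03\x04" + b"constructed-payload",   # image with a ZIP tail
        "tail.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\xff\xd9" + b"hidden",   # constructed JPEG + tail
    }
    for name, blob in specimens.items():
        print(name, inspect_container(blob))
```

Trailing data is not proof of anything by itself (some writers pad files, and some cameras append metadata), which is why the report separates the measurement (`trailing_bytes`) from the verdict and lists which signatures were found, so the operator can decide whether the tail warrants carving.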

## Unified Daemon

**`cerberus.py`** — coordinates all three heads:

```
cerberus.py scan <exe>      # Full THREE-HEAD analysis
cerberus.py baseline        # Take system baseline
cerberus.py diff            # Compare against baseline
cerberus.py watch <exe>     # Monitor program's system impact
cerberus.py promote <exe>   # Full promotion gate evaluation
cerberus.py report          # Generate security report
```

**Promotion Gate:** Binary must pass ALL three heads to move from VM to bare metal. Decisions: `PROMOTE` | `REVIEW` | `QUARANTINE`.
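Two of the commands above, `baseline`/`diff` and `promote`, chain together: the EYE-Lantern diff is what feeds Head 3's evidence into the gate. The block below is an added example written for this README, not code from `cerberus.py` or `eye_lantern.py`: it diffs two reduced snapshots (collector name to a set of normalized entries, a stand-in for the nine collectors), turns additions and removals into severity-tagged findings, and applies a gate that returns `PROMOTE`, `REVIEW` or `QUARANTINE` with an ordered evidence chain. The severity table, the head names as dictionary keys, the gate thresholds and both snapshots are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Collector name -> set of normalized entries (reduced stand-in for the nine EYE-Lantern collectors).
Snapshot = Dict[str, Set[str]]

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
HEADS = ("meridian", "shadow", "colossus")

# Illustrative severity for an entry that appears after the baseline was taken.
ADDITION_SEVERITY = {
    "autoruns": "HIGH", "services": "HIGH", "scheduled_tasks": "HIGH", "hosts_file": "HIGH",
    "listeners": "MEDIUM", "connections": "MEDIUM", "certificates": "MEDIUM",
    "processes": "LOW", "dns_cache": "LOW",
}


@dataclass(frozen=True)
class Finding:
    head: str
    severity: str
    detail: str


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Drift from 'known good': additions carry the collector's severity, removals are LOW."""
    findings = []
    for collector in sorted(set(baseline) | set(current)):
        before, after = baseline.get(collector, set()), current.get(collector, set())
        for entry in sorted(after - before):
            severity = ADDITION_SEVERITY.get(collector, "MEDIUM")
            findings.append(Finding("colossus", severity, f"{collector} added: {entry}"))
        for entry in sorted(before - after):
            findings.append(Finding("colossus", "LOW", f"{collector} removed: {entry}"))
    return findings


def promotion_gate(results: Dict[str, Optional[List[Finding]]]) -> Tuple[str, List[str]]:
    """All three heads must have run and none may report HIGH or worse.
    None for a head means it did not run, which alone blocks promotion."""
    missing = [h for h in HEADS if results.get(h) is None]
    evidence = [f for h in HEADS for f in (results.get(h) or [])]
    evidence.sort(key=lambda f: -SEVERITY_RANK[f.severity])   # worst first; stable sort keeps head order
    worst = max((SEVERITY_RANK[f.severity] for f in evidence), default=-1)
    if worst >= SEVERITY_RANK["HIGH"]:
        decision = "QUARANTINE"
    elif missing or worst >= SEVERITY_RANK["MEDIUM"]:
        decision = "REVIEW"
    else:
        decision = "PROMOTE"
    chain = [f"{h}: did not run" for h in missing]
    chain += [f"{f.head}:{f.severity}:{f.detail}" for f in evidence]
    return decision, chain


def demo() -> Tuple[str, List[str]]:
    """Constructed scenario: the watched program added an autorun and a listener."""
    baseline: Snapshot = {
        "processes": {"explorer.exe", "svchost.exe"},
        "listeners": {"tcp/135", "tcp/445"},
        "autoruns": {"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:OneDrive"},
    }
    current: Snapshot = {
        "processes": {"explorer.exe", "svchost.exe", "updater.exe"},
        "listeners": {"tcp/135", "tcp/445", "tcp/4444"},
        "autoruns": {
            "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:OneDrive",
            "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:updater",
        },
    }
    # Heads 1 and 2 are assumed to have run clean in this scenario.
    results = {"meridian": [], "shadow": [], "colossus": diff_snapshots(baseline, current)}
    return promotion_gate(results)


if __name__ == "__main__":
    decision, chain = demo()
    print(decision)
    for line in chain:
        print("  ", line)
```

The point of returning the chain rather than only the verdict is that a `REVIEW` or `QUARANTINE` has to be explainable to the operator in one read: the worst finding comes first, and a head that never produced a result is listed explicitly instead of silently counting as a pass.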

## Engine Directory

```
engine/
  cerberus.py              # Unified daemon + PromotionGate
  chimera_validator.py     # Head 1: Static binary inspector
  cerberus_hunter.py       # Head 1: Instruction-level predator
  shadow_sentinel.py       # Head 2: Network sentinel
  colossus_auditor.py      # Head 3: System integrity + stego
  eye_lantern.py           # Head 3: System baseline profiler
```

## Corpse of the Colossus (Head 3 spec)

Long-form map: [CORPSE_OF_THE_COLOSSUS.md](CORPSE_OF_THE_COLOSSUS.md) — driver baseline diff (O5), vendor registry JSON (O6), Shadow seal break → Colossus (O7), tripwire webhook env (O1).

## EYE-Lantern 2 SDK (Lantern 2 VM)

VM-first orchestration: wraps **EYE-Lantern** (baseline/diff), **Chimera** (autopsy), and **Shadow Sentinel** (static network) with a single CLI, regression harness, and optional offline corpus hooks. **Canonical record:** [EYE_LANTERN_2.md](EYE_LANTERN_2.md). **Package:** [eye_lantern_2_sdk/](eye_lantern_2_sdk/). **Bootstrap (new VM):** [scripts/bootstrap_lantern2_vm.ps1](scripts/bootstrap_lantern2_vm.ps1). From vault root: `python scripts/eye_lantern_2.py self-check` (avoids `cd` into paths with brackets).

## FORM Antimalware Suite (synthetic regression)

**FORM**-aligned white-hat harness over Meridian/Shadow/Corpse axes: `python suite/form_antimalware_suite.py` or `python engine/cerberus.py form-suite`. **Record:** [FORM_ANTIMALWARE_SUITE.md](FORM_ANTIMALWARE_SUITE.md). Ties to [FORM.md](FORM.md).

## Detection Capabilities vs Orthodox

| Axis | Windows Defender / EDR | CerberusLantern |
|------|----------------------|-----------------|
| **Static** | Signature DB | Instruction-level disassembly + 16 behavioral signatures |
| **Network** | Reputation lists | DGA entropy detection, DNS exfil analysis, beacon pattern matching |
| **System** | Real-time shield | 9-collector baseline + diff + driver audit + process ancestry |
| **Stego** | Nothing | Polyglot detection, trailing data, LSB chi-squared |
| **Decision** | Green/red icon | Three-head PromotionGate with evidence chain |
| **Quarantine** | File quarantine | Cloud VM quarantine (GCE) — binary never touches host |

## Status

- [x] Chimera — static binary inspector (11 insects)
- [x] Cerberus Hunter — instruction-level predator (16 signatures, 48K+ instructions tested)
- [x] Shadow of Sight — network sentinel (DGA, DNS exfil, beacon, domain classification)
- [x] Corpse of the Colossus — driver audit, process ancestry, steganographic containment
- [x] EYE-Lantern — system baseline profiler (9 collectors, fingerprinting)
- [x] EYE-Lantern 2 SDK — VM orchestration + `verify` + [EYE_LANTERN_2.md](EYE_LANTERN_2.md)
- [x] Unified daemon (`cerberus.py`) with PromotionGate
- [x] GCE cloud quarantine runner (tested with WeChat.exe)
- [x] KETER file tripwire — `engine/keter_tripwire.py` + optional webhook (`KETER_TRIPWIRE_WEBHOOK_URL`); email/Technomancer fan-out not yet wired
- [x] International software risk registry — `engine/vendor_registry.json` (populate hashes for production)
- [ ] Windows Sandbox `.wsb` config for lightweight quarantine

## Operator runbook

Phased checklist aligned with vault root security docs: Lantern 2 bootstrap, `scripts/eye_lantern_2.py` / `eye_lantern_2_sdk`, unified `engine/cerberus.py`, evidence in vault [`WORLDLINE.md`](../WORLDLINE.md), optional Warp Storm — **[RUNBOOK_LANTERN_POSTURE.md](RUNBOOK_LANTERN_POSTURE.md)**.

## Related

- [15_Project_ShadowsOfSight](../15_Project_ShadowsOfSight/README.md) — Integrity suite: Bioship living binaries + Shadow Seal HMAC integrity
  - [BIOSHIP.md](../15_Project_ShadowsOfSight/BIOSHIP.md) — Living binary architecture (12/12 NP-Cultivator)
  - [bioship_vault.py](../15_Project_ShadowsOfSight/tools/bioship_vault.py) — Apollyon key delivery pipeline
  - [heartbeat_daemon.py](../15_Project_ShadowsOfSight/tools/heartbeat_daemon.py) — Fleet heartbeat + Tailscale mesh
  - [LOCKDOWN.md](../15_Project_ShadowsOfSight/LOCKDOWN.md) — Hardening plan
- [HALO_PROTOCOL.md](../HALO_PROTOCOL.md) — Classification + Integrity Protocols (Bioship + Shadow Seal)
- [HALO_SOVEREIGN.md](../11_Project_WordsOfTomorrow/HALO_SOVEREIGN.md) — Post-quantum encryption protocol
