---
vault_clearance: EUCLID
halo:
  classification: INTERNAL
  confidence: HIGH
  front: "23_Project_StormIntoMidnight"
  custodian: "The Architect"
  created: 2026-04-19
  updated: 2026-04-28
  wing: CONDITIONAL
  containment: "FORM — composite assurance vs silo security; external frameworks mapped honestly"
---

# FORM — StormIntoMidnight (Functional Orthodox Reality Model)

**Axis:** methodology (how we *measure* defense), not TRUTH epistemology — see [TRUTH_PROTOCOL.md](../TRUTH_PROTOCOL.md). **Vault FORM rules:** [FORM_PROTOCOL.md](../FORM_PROTOCOL.md). **Citations / links:** [BOOK.md](BOOK.md). **Triad:** [README.md](README.md) · [BOUNTY_BOARD.md](BOUNTY_BOARD.md) · [WORLDLINE.md](WORLDLINE.md).

**Runs:** [README.md — Run the suite](README.md#run-the-suite) · [TESTING.md](TESTING.md) · [`storm_into_midnight.py`](storm_into_midnight.py) · machine phase map [`suite/infrastructure_suite.json`](suite/infrastructure_suite.json) · [suite/README.md](suite/README.md).

**Orthodox benchmark (the thing to beat):** [FORM_ORTHODOX_APEX_ASSURANCE.md](FORM_ORTHODOX_APEX_ASSURANCE.md) — frozen steelman opponent (silo programs + rubric). Storm + CI compete against it on composition, cadence, and evidence — not on owning every silo tool.

**Honesty bar:** External frameworks (SSDF, ASVS, SPVS, SLSA) are **vocabulary**, not certification. Evidence is always the JSON run + paths in WORLDLINE.

---

## Figure 1 — Orthodox silo stack vs composite conductor (FORM axis)

```mermaid
flowchart TB
  subgraph orthodox [OrthodoxPosture]
    T1[ToolA_Green]
    T2[ToolB_Green]
    T3[ToolC_Green]
    R1[SeparateReports]
    C1[CompositeClaimBySlogan]
    T1 --> R1
    T2 --> R1
    T3 --> R1
    R1 --> C1
  end
  subgraph ours [StormPosture]
    P[Preflight]
    X[ExportOrEdgeOrVault]
    J[SingleJSON]
    B[BlindSpotsEnumerated]
    P --> X
    X --> J
    J --> B
  end
  orthodox -.gaps.-> ours
```

**Read:** silo green does not compose to system green until **one run** binds lanes, names skips, and lists blind spots.

---

## Figure 2 — Default gauntlet as a staged pipeline (what “automatic” means)

```mermaid
flowchart LR
  PF[Preflight] --> EX[ExportPublicLab]
  EX --> VA[VaultMirrorDaemon]
  VA --> LI[LocalInfra_OrganaGit]
  ED[EdgeGrandmaster] --> LI
```

**Read:** host (Warp / Cerberus stack) is **out** of the default gauntlet on purpose (laptop-shaped). **Edge** runs against the Astronomicon Worker (URL from the CLI/env chain, else the public `https://u-os.dev` unless `STORM_GAUNTLET_NO_DEFAULT_EDGE` is set). Full composite and the state-actor gate re-enable host explicitly (see README / TESTING).

---

## A. The two paradigms (max-orthodox vs ours)

### A.1 Orthodox — strongest honest version (industry “best practice” silos)

**Full steelman catalog and rubric:** [FORM_ORTHODOX_APEX_ASSURANCE.md](FORM_ORTHODOX_APEX_ASSURANCE.md) (programs P1–P15, dimensions, trace table). The table below is a **summary**; edits to the benchmark belong in the apex file first, then mirror here if needed.

Steelmanned, not strawmanned: the orthodox posture is **mature tooling + regulated process**, not laziness.

| Dimension | Orthodox (strong form) |
|-----------|-------------------------|
| **Philosophy** | Defense in depth implemented as **separate programs of work**: appsec, infra, SOC, GRC, vendor pentest, bug bounty, IAM, etc. |
| **Parameters** | Many — scanners, baselines, SLAs, risk registers, control frameworks (800-53 families), audit schedules. |
| **Verification** | **NIST SSDF** ([SP 800-218](https://doi.org/10.6028/NIST.SP.800-218), [CSRC SSDF](https://csrc.nist.gov/Projects/SSDF)) practice groups: **Prepare the Organization (PO) / Protect the Software (PS) / Produce Well-Secured Software (PW) / Respond to Vulnerabilities (RV)**, mapped to SDLC gates. |
| **Application assurance** | **OWASP ASVS** ([project](https://owasp.org/www-project-application-security-verification-standard/), [using ASVS](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md)) — **requirements as tests**; discourages “black box only” as primary assurance; pushes hybrid and continuous verification. |
| **Pipeline assurance** | **OWASP SPVS** ([SPVS project](https://owasp.org/www-project-spvs/), [how to use](https://github.com/OWASP/www-project-spvs/blob/main/1.0/OWASP_SPVS_1.0_How_To_Use_SPVS.md)) — Plan / Develop / Integrate / Release / Operate with maturity levels. |
| **Artifact integrity** | **SLSA** ([slsa.dev](https://slsa.dev/), [verifying artifacts](https://slsa.dev/spec/v1.1/verifying-artifacts)) — provenance exists **and** someone verifies it; builder identity, digest, signature, expectations. |
| **Evidence** | Tickets, PDFs, dashboards, annual pentest reports, compliance attestations. |
| **Win** | Auditable **artifacts** and **role clarity**. |
| **Lose** | **Composition illusion** — every lane green on paper while the **system** story is false because skips, stale mirrors, or blind spots never appear in one transcript. |

### A.2 Ours — StormIntoMidnight composite + default gauntlet

| Dimension | StormIntoMidnight |
|-----------|-------------------|
| **Philosophy** | **System first**: one conductor binds edge / host / vault / infra lanes; default **no-args** run is a **gauntlet** (preflight → export → vault → local infra). |
| **Parameters** | Few at the operator edge: **no args**, `--lab-smokes`, `--state-actor-gate`, explicit `--skip-*`, `--wake-profile`, `--local-infra`, `--organa-scope`; Worker URL via `--base-url` / env / gauntlet default (see README). |
| **Verification** | **JSON phases** + checks[] rows; blind_spots[]; optional claim gate object — evidence is the run blob, not a slide deck. |
| **Application assurance** | ASVS-aligned *spirit*: continuous, hybrid-friendly, tool-assisted — implemented as **MidnightEclipse** probes + **wake profile** + **Organa** policy lint (not full ASVS control catalog). |
| **Pipeline assurance** | SPVS-aligned *spirit*: **git_health_track** + CI elsewhere (`infrastructure_suite.json` points at `.github/workflows/...`) — Storm is not the whole pipeline. |
| **Artifact integrity** | SLSA-aligned *spirit*: **mirror hash parity** (`public_lab` vs vault roots) + export step — **not** full provenance attestations unless you add them elsewhere. |
| **Evidence** | README + WORLDLINE + committed JSON paths; HALO discipline on claims. |
| **Win** | One honest story: **PASS/FAIL** with named skips. |
| **Lose** | Operator confuses **gauntlet** (laptop default) with **state-actor gate** (full lanes) — mitigated by README labeling. |
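What "one conductor binds lanes, names skips, and lists blind spots" means in code, as an added example (not `storm_into_midnight.py`, whose real JSON layout is only sketched on this page). Assumptions: a run is a dict of lanes (`edge`, `host`, `vault`, `local_infra`), each with a `status`, an optional `reason`, and `checks[]` rows with an `id` and `ok`; the gate policy "every required lane must have actually run" and the `claim_gates` internals are made up here; check ids other than `SIM-PUBLIC-LAB-*` are invented. The point it shows is the composition illusion from A.1: the same run is `PASS` as a laptop gauntlet and `FAIL` under the state-actor gate, and a lane that reports green with no check rows is treated as a slogan, not evidence.

```python
"""Composite verdict over per-lane results.

Added example, not storm_into_midnight.py. Assumed run shape:
phases = {lane: {"status": "PASS"|"FAIL"|"SKIP", "reason": str,
                 "checks": [{"id": str, "ok": bool}]}}.
Lane names follow the page; check ids other than SIM-PUBLIC-LAB-* and the
claim_gates internals are assumptions."""
from __future__ import annotations

PASS, FAIL, SKIP = "PASS", "FAIL", "SKIP"
# Assumed --state-actor-gate policy: every one of these lanes must have actually run.
GATE_REQUIRED_LANES = ("edge", "host", "vault", "local_infra")


def lane_status(lane: dict) -> str:
    """A lane is green only if it ran AND produced check rows that all passed.
    A lane that ran but emitted no rows is a claim, not evidence: FAIL."""
    if lane.get("status") == SKIP:
        return SKIP
    checks = lane.get("checks", [])
    if not checks:
        return FAIL
    return PASS if all(c.get("ok") for c in checks) else FAIL


def compose(phases: dict, state_actor_gate: bool = False) -> dict:
    """Bind every lane into one transcript: named skips, failed ids, blind spots."""
    statuses = {name: lane_status(lane) for name, lane in phases.items()}
    skips = {n: phases[n].get("reason", "no reason recorded")
             for n, s in statuses.items() if s == SKIP}
    unevidenced = [n for n, lane in phases.items()
                   if lane.get("status") != SKIP and not lane.get("checks")]
    failed_checks = [c["id"] for lane in phases.values()
                     for c in lane.get("checks", []) if not c.get("ok")]
    blind_spots = []
    if state_actor_gate:
        for lane in GATE_REQUIRED_LANES:
            if lane not in phases:
                blind_spots.append(f"{lane}: lane absent from run")
            elif statuses[lane] == SKIP:
                blind_spots.append(f"{lane}: skipped ({skips[lane]})")
    outcome = FAIL if (FAIL in statuses.values() or blind_spots) else PASS
    run = {"outcome": outcome, "lanes": statuses, "skips": skips,
           "unevidenced": unevidenced, "failed_checks": failed_checks,
           "blind_spots": blind_spots}
    if state_actor_gate:
        run["claim_gates"] = {"state_actor": {"ok": outcome == PASS,
                                              "blind_spots": blind_spots}}
    return run


# Constructed laptop-gauntlet run: every lane that ran is green, host skipped with a reason.
SAMPLE_RUN = {
    "edge": {"status": PASS, "checks": [{"id": "EDGE-ROOT-200", "ok": True},
                                        {"id": "EDGE-MIRROR-JSON", "ok": True}]},
    "host": {"status": SKIP, "reason": "--skip-host (laptop gauntlet)"},
    "vault": {"status": PASS, "checks": [{"id": "SIM-PUBLIC-LAB-PARITY", "ok": True}]},
    "local_infra": {"status": PASS, "checks": [{"id": "ORGANA-LINT", "ok": True},
                                               {"id": "GIT-HEALTH", "ok": True}]},
}

if __name__ == "__main__":
    import json
    print(json.dumps(compose(SAMPLE_RUN), indent=2))                         # PASS, host named as skip
    print(json.dumps(compose(SAMPLE_RUN, state_actor_gate=True), indent=2))  # FAIL, host is a blind spot
```

The two calls at the bottom are E3 from section E: identical lane evidence, two different honest verdicts, because the gate turns a named skip into a blind spot instead of letting it disappear into a green dashboard.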

---

## B. Head-to-head axes (expanded)

| # | Axis | Orthodox / industry | StormIntoMidnight |
|---|------|----------------------|-------------------|
| 1 | **Composition** | Programs of work sequenced by calendar | **Single conductor transcript** per run |
| 2 | **Default friction** | “Run the checklist” (many URLs) | **`python storm_into_midnight.py`** from vault root |
| 3 | **Evidence shape** | Mixed media | **JSON + check ids** |
| 4 | **Skips** | Often implicit | **Explicit** (`SKIP` + reasons; blind_spots when policy triggers) |
| 5 | **Host stack** | Cerberus/Warp as its own hero | **Off in gauntlet**; **on** in full composite / gate |
| 6 | **Edge** | DAST / prod monitors | **MidnightEclipse grandmaster** + optional **wake-profile** |
| 7 | **Vault truth** | Drift unnoticed | **Daemon heartbeat + `public_lab` hash parity + `_VAULT_STATE` ring** |
| 8 | **Policy / docs** | Manual review | **Organa `vault-lint`** (scope: git / staged / full) |
| 9 | **Repo stress** | Ad hoc “git feels bad” | **`git_health_track.py`** JSON lane |
| 10 | **Regression** | Quarterly | **Preflight unittest + py_compile** every gauntlet |
| 11 | **Threat depth** | Pentest / red team budgets | **White-hat composite** — see [RED_TEAM_PROTOCOL.md](../08_Project_Astronomicon/u_os_dev/RED_TEAM_PROTOCOL.md) for what Storm does **not** replace |
| 12 | **Supply chain truth** | SBOM + SLSA programs | **Partial**: export + mirror checks approximate **integrity of published lab slice**, not full SBOM |
| 13 | **Claim governance** | GRC wording | **`--state-actor-gate`** — explicit FAIL if lanes/skips violate policy |
| 14 | **Automation** | CI matrix | **Default local gauntlet** + **CI parallel** tracked in `infrastructure_suite.json` |
| 15 | **Learning loop** | Postmortem docs | **WORLDLINE** breakthrough format + bounty rows |

---

## C. Murder board — where orthodox posture still fails (even when “mature”)

| # | Failure mode | Mechanism | Storm counter (partial / full) |
|---|--------------|------------|--------------------------------|
| 1 | **Green silos, red system** | Independent dashboards never join | Single JSON; blind_spots |
| 2 | **Stale public slice** | Export not run; mirror drift | Gauntlet runs **export** before vault mirror checks |
| 3 | **Silent skip** | “We don’t have URL so we ignored edge” | Edge `SKIP` with **reason**; gate fails if policy disallows |
| 4 | **Host theater** | “We have Cerberus” but never composed | Full composite / gate turns host **on** |
| 5 | **Black-box-only assurance** | ASVS: black-box-only testing reaches L1 at most and is discouraged as primary assurance | Hybrid: repo-open checks + edge harness + vault parity |
| 6 | **Pipeline blind spot** | Secrets in CI, no local git stress | `git_health_track` in local_infra lane |
| 7 | **Docs/policy drift** | Markdown rots | Organa vault-lint scopes |
| 8 | **Regression amnesia** | “It worked last month” | Preflight tests + compile |
| 9 | **Wake / bot semantics** | Edge looks fine to curl | `--wake-profile` family probes |
| 10 | **Provenance theater** | SBOM generated, never verified | Mirror **verification** (hashes), not just generation |
| 11 | **Attestation gap** | Builds unsigned / unverified | SLSA lesson: **verify** expectations — vault uses **digest equality**, not Sigstore |
| 12 | **Operational denial** | “Safe” language without gate | `--state-actor-gate` policy text in README |
| 13 | **AI supply chain** | SSDF community profile for GenAI dual-use | **Out of scope** for Storm unless you add explicit profile hooks |
| 14 | **Nation-state cosplay** | Marketing | README: gate is **floor**, not proof |
| 15 | **One-shot pentest faith** | ASVS: time-bounded testers vs infinite attacker | Storm is **continuous smoke**, not pentest replacement |
| 16 | **Tool green = risk gone** | Scanner false negatives | MidnightEclipse + wake + manual tier C |
| 17 | **Unlogged composition** | Slack “we ran it” | WORLDLINE + JSON artifact discipline |
| 18 | **Config loss on lint** | Automation wipes JSON | Organa merge-safe `patterns.json` (vault reflex; see `26_Project_Organa`) |
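Row 18 in code, as an added example (not Organa's own `patterns.json` handling, whose schema this page does not show). The naive shape of the bug is an automation pass that rewrites the config from its built-in defaults, silently dropping every pattern the operator added, which is a detection blind spot that no dashboard will ever surface. The merge-safe shape reads what is on disk, lays defaults underneath it, and writes through a temp file plus `os.replace` so a crash mid-write leaves the old file intact. Field names (`patterns`, `ignore`, `version`) and the regexes are assumptions.

```python
"""Merge-safe config refresh vs the clobbering rewrite.

Added example, not Organa code. DEFAULTS, the field names and the regexes
are assumptions; only the failure mode (automation wipes operator JSON) is
from the page."""
from __future__ import annotations
import json
import os
import tempfile
from pathlib import Path

DEFAULTS = {
    "version": 2,
    "patterns": {"secret": r"(?i)api[_-]?key\s*=", "todo": r"\bTODO\b"},
    "ignore": ["public_lab/"],
}


def naive_rewrite(path: Path) -> dict:
    """The bug: regenerate from defaults; every operator addition is gone."""
    path.write_text(json.dumps(DEFAULTS, indent=2))
    return json.loads(path.read_text())


def deep_merge(base: dict, overlay: dict) -> dict:
    """Overlay wins on scalars; nested dicts merge; lists union, overlay appended."""
    out = dict(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        elif isinstance(value, list) and isinstance(out.get(key), list):
            out[key] = out[key] + [x for x in value if x not in out[key]]
        else:
            out[key] = value
    return out


def merge_safe_rewrite(path: Path) -> dict:
    """Read what the operator has, put defaults underneath, replace atomically."""
    existing = json.loads(path.read_text()) if path.exists() else {}
    merged = deep_merge(DEFAULTS, existing)
    fd, tmp = tempfile.mkstemp(dir=str(path.parent), prefix=path.name, suffix=".tmp")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(merged, f, indent=2, sort_keys=True)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX and Windows: old file or new file, never a torn one
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return merged


def demo() -> tuple[dict, dict]:
    """Same operator file, both rewrites; returns (what naive kept, what merge-safe kept)."""
    with tempfile.TemporaryDirectory() as td:
        cfg = Path(td, "patterns.json")
        operator = {"patterns": {"internal_host": r"\.corp\.example\b"}, "ignore": ["vendor/"]}
        cfg.write_text(json.dumps(operator))
        lost = naive_rewrite(cfg)
        cfg.write_text(json.dumps(operator))
        kept = merge_safe_rewrite(cfg)
        return lost, kept


if __name__ == "__main__":
    lost, kept = demo()
    print("naive kept operator pattern:", "internal_host" in lost["patterns"])
    print("merge-safe kept operator pattern:", "internal_host" in kept["patterns"])
```

Two checks worth keeping in a lint reflex: compare the key set before and after the rewrite and refuse to write if any operator key would vanish, and never write the target path directly.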

---

## D. What we take honestly from orthodox (imports)

### D.1 NIST SSDF (organizational vocabulary)

SSDF practice groups: **Prepare the Organization (PO), Protect the Software (PS), Produce Well-Secured Software (PW), Respond to Vulnerabilities (RV)** ([NIST SP 800-218](https://doi.org/10.6028/NIST.SP.800-218)). Mapped to *this vault's* surfaces **without** pretending full SSDF coverage:

| SSDF group | Example tasks (informative) | Vault / Storm mapping |
|------------|------------------------------|------------------------|
| **Prepare** | Define security checks; secure dev environments | README runbook; `.pre-commit-config.yaml` Organa staged hook; gauntlet defines “what counts as green” |
| **Protect** | Least privilege on code; integrity info for releases | Git + branch protections (outside Storm); mirror hash checks approximate release-slice integrity |
| **Produce** | Code review; analyze code; test executables | Organa lint; preflight tests; MidnightEclipse / wake |
| **Respond** | Identify vulns; fix; hunt siblings | BOUNTY_BOARD + WORLDLINE; not automated CVE ingestion in Storm |

### D.2 OWASP ASVS (verification philosophy)

ASVS stresses **verification as product**, hybrid testing, and **continuous** tooling where possible ([Using ASVS](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md)). We adopt:

- **Named requirements → checks** pattern (`checks[]` with ids).
- **Skepticism of “black box only”** as the spine of assurance.
- **Automation where cheap** (lint, unittest, compile, git health), **explicit human lanes** for what automation cannot own (threat modeling, tier-C red work).

### D.3 OWASP SPVS (pipeline stages)

SPVS stages Plan → Develop → Integrate → Release → Operate ([SPVS](https://owasp.org/www-project-spvs/)). Storm covers **fragments**:

- **Integrate/Release-ish**: export + mirror parity (artifact promotion to `public_lab`).
- **Develop-ish**: Organa on repo text; git health.
- **Operate-ish**: edge/wake against live Worker (optional).

CI workflows referenced from `infrastructure_suite.json` carry more of **Integrate** than Storm alone.

### D.4 SLSA / provenance lessons

SLSA emphasizes **verification** of provenance and builder identity ([Verifying artifacts](https://slsa.dev/spec/v1.1/verifying-artifacts)). Our partial analogue:

| SLSA idea | Storm / vault analogue | Gap |
|-----------|------------------------|-----|
| Digest match | `_sha256_short` comparisons on mirrored files | Not OCI/Sigstore; a prefix digest trades collision margin for brevity, so compare the full digest wherever the row gates a claim |
| Builder identity | Worker `whoami` / keyed lanes (MidnightEclipse) when configured | Not OIDC federation proof |
| Expectations | `require_mirror` / gate policy | Manual policy, not policy-as-code engine |
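The "verify, not just generate" lesson from this table and from murder-board rows 2, 10 and 11, as an added example (not the vault's mirror code). Assumptions: the vault root and the `public_lab` mirror are two directory trees and the published slice is every regular file under the root; `SIM-PUBLIC-LAB-*` is the id family the page names, the suffixes `PRESENT` / `MISSING` / `DRIFT` / `STALE` / `PARITY` are invented; `export_public_lab` is a stand-in for the real export script. It compares full SHA-256 digests rather than a short prefix, emits one check row per file so drift is named rather than summarized, treats a missing mirror as `SKIP` unless `require_mirror` makes it `FAIL` (the `--mirror-required` expectation), and plays E2 end to end: stale until export, then parity.

```python
"""Mirror parity as verification of a promoted slice.

Added example, not the vault's own code. Directory layout, export stand-in and
the SIM-PUBLIC-LAB-* suffixes are assumptions."""
from __future__ import annotations
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict[str, str]:
    """Relative POSIX path -> full sha256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_mirror(vault: Path, mirror: Path, require_mirror: bool = False) -> list[dict]:
    """One row per file. Missing mirror is SKIP, or FAIL when the expectation is set."""
    if not mirror.is_dir():
        return [{"id": "SIM-PUBLIC-LAB-PRESENT",
                 "status": "FAIL" if require_mirror else "SKIP",
                 "reason": f"mirror root missing: {mirror}"}]
    want, have = tree_digests(vault), tree_digests(mirror)
    rows = []
    for rel, digest in want.items():
        if rel not in have:
            rows.append({"id": f"SIM-PUBLIC-LAB-MISSING:{rel}", "status": "FAIL",
                         "reason": "in vault, never exported"})
        elif have[rel] != digest:  # full-digest equality, not a prefix
            rows.append({"id": f"SIM-PUBLIC-LAB-DRIFT:{rel}", "status": "FAIL",
                         "reason": f"vault {digest[:12]} != mirror {have[rel][:12]}"})
        else:
            rows.append({"id": f"SIM-PUBLIC-LAB-PARITY:{rel}", "status": "PASS"})
    for rel in sorted(have.keys() - want.keys()):
        rows.append({"id": f"SIM-PUBLIC-LAB-STALE:{rel}", "status": "FAIL",
                     "reason": "in mirror but no longer in vault"})
    return rows


def phase_outcome(rows: list[dict]) -> str:
    """Any FAIL fails the phase; only-SKIP rows skip it; nothing compared is not a pass."""
    if not rows:
        return "SKIP"
    statuses = {r["status"] for r in rows}
    if "FAIL" in statuses:
        return "FAIL"
    return "SKIP" if statuses == {"SKIP"} else "PASS"


def export_public_lab(vault: Path, mirror: Path) -> None:
    """Stand-in for the export step: republish the whole slice."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(vault, mirror)


def demo() -> dict:
    """E2: stale public_lab fails until export runs, then parity passes."""
    with tempfile.TemporaryDirectory() as td:
        vault, mirror = Path(td, "vault"), Path(td, "public_lab")
        vault.mkdir()
        (vault / "README.md").write_text("v2\n")
        (vault / "notes.md").write_text("n\n")
        before_export = phase_outcome(check_mirror(vault, mirror))
        gated = phase_outcome(check_mirror(vault, mirror, require_mirror=True))
        export_public_lab(vault, mirror)
        (vault / "README.md").write_text("v3\n")  # edit after export: mirror is now stale
        drifted = [r["id"] for r in check_mirror(vault, mirror) if r["status"] == "FAIL"]
        export_public_lab(vault, mirror)
        after_export = phase_outcome(check_mirror(vault, mirror))
        return {"before_export": before_export, "gated": gated,
                "drifted": drifted, "after_export": after_export}


if __name__ == "__main__":
    print(demo())
```

The ordering in `demo` is why the gauntlet runs export before the vault mirror checks: checking parity first and exporting afterwards would report drift that the same run then silently repairs, which is the stale-slice failure mode in another costume.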

---

## E. Proof experiments (concrete, bounty-grade)

| ID | Experiment | Pass criterion | Primary artifact |
|----|------------|----------------|------------------|
| E1 | Default gauntlet on clean tree | `outcome: PASS` | `storm_into_midnight.py` JSON |
| E2 | Deliberately stale `public_lab` | vault phase FAIL until export PASS | WORLDLINE narrative |
| E3 | `--state-actor-gate` with `--skip-host` | gate FAIL (host skipped = blind spot) | JSON `claim_gates` |
| E4 | Wake profile on live Worker | wake summary shows variance / profiles measured | JSON `phases.wake` |
| E5 | Organa scope triad | `git` vs `staged` vs `full` documented with runtime cost notes | TESTING + run logs |
| E6 | MidnightEclipse `--grandmaster` alone | baseline edge JSON PASS | `midnight_eclipse.py` |
| E7 | `git_health_track` forced interesting repo | JSON `ok` reflects known signals | `scripts/git_health_track.py` |
| E8 | Mirror mismatch injection | SIM-PUBLIC-LAB-* FAIL rows | unittest harness or manual |
| E9 | Tier C controlled exercise | findings cross-linked, not conflated with Storm PASS | RED_TEAM_PROTOCOL |
| E10 | BOOK DOI pins for SM-B1 / standards | BOOK §1 rows cite versioned anchors | BOOK.md |

---

## F. Global cultivator survey (external references — pin in BOOK)

| Lane | Reference | URL |
|------|-----------|-----|
| SSDF | NIST SP 800-218 | https://doi.org/10.6028/NIST.SP.800-218 |
| SSDF hub | CSRC SSDF | https://csrc.nist.gov/Projects/SSDF |
| ASVS | OWASP ASVS project | https://owasp.org/www-project-application-security-verification-standard/ |
| ASVS usage | Using ASVS (GitHub) | https://github.com/OWASP/ASVS/blob/master/4.0/en/0x03-Using-ASVS.md |
| Pipeline | OWASP SPVS | https://owasp.org/www-project-spvs/ |
| SPVS guide | How to use SPVS | https://github.com/OWASP/www-project-spvs/blob/main/1.0/OWASP_SPVS_1.0_How_To_Use_SPVS.md |
| Supply chain | SLSA | https://slsa.dev/ |
| Verification | SLSA verifying artifacts | https://slsa.dev/spec/v1.1/verifying-artifacts |
| Edge code | Worker README (vault) | [08 worker README](../08_Project_Astronomicon/u_os_dev/worker/README.md) |

---

## G. Adoption priority

| Horizon | Action |
|---------|--------|
| **NOW** | Treat **no-args gauntlet** as the default honesty ritual; log non-trivial FAILs in WORLDLINE with JSON path. |
| **NOW** | Keep **`infrastructure_suite.json`** accurate when phases/flags change (`--print-suite-manifest`). |
| **NEXT** | Optional: emit `benchmark_apex_form` path in Storm JSON summary (manifest already lists it for `--print-suite-manifest`). |
| **NEXT** | BOOK §1: pin **versioned** ASVS / SSDF citations (DOI + retrieval date). |
| **NEXT** | Map **one** OWASP CI/CD Top 10 risk to a concrete Storm/CI check (explicit owner). |
| **LATER** | Optional **SLSA-style** attestation for `public_lab` exports (only if edge consumers need it). |
| **LATER** | SPVS Level-2-style **policy-as-code** gate in CI (separate from Storm local default). |

---

## H. Assessment (FORM closure)

StormIntoMidnight is the vault’s **methodology for not lying about composition**: it forces **edge, host, vault, and infra evidence** to appear in **one JSON transcript**, names **skips**, and separates **laptop gauntlet** from **state-actor claim gate**. External frameworks (SSDF, ASVS, SPVS, SLSA) are **north stars** for vocabulary and coverage — the **FORM figure** is the comparison; the **run JSON** is the measurement.

If the measurement is not logged, the methodology does not exist — only theater does. Keep BOOK citations versioned and WORLDLINE breakthroughs tied to **paths + commands**, not vibes.

---

## Appendix I — Lane → script → external idea (dense map)

| Lane | Entry | Primary scripts / surfaces | External idea touched |
|------|--------|---------------------------|------------------------|
| Preflight | default gauntlet | `suite/tests/test_storm_into_midnight.py`, `py_compile` Organa | SSDF **PW** test/analysis; ASVS “continuous tooling” |
| refresh_public_lab | default gauntlet | `08_.../export_script.py` | SPVS **Integrate/Release**; SLSA “artifact promotion” (weak analogue) |
| edge | optional | `MidnightEclipse/midnight_eclipse.py --grandmaster` | ASVS Ch.V* verification classes (representative, not exhaustive) |
| wake | `--wake-profile` | HTTP `/` + `/mirror` | ASVS **hybrid** / observer-class behavior |
| vault | default | daemon json, `_VAULT_STATE.md`, `public_lab` hashes | SSDF **Protect/Produce** integrity checks (subset) |
| host | not gauntlet default | `warp_storm_full_stack.py` | SPVS **Operate**/stack; Cerberus doctrine |
| local_infra | gauntlet | `vault-lint.py`, `git_health_track.py` | SSDF **PW/PO**; SPVS **Develop/Integrate** |

---

## Appendix J — Flag cheat sheet (single table; README remains normative)

| Flag / mode | Effect |
|---------------|--------|
| *(no args)* | `--gauntlet --json` injected |
| `--lab-smokes` | Preflight only; exits early |
| `--gauntlet` | Equivalent to the no-args default once `--json` is also given (no args injects both) |
| `--skip-edge` / base URL missing | Edge `SKIP` with reason |
| `--skip-host` | Host `SKIP` (gate fails if gate requested) |
| `--skip-vault` | Vault `SKIP` |
| `--refresh-public-lab` | Export before vault (also on gauntlet) |
| `--mirror-required` | Stricter vault mirror |
| `--local-infra` | Organa + git health (also on gauntlet) |
| `--organa-scope` | `git` / `staged` / `full` |
| `--state-actor-gate` | Policy object; fails on blind spots |
| `--wake-profile` | Wake harness phase |
| `--print-suite-manifest` | Prints `infrastructure_suite.json` |

---

*FORM generates figures: Fig. 1–2 above. When this file changes, `scripts/form_gate.py` refreshes [`FORM_REGISTRY.json`](../FORM_REGISTRY.json) on the next Organa pass.*
