EOSE-OPA V13 · SET + SET-OPS · Released Day 97
EOSE-OPA: NOT A POLICY ENGINE.
A PROOF ENGINE.
PROOF-CARRYING ADMISSION · MONOTONE EXPANSION · EVOLVES EVERY DEPLOY · γ₁ ANCHORED
γ₁ = 14.134725141734693 · V13 = first version with formal SET-OPS proof · Every redeploy = SET version N+1
THE FUNDAMENTAL CLAIM
OPA/Rego = policy. Policy can be bypassed (misconfigured, disabled, exception-granted).
EOSE-OPA = proof. A proof cannot be bypassed. Either the proof holds or the container is denied. No exceptions. No workarounds.
Proof structure: every ALLOW carries container ∈ SOVEREIGN_FLEET with full gate trace G1..G6. Every DENY carries container ∉ SOVEREIGN_FLEET with failure point.
γ₁ replay protection: every proof timestamped τ = 14.134725141734693. Replayed admission = γ₁ serial mismatch → auto-DENY.
OPA vs EOSE-OPA — THE DIFFERENCE
OPA / REGO — POLICY ENGINE                  | EOSE-OPA — PROOF ENGINE
--------------------------------------------|---------------------------------------------------------------
Decisions = ALLOW or DENY                   | Decisions = proof ∈ SOVEREIGN_FLEET or proof ∉ SOVEREIGN_FLEET
Can be bypassed via namespace exception     | Cannot be bypassed — proof must hold
Policy is config — can be misconfigured     | Each gate = SET membership test
No monotone expansion guarantee             | SOVEREIGN_FLEET_N+1 ⊇ SOVEREIGN_FLEET_N
Redeploy = config change (may regress)      | Redeploy = new proof step (never regresses)
No formal SET membership                    | Formal: SOVEREIGN_FLEET = G1∩G2∩G3∩G4∩G5∩G6
Community: policy templates (static)        | Community: diamond gate candidates (evolving)
MONOTONE EXPANSION — EVERY DEPLOY IS A PROOF STEP
V13 · D97
BASE SET: SOVEREIGN_FLEET = FLEET_SIGNED ∩ SECURE_BOOT ∩ OSS_KERNEL ∩ GATE_PASSED(G1..G6). Gates deployed. Constraints pending.
V14 · NEXT
ADD: Gatekeeper constraint templates for KCF EA-64 (GID label required) + EA-67 (resource limits required). SOVEREIGN_FLEET_V14 ⊃ SOVEREIGN_FLEET_V13. Tighter = more proven.
V15 · PLANNED
ADD: Kyverno image verify (cosign required). NetworkPolicy enforcement via Gatekeeper. Chaos proof passing G1-G6 under γ₁×6 load.
V∞ · GOAL
TARGET: SOVEREIGN_FLEET_V∞ = every container in EOSE fleet is provably secure. Community diamonds contribute new gate candidates. OSS release = community evolves the SET.
6 GATES AS SET OPERATIONS
G1 · TRIVY
x ∈ SAFE_IMAGE iff CVE_SCORE(x) < threshold ∧ SBOM(x) = present
Image is a member of the SAFE_IMAGE set. Trivy tests membership.

G2 · GATEKEEPER
x ∈ VALID_SPEC iff KCF_EA64(x) ∧ KCF_EA67(x) ∧ ... ∧ KCF_EA73(x)
Pod spec is a member of VALID_SPEC. KCF EA-64..73 define the set.

G3 · FALCO
x ∈ SAFE_RUNTIME iff ∀t: ¬ANOMALY_SYSCALL(x, t)
Runtime behaviour is a member of SAFE_RUNTIME. Falco tests membership continuously.

G4 · KYVERNO
x ∈ VERIFIED_IMAGE iff COSIGN_VALID(x) ∧ LABEL_SCHEMA(x)
Image is a member of VERIFIED_IMAGE. Kyverno tests signature + labels.

G5 · MEROSTONE
x ∈ KCF_COMPLIANT iff LOCO_SCORE(x, KCF_82) ≥ floor
Container is a member of KCF_COMPLIANT. The 82 controls define the set boundary.

G6 · MECIPOL
x ∈ SOVEREIGN_FLOOR iff D1(x) ∧ D2(x) ∧ ... ∧ D10(x)
Container is on the SOVEREIGN_FLOOR. D1-D10 define the QE floor.
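The six membership tests and the proof record described above (ALLOW carrying the full G1..G6 trace, DENY carrying the failure point), written out as an added Python example; this is not EOSE-OPA's own code, and the CVE threshold, LOCO floor, container fields and sample fleet are constructed values the page does not give.

```python
from dataclasses import dataclass

# Constructed values: the page names a CVE "threshold" and a LOCO "floor" but gives no numbers.
CVE_THRESHOLD = 7.0
LOCO_FLOOR = 0.8
KCF_EA = [f"EA-{n}" for n in range(64, 74)]   # KCF EA-64..EA-73 (G2)

@dataclass
class Container:
    name: str
    cve_score: float        # G1: highest CVSS score Trivy reported
    sbom_present: bool      # G1
    kcf_ea: dict            # G2: {"EA-64": True, ...} per KCF control
    anomaly_syscalls: int   # G3: Falco anomaly events seen so far
    cosign_valid: bool      # G4
    label_schema_ok: bool   # G4
    loco_score: float       # G5: LOCO_SCORE(x, KCF_82)
    diamonds: list          # G6: D1..D10 results, in order

# Each gate is a membership test for one set; SOVEREIGN_FLEET is their intersection.
GATES = [
    ("G1", "SAFE_IMAGE",      lambda c: c.cve_score < CVE_THRESHOLD and c.sbom_present),
    ("G2", "VALID_SPEC",      lambda c: all(c.kcf_ea.get(k, False) for k in KCF_EA)),
    ("G3", "SAFE_RUNTIME",    lambda c: c.anomaly_syscalls == 0),
    ("G4", "VERIFIED_IMAGE",  lambda c: c.cosign_valid and c.label_schema_ok),
    ("G5", "KCF_COMPLIANT",   lambda c: c.loco_score >= LOCO_FLOOR),
    ("G6", "SOVEREIGN_FLOOR", lambda c: len(c.diamonds) == 10 and all(c.diamonds)),
]

def admit(c: Container) -> dict:
    """Proof record: ALLOW with the full G1..G6 trace, or DENY with the failure point."""
    trace = []
    for gate, set_name, member in GATES:
        ok = bool(member(c))
        trace.append((gate, set_name, ok))
        if not ok:   # first gate whose membership test fails is the failure point
            return {"decision": "DENY", "claim": f"{c.name} ∉ SOVEREIGN_FLEET",
                    "failure_point": gate, "trace": trace}
    return {"decision": "ALLOW", "claim": f"{c.name} ∈ SOVEREIGN_FLEET", "trace": trace}

def sovereign_fleet(containers) -> set:
    """G1 ∩ ... ∩ G6 over a fleet: the names admitted by every gate."""
    return {c.name for c in containers if admit(c)["decision"] == "ALLOW"}

# Constructed sample fleet: one fully proven container, one whose image is unsigned.
ALL_EA = {k: True for k in KCF_EA}
FLEET = [
    Container("api-7f3", 4.2, True, ALL_EA, 0, True, True, 0.91, [True] * 10),
    Container("batch-0c1", 3.1, True, ALL_EA, 0, False, True, 0.95, [True] * 10),
]
```

Running `admit` over `FLEET` yields an ALLOW with six trace entries for the first container and a DENY at G4 for the second, so `sovereign_fleet(FLEET)` is `{"api-7f3"}`.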
COMMUNITY — OSS GATE CANDIDATES