
fix: remove ScopeBlind content identified as credential laundering #1498

Merged
imran-siddique merged 1 commit into microsoft:main from imran-siddique:remove-scopeblind-content
Apr 27, 2026

@imran-siddique
Member

Summary

Remove all ScopeBlind/tomjwxf content after contributor governance tools flagged the account as HIGH risk for credential laundering.

Evidence

AGT's own governance scripts identified:

Removed Content (33 files, 5,544 lines)

  • scopeblind-protect-mcp integration package (adapter, tests, config)
  • sb-runtime-skill integration package (skill, receipts, CLI, tests)
  • 3 example directories (protect-mcp-governed, sb-runtime-governed, physical-attestation-governed)
  • protect_mcp_governed.py quickstart
  • Tutorial 33 (offline verifiable receipts)
  • sb-runtime.md integration docs
  • References in CHANGELOG, tutorials/README, docs/index, INDEPENDENCE, policy-validation workflow

Tracking Issues

Separate issues will be filed for genuinely valuable concepts to be reimplemented:

  • Offline verifiable decision receipts (Ed25519 + JCS)
  • Physical/IoT attestation governance
  • MCP tool-call receipt signing

Remove all content contributed by tomjwxf (ScopeBlind) after AGT's
contributor governance tools flagged the account as HIGH risk for
credential laundering: 8 merged PRs were used to spray 26+ repos
with credential citations within days of merge.

Removed:
- scopeblind-protect-mcp integration package
- sb-runtime-skill integration package
- protect-mcp-governed, sb-runtime-governed, physical-attestation-governed examples
- protect_mcp_governed.py quickstart
- Tutorial 33 (offline verifiable receipts)
- sb-runtime integration docs
- References in CHANGELOG, tutorials/README, docs/index, INDEPENDENCE

Tracking issues will be filed for any genuinely valuable concepts
(offline receipts, physical attestation) to be reimplemented properly.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@imran-siddique imran-siddique merged commit 030644f into microsoft:main Apr 27, 2026
24 of 28 checks passed
@imran-siddique imran-siddique deleted the remove-scopeblind-content branch April 27, 2026 03:17
@github-actions github-actions Bot added the documentation, dependencies, tests, scripts/ci/cd and size/XL labels Apr 27, 2026

@github-actions github-actions Bot left a comment


🤖 AI Agent: code-reviewer

Review Summary

This pull request removes all content related to the ScopeBlind and sb-runtime integration packages due to concerns about credential laundering flagged by AGT's governance tools. The PR deletes 33 files and removes references to the affected content across the repository. While the removal is justified given the high-risk assessment, the changes introduce potential breaking changes and require careful review to ensure no residual dependencies or references remain.


🔴 CRITICAL

  1. Residual References to Removed Content:

    • Ensure that all references to the removed ScopeBlind and sb-runtime content are eliminated. Any lingering references could lead to runtime errors or security vulnerabilities.
    • Action: Perform a repository-wide search for terms like ScopeBlind, sb-runtime, Veritas Acta, and protect-mcp to confirm no residual references exist.
  2. Potential Credential Exposure:

    • The PR does not explicitly confirm whether any credentials or sensitive data were exposed in the removed files. The sb_runtime_agentmesh/receipts.py file contains cryptographic operations and key management logic, which could potentially have been exploited.
    • Action: Conduct a forensic review of the removed files to ensure no sensitive data or exploitable logic remains in the repository history. If necessary, consider rewriting the Git history to remove sensitive information.
  3. Cryptographic Operations:

    • The removed sb_runtime_agentmesh/receipts.py file contains cryptographic operations, including Ed25519 signing and receipt verification. If these operations were compromised or implemented insecurely, it could have led to security bypasses.
    • Action: Review the cryptographic logic in the removed files to identify any potential vulnerabilities or misuse of cryptographic primitives.

🟡 WARNING

  1. Breaking Changes:

    • The removal of the sb-runtime-skill and related integrations constitutes a breaking change for any users relying on this functionality.
    • Action: Clearly document this breaking change in the release notes and communicate it to users. Consider providing migration guidance or alternatives for affected use cases.
  2. Backward Compatibility:

    • The removal of the sb-runtime-skill package and its associated CLI (sb-runtime-governance) may break workflows or scripts that depend on these components.
    • Action: Update the documentation and release notes to highlight the removal of these components and suggest alternative solutions if available.

💡 SUGGESTIONS

  1. Reimplementation of Valuable Concepts:

    • The PR mentions plans to reimplement valuable concepts like offline verifiable decision receipts and physical/IoT attestation governance. These features are critical for security and compliance.
    • Action: Prioritize the reimplementation of these features and ensure they are designed with robust security practices.
  2. Enhanced Contributor Vetting:

    • The issues with ScopeBlind highlight the need for stricter contributor vetting processes.
    • Action: Enhance the contributor governance process to include automated checks for credential laundering and other high-risk behaviors. Consider implementing a pre-merge review process for contributions from new or high-risk contributors.
  3. Policy Validation Workflow:

    • The policy-validation.yml workflow was updated to exclude the physical-attestation-governed/ directory. Ensure that this exclusion does not unintentionally skip other critical policy validations.
    • Action: Review the workflow logic to confirm that it still covers all necessary policy files.
  4. Documentation Updates:

    • The PR removes several documentation files and references. Ensure that the remaining documentation is updated to reflect the removal of the sb-runtime integration.
    • Action: Update the README.md, docs/index.md, and any other relevant documentation to remove references to the deleted content.
  5. Testing:

    • The removal of the sb-runtime-skill package may impact test coverage. Ensure that all tests related to the removed content are also deleted or updated.
    • Action: Run the test suite to confirm that no residual tests fail due to the removal of the sb-runtime integration.

Final Notes

The removal of the ScopeBlind and sb-runtime content is a significant change that addresses a critical security concern. However, it introduces potential breaking changes and requires careful follow-up to ensure no residual dependencies or vulnerabilities remain. Prioritize the reimplementation of valuable features and enhance contributor governance to prevent similar issues in the future.

@github-actions

🤖 AI Agent: security-scanner — Security Analysis of PR: Removal of ScopeBlind Content


This pull request removes all content related to ScopeBlind and its associated sb-runtime integration due to governance tools identifying the contributor as HIGH risk for credential laundering. The removed content includes integration packages, examples, tutorials, and documentation.


Findings

1. Prompt Injection Defense Bypass

  • Risk: No evidence of prompt injection vulnerabilities in the removed content. The sb-runtime integration primarily focused on policy evaluation and signed decision receipts, which are not directly related to prompt injection.
  • Rating: 🔵 LOW
  • Action: No further action needed.

2. Policy Engine Circumvention

  • Risk: The sb-runtime integration provided a governance skill that evaluated policies and emitted signed decision receipts. If this feature was compromised, it could allow attackers to bypass policy enforcement by forging receipts or manipulating policy evaluation.
  • Rating: 🟠 HIGH
  • Attack Vector: If the sb-runtime integration was malicious or contained backdoors, it could emit forged receipts that falsely indicated compliance with policies.
  • Action: The removal of this integration mitigates the risk. Ensure that any reimplementation of similar functionality undergoes rigorous security reviews.

3. Trust Chain Weaknesses

  • Risk: The sb-runtime integration relied on Ed25519 signatures for decision receipts. While cryptographically secure, the trustworthiness of the implementation depends on the integrity of the sb-runtime library and its key management.
  • Rating: 🟠 HIGH
  • Attack Vector: If the sb-runtime library or its key management was compromised, attackers could forge receipts or manipulate the trust chain.
  • Action: Removal of the integration addresses this risk. Any future implementation should use a well-audited cryptographic library and enforce strict key management practices.

4. Credential Exposure

  • Risk: The removed content included examples and CLI tools for generating and managing Ed25519 keys. If these tools logged sensitive information (e.g., private keys), it could lead to credential exposure.
  • Rating: 🟡 MEDIUM
  • Attack Vector: Private keys generated or managed by the sb-runtime CLI could be inadvertently exposed through logs or improper file permissions.
  • Action: Verify that no residual sensitive information (e.g., private keys) remains in the repository or logs.

5. Sandbox Escape

  • Risk: The sb-runtime integration supported multiple sandbox backends (nono, openshell, etc.). If improperly configured, these sandboxes could be bypassed, allowing malicious agents to escape containment.
  • Rating: 🟠 HIGH
  • Attack Vector: A misconfigured or compromised sandbox backend could allow agents to execute unauthorized actions outside the intended security boundary.
  • Action: The removal of this integration mitigates the risk. Future implementations should enforce strict sandboxing and isolation mechanisms.

6. Deserialization Attacks

  • Risk: The sb-runtime integration used JSON for decision receipts. While JSON is generally safer than formats like pickle, improper handling of untrusted input could lead to deserialization vulnerabilities.
  • Rating: 🟡 MEDIUM
  • Attack Vector: If the integration processed untrusted JSON receipts without validation, it could lead to code execution or data manipulation.
  • Action: Ensure that any future implementation validates and sanitizes all input data.

7. Race Conditions

  • Risk: The sb-runtime integration supported receipt chaining (previousReceiptHash). If not implemented correctly, this feature could be vulnerable to time-of-check-to-time-of-use (TOCTOU) race conditions.
  • Rating: 🟡 MEDIUM
  • Attack Vector: An attacker could exploit timing gaps between policy evaluation and receipt issuance to bypass enforcement.
  • Action: Removal of the integration mitigates this risk. Future implementations should ensure atomic operations for policy evaluation and receipt issuance.

8. Supply Chain Risks

  • Risk: The sb-runtime integration depended on external libraries (pyyaml, cryptography, etc.). If these dependencies were compromised (e.g., through dependency confusion or typosquatting), it could introduce vulnerabilities.
  • Rating: 🔴 CRITICAL
  • Attack Vector: A malicious version of a dependency could execute arbitrary code or exfiltrate sensitive data during runtime.
  • Action: Removal of the integration addresses this risk. Future implementations should pin dependencies to specific, audited versions and use tools like pip-audit to detect vulnerabilities.

Recommendations

  1. Audit Remaining Code: Ensure that no residual references to sb-runtime or ScopeBlind remain in the repository.
  2. Reimplement Critical Features: Features like offline verifiable decision receipts and physical/IoT attestation governance should be reimplemented with a focus on security and transparency.
  3. Dependency Management: Use dependency scanning tools to identify and mitigate supply chain risks in the remaining codebase.
  4. Key Management: Implement robust key management practices for any cryptographic operations in future integrations.
  5. Sandboxing: Enforce strict sandboxing and isolation mechanisms for agent execution.

Conclusion

The removal of ScopeBlind content significantly reduces the attack surface of the repository. However, the features provided by the sb-runtime integration (e.g., signed decision receipts) are valuable and should be reimplemented with a focus on security and compliance.
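
Both automated reviews above ask for a repository-wide search for leftover references. The sketch below is an added example, not part of the pull request or the project's code: it scans file contents and path names for the terms the reviewer lists, matching `-`, `_` and space interchangeably so that `sb-runtime` also finds `sb_runtime_agentmesh`. The function names, skip list and sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Terms from the review comment; '-', '_' and ' ' inside a term match interchangeably.
TERMS = ["ScopeBlind", "sb-runtime", "Veritas Acta", "protect-mcp"]
SKIP_DIRS = {".git", "node_modules", "__pycache__"}

def term_pattern(terms):
    """One case-insensitive regex covering every term and its separator variants."""
    alts = ["[-_ ]?".join(re.escape(p) for p in re.split(r"[-_ ]+", t)) for t in terms]
    return re.compile("|".join(alts), re.IGNORECASE)

def find_residual_references(root, terms=TERMS):
    """Return sorted (relative_path, line_no, match) hits; line_no 0 is a path-name hit."""
    pattern, hits = term_pattern(terms), []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hits += [(rel, 0, m.group(0)) for m in pattern.finditer(name)]
            if not os.path.isfile(full):
                continue  # directories only get the name check
            with open(full, "rb") as fh:
                data = fh.read()
            if b"\0" not in data:  # contents of binary files are not scanned
                for no, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
                    hits += [(rel, no, m.group(0)) for m in pattern.finditer(line)]
    return sorted(hits)

def build_sample_repo(root):
    """Constructed sample tree (not the real repository) with leftover references."""
    files = {
        "docs/index.md": "# Docs\n- [sb-runtime integration](integrations/sb-runtime.md)\n",
        "examples/protect_mcp_governed.py": "print('quickstart')\n",
        "tests/test_imports.py": "import sb_runtime_agentmesh.receipts\n",
        "README.md": "Agent governance toolkit\n",
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        print(*find_residual_references(tmp), sep="\n")
```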

@tomjwxf
Contributor

tomjwxf commented Apr 30, 2026

For the record, I dispute the allegations and imputations made, including those concerning me, my business ScopeBlind, and my work.

For at least the following reason: the "credibility laundering" for "tomjwxf (ScopeBlind)" at bb0745d and the updated #1498 "credential laundering" claims expressly rely on "feat: ScopeBlind protect-mcp integration — Cedar policy enforcement + verifiable receipts #667" as the "credential proof." Citing my own publicly accepted work is not "laundering".

I also do not consent to: "Separate issues will be filed for genuinely valuable concepts to be reimplemented:
Offline verifiable decision receipts (Ed25519 + JCS)
Physical/IoT attestation governance
MCP tool-call receipt signing"

Or any of my "genuinely valuable" work being "reimplemented" uncredited in at least the following #1499 #1500 #1501 #1505 republications "referenc[ing]" this public commit.

I have served Concerns Notice and Preservation Notice correspondence concerning these publications and related records. I reserve all rights and will not engage further substantively in this thread pending the private process.

imran-siddique added a commit to imran-siddique/agent-governance-toolkit that referenced this pull request May 4, 2026
…icrosoft#1498)
