json
Full-loop JSON
Target reader: reviewer or website data loader.
Open artifact ->Reviewer evidence bay
Reviewer artifacts.Each card keeps its own ceiling.
Filter the evidence by family. Every card routes reviewers to the receipt and states what it supports and what it does not prove. Website cards are not the evidence.
Receipts, not vibes
This is a receipt room: every artifact carries its own ceiling, a supports / does-not-prove split, and a route to the evidence. Private evidence is excluded and website rendering is not proof.
Artifact Receipt Wall
Receipts first. Claims second. Rendering last.
Every artifact card is a reviewer route: what it supports, what it does not prove, where it lives, and how it connects to the source-validation-proof chain.
- 01artifact
- 02source
- 03validation
- 04platform contract
- 05proof record
- 06Hoxline claim gate
- 07website render
Public ProofHO-DET-001 Proof Record
A public proof record exists with a stated ceiling, blocked promotions, and a path back to source and validation.
Runtime activation, signal observation, fleet scope, or external-use authorization.Public renderingWebsite Rendering Is Not ProofThe public website owns presentation only and routes reviewers to evidence and proof records.
Runtime, signal, or evidence claims that live in their own repositories and gates.Public ProofHO-DET-001 Case FileThe bounded scope of controlled-test validation status against an explicit promotion gate list.
Runtime or signal authority outside the controlled-test path.Public ProofAWS-DET-001 Proof RecordAWS-DET-001 passed fixture-only validation against controlled CloudTrail-style IAM denial fixtures.
AWS-live, CloudTrail live, cloud runtime-active, signal-observed, or public-safe runtime proof.Runtime TruthHO-DET-001 Private Runtime BoundaryOnly that the public card routes reviewers to a blocked private/internal boundary, not to a public runtime fact.
Runtime-active deployment, public-safe runtime proof, fleet-wide coverage, Cribl-routed telemetry, Wazuh-routed public proof, AWS-live status, or live Splunk fired as public proof.Evidence TruthPrivate Marker Delivery BoundaryOnly that the public card routes reviewers to a blocked private/internal boundary, not to a public Splunk or Cribl fact.
HO-DET-001/Sysmon telemetry is Cribl-routed, Cribl-routed telemetry for production or fleet scope, Wazuh-routed public proof, live Splunk fired as public proof, or any change to the public proof ceiling.Validation TruthValidation Report — Controlled-Test ScopeA bounded test path passed inside its declared scope.
Runtime activity, public signal, or external-use approval.Validation TruthHO-DET-012 Controlled Validation / Runtime BoundaryHO-DET-012 has a controlled-test validation package, a proof record, and a bounded public summary with raw evidence kept private.
Runtime-active public proof, signal-observed proof, scheduled-task coverage completeness, production deployment, or public-safe runtime proof.Telemetry route boundaryHO-PIPE-001 Telemetry Route BoundaryHO-PIPE-001 is represented in the public detection map as a source-existing telemetry route boundary with validation planned.
Live route validation, Cribl reduction proof, runtime-active public proof, public-safe proof, or production telemetry routing.Evidence Bay
Receipts live here. Claims do not get to float free.
Artifact cards route reviewers from public rendering back to source, validation, proof, and authority surfaces. The wall is searchable by family and keeps proof ceilings attached.
proof-recordHO-DET-001 Proof Record
Public Proof
CONTROLLED_TEST_VALIDATEDgovernanceWebsite Rendering Is Not ProofPublic rendering
rendering/reference boundarycase-studyHO-DET-001 Case FilePublic Proof
CONTROLLED_TEST_VALIDATEDproof-recordAWS-DET-001 Proof RecordPublic Proof
CONTROLLED_TEST_VALIDATEDproof-recordHO-DET-001 Private Runtime BoundaryRuntime Truth
CONTROLLED_TEST_VALIDATEDproof-recordPrivate Marker Delivery BoundaryEvidence Truth
CONTROLLED_TEST_VALIDATEDvalidationValidation Report — Controlled-Test ScopeValidation Truth
CONTROLLED_TEST_VALIDATEDvalidationHO-DET-012 Controlled Validation / Runtime BoundaryValidation Truth
CONTROLLED_TEST_VALIDATEDarchitectureHO-PIPE-001 Telemetry Route BoundaryTelemetry route boundary
SOURCE_EXISTS_VALIDATION_PLANNEDarchitectureHO-NDR-001 Security Onion Visibility ContractNDR visibility contract
BOUNDARY_CONTRACT_ONLYpublic-packetProof Loop Reviewer Brief / Review ZIP StandardReviewer packet
REVIEWER_PACKET_STANDARDarchitectureDetection Factory / Validation Factory ControllerGoverned control plane
CONTROL_PLANE_STRUCTUREgovernanceHO-LAB-AUTO / Support-only AI Triage BoundaryAI support boundary
SUPPORT_ONLY_AIgovernanceClaim FirewallPublic claim boundary
rendering/reference boundaryci-verifierBlocked-Claim CI ScannerPublic claim boundary
rendering/reference boundaryarchitectureTruth Surface ModelSystem architecture
rendering/reference boundaryarchitectureRepository Authority MapSystem architecture
rendering/reference boundarygovernanceControl Status MatrixGovernance routing
rendering/reference boundaryartifactsourcevalidationproofwebsite render
Hoxline reviewer outputs
Gauntlet v0 adds an output wall to the evidence bay.
The generated JSON, Markdown, and runner docs help reviewers inspect HO-DET-001 loop state. They are rendered as artifacts, not as stronger proof or public-safe promotion.
generated_outputs_chart
Output artifact wall
Reviewer-readable outputs are surfaced as artifacts. They are routes to inspect, not proof promotion.
JSON: 1Markdown: 1Schema: 2
build_timeline
Reviewer path from source to gated claims
Tap a node to inspect what exists today and what remains gated.
manifest
HO-DET-001 controlled demo packaging
Controlled demo artifacts and reviewer entry points were packaged.
Reviewer paths
Pick where to start.
The same evidence bay reads differently depending on who is inspecting. Choose a lens; the route stays inside surfaces that already exist.
New high-ROI reviewer receipts
Start with the newest bounded receipts, then inspect the full bay.
These cards surface the newest reviewer routes first. They still keep source route, support, does-not-prove, and proof-boundary notes attached to each artifact.
Control Plane & Workflow
Source-backed receipts that expose the detection-to-validation-to-proof workflow structure reviewers can inspect.
Detection Factory / Validation Factory Controller
Governed control planeCONTROL_PLANE_STRUCTURE
- Supports
- A bounded controller pattern exists for status and plan packets across detection, validation, and proof workflow structure.
- Does not prove
- Every detection is validated, runtime execution occurred, signal observation happened, autonomous SOC authority exists, or AI approved anything.
Validation & Proof Boundary
Receipts that keep controlled validation, runtime boundaries, and reviewer packets separated from proof promotion.
HO-DET-012 Controlled Validation / Runtime Boundary
Validation TruthCONTROLLED_TEST_VALIDATED
- Supports
- HO-DET-012 has a controlled-test validation package, a proof record, and a bounded public summary with raw evidence kept private.
- Does not prove
- Runtime-active public proof, signal-observed proof, scheduled-task coverage completeness, production deployment, or public-safe runtime proof.
Proof Loop Reviewer Brief / Review ZIP Standard
Reviewer packetREVIEWER_PACKET_STANDARD
- Supports
- A reviewer packet route and inspection standard exist for bounded proof review.
- Does not prove
- Runtime truth, public-safe truth, production readiness, customer validation, or SOCaaS maturity.
Telemetry & AI Boundary
Boundary cards for telemetry routes, NDR visibility contracts, and support-only AI triage authority.
HO-PIPE-001 Telemetry Route Boundary
Telemetry route boundarySOURCE_EXISTS_VALIDATION_PLANNED
- Supports
- HO-PIPE-001 is represented in the public detection map as a source-existing telemetry route boundary with validation planned.
- Does not prove
- Live route validation, Cribl reduction proof, runtime-active public proof, public-safe proof, or production telemetry routing.
HO-NDR-001 Security Onion Visibility Contract
NDR visibility contractBOUNDARY_CONTRACT_ONLY
- Supports
- HO-NDR-001 is represented as a contract-only visibility boundary with no fixtures and no proof record.
- Does not prove
- Production NDR, permanent SPAN, public-safe NDR proof, live NDR coverage, or cross-source corroboration as public proof.
HO-LAB-AUTO / Support-only AI Triage Boundary
AI support boundarySUPPORT_ONLY_AI
- Supports
- A public support-only AI boundary is represented: AI may assist labor, but human review remains authority.
- Does not prove
- AI-approved disposition, autonomous SOC, public runtime proof, production readiness, or analyst-approved outcome.
Evidence bay
Filter by family · the ceiling travels with the artifact.
One control room for every reviewer artifact. Pick a family; each card shows its owning surface, what it supports, what it does not prove, and where to inspect it.
25 artifacts · all families
HO-DET-001 Proof Record
- Supports
- A public proof record exists with a stated ceiling, blocked promotions, and a path back to source and validation.
- Does not prove
- Runtime activation, signal observation, fleet scope, or external-use authorization.
Website Rendering Is Not Proof
- Supports
- The public website owns presentation only and routes reviewers to evidence and proof records.
- Does not prove
- Runtime, signal, or evidence claims that live in their own repositories and gates.
HO-DET-001 Case File
- Supports
- The bounded scope of controlled-test validation status against an explicit promotion gate list.
- Does not prove
- Runtime or signal authority outside the controlled-test path.
AWS-DET-001 Proof Record
- Supports
- AWS-DET-001 passed fixture-only validation against controlled CloudTrail-style IAM denial fixtures.
- Does not prove
- AWS-live, CloudTrail live, cloud runtime-active, signal-observed, or public-safe runtime proof.
HO-DET-001 Private Runtime Boundary
- Supports
- Only that the public card routes reviewers to a blocked private/internal boundary, not to a public runtime fact.
- Does not prove
- Runtime-active deployment, public-safe runtime proof, fleet-wide coverage, Cribl-routed telemetry, Wazuh-routed public proof, AWS-live status, or live Splunk fired as public proof.
Private Marker Delivery Boundary
- Supports
- Only that the public card routes reviewers to a blocked private/internal boundary, not to a public Splunk or Cribl fact.
- Does not prove
- HO-DET-001/Sysmon telemetry is Cribl-routed, Cribl-routed telemetry for production or fleet scope, Wazuh-routed public proof, live Splunk fired as public proof, or any change to the public proof ceiling.
Validation Report — Controlled-Test Scope
- Supports
- A bounded test path passed inside its declared scope.
- Does not prove
- Runtime activity, public signal, or external-use approval.
HO-DET-012 Controlled Validation / Runtime Boundary
- Supports
- HO-DET-012 has a controlled-test validation package, a proof record, and a bounded public summary with raw evidence kept private.
- Does not prove
- Runtime-active public proof, signal-observed proof, scheduled-task coverage completeness, production deployment, or public-safe runtime proof.
Reviewer metadata
- Source route
- Validation registry ↗
- Public-safe status
- BOUNDED_PUBLIC_SAFE_SUMMARY_APPROVED
- Reviewer action
- Inspect the runtime-boundary page, then verify the validation registry row and proof ceiling.
- Related surface / repo
- Proof / Validation / Runtime Proof Factory
- Proof boundary note
- The public website may summarize the bounded boundary; raw runtime material and stronger runtime/signal claims stay blocked.
HO-PIPE-001 Telemetry Route Boundary
- Supports
- HO-PIPE-001 is represented in the public detection map as a source-existing telemetry route boundary with validation planned.
- Does not prove
- Live route validation, Cribl reduction proof, runtime-active public proof, public-safe proof, or production telemetry routing.
Reviewer metadata
- Source route
- Attack coverage source ↗
- Public-safe status
- PUBLIC_ROUTE_BOUNDARY_SUMMARY
- Reviewer action
- Inspect HO-PIPE-001 in the attack coverage source, then use the rendered detections map only as navigation.
- Related surface / repo
- Detections / Attack coverage source
- Proof boundary note
- SOURCE_EXISTS / VALIDATION_PLANNED is not route proof and does not promote telemetry runtime claims.
HO-NDR-001 Security Onion Visibility Contract
- Supports
- HO-NDR-001 is represented as a contract-only visibility boundary with no fixtures and no proof record.
- Does not prove
- Production NDR, permanent SPAN, public-safe NDR proof, live NDR coverage, or cross-source corroboration as public proof.
Reviewer metadata
- Source route
- Validation registry ↗
- Public-safe status
- PUBLIC_BOUNDARY_CONTRACT_SUMMARY
- Reviewer action
- Read the validation-registry row as contract-only; do not promote it into observed Security Onion proof.
- Related surface / repo
- Validation registry / Platform contracts / Detections
- Proof boundary note
- A visibility contract is not NDR proof; runtime, signal, and corroboration claims require separate promoted evidence.
Proof Loop Reviewer Brief / Review ZIP Standard
- Supports
- A reviewer packet route and inspection standard exist for bounded proof review.
- Does not prove
- Runtime truth, public-safe truth, production readiness, customer validation, or SOCaaS maturity.
Reviewer metadata
- Source route
- Proof Pack release ↗
- Public-safe status
- PUBLIC_REVIEWER_PACKET
- Reviewer action
- Start with the manifest, then compare each receipt against the does-prove and does-not-prove boundary.
- Related surface / repo
- Proof Pack 001 / Proof manifest / Governance Saves
- Proof boundary note
- A reviewer packet routes inspection; it does not raise a claim ceiling by existing.
Detection Factory / Validation Factory Controller
- Supports
- A bounded controller pattern exists for status and plan packets across detection, validation, and proof workflow structure.
- Does not prove
- Every detection is validated, runtime execution occurred, signal observation happened, autonomous SOC authority exists, or AI approved anything.
Reviewer metadata
- Source route
- Controller source ↗
- Public-safe status
- PUBLIC_STRUCTURE_SUMMARY
- Reviewer action
- Inspect the controller as workflow structure, then follow validation/proof routes for individual detection claims.
- Related surface / repo
- Platform / Validation / Proof / Detections
- Proof boundary note
- The controller emits bounded status; promotion and proof authority remain outside the controller.
HO-LAB-AUTO / Support-only AI Triage Boundary
- Supports
- A public support-only AI boundary is represented: AI may assist labor, but human review remains authority.
- Does not prove
- AI-approved disposition, autonomous SOC, public runtime proof, production readiness, or analyst-approved outcome.
Reviewer metadata
- Source route
- Platform contracts →
- Public-safe status
- PUBLIC_BOUNDARY_SUMMARY
- Reviewer action
- Use this card to inspect where AI support stops and human review authority begins.
- Related surface / repo
- AI Security / Platform contracts
- Proof boundary note
- AI support can summarize and route; it cannot approve disposition, proof promotion, or public-safe status.
Claim Firewall
- Supports
- The supported public ceiling and the explicit list of claims kept off the public surface.
- Does not prove
- That blocked claims are merely pending; some remain blocked by design.
Blocked-Claim CI Scanner
- Supports
- Rendering wording has a deterministic scanner and a published blocked-claim list.
- Does not prove
- Runtime control coverage, required-check enforcement, or branch-protection status.
Truth Surface Model
- Supports
- Each surface owns a different question; none inherits proof by presentation.
- Does not prove
- That every surface is currently active for HawkinsOperations claims.
Repository Authority Map
- Supports
- Repository plane separation by ownership and authority.
- Does not prove
- Runtime state across repositories.
Control Status Matrix
- Supports
- A central reviewer-facing routing surface for control status exists in the .github profile repo.
- Does not prove
- Runtime control activation outside the matrix's own statements.
Claim Promotion Flow
- Supports
- A documented promotion path with separate gates per surface.
- Does not prove
- That a given claim has currently passed every gate.
Reviewer Route — 3 Speeds
- Supports
- Reviewer-friendly entry routes into proof and architecture.
- Does not prove
- That reading the route promotes any claim.
Field Notes Codex
- Supports
- A short-form public surface that defends the system's boundary doctrine.
- Does not prove
- Runtime claims; field notes route to records.
AI Authority Boundary
- Supports
- Where AI assistance ends and human-approved governance begins inside this system.
- Does not prove
- That any model output is itself a proof artifact.
Blocked Public Claims
- Supports
- Reviewers can see what is blocked, not just what is supported.
- Does not prove
- Hidden claims; the blocked list is intentionally visible.
Legacy Boundary
- Supports
- Legacy material exists and can give context.
- Does not prove
- Current runtime, signal, or evidence claims for HawkinsOperations.
System History
- Supports
- Rendering changes are tracked publicly.
- Does not prove
- Runtime or signal changes to the underlying detection system.
Reviewer anchors
Start with the proof-bearing artifacts.
The proof record holds the bounded ceiling. The doctrine keeps rendering separate from proof. The route line shows how the rendered card points back to evidence.
HO-DET-001 Proof Record
The flagship public proof record with controlled-test validation status, bounded ceiling, and explicit blocked promotions.
Open proof card →Website Rendering Is Not Proof
The boundary doctrine that separates a rendered page from a proof record. Routing is not evidence.
Read field note →Local GPU Triage / Factory Lane
Governed platform work · bounded receipts and status packets.
Recent platform work defines bounded workflow gates, receipt emission, and status packets. This lane is reviewer-visible governed labor only. It does not claim model execution in CI, GPU CI proven status, runtime-active status, signal-observed status, or public-safe runtime proof.
- 01 · Phase A
Phase A scaffold
Does not prove runtime activity or GPU CI status.
Open artifact ↗
- 02 · Phase B
Phase B workflow gate
Governed labor only; not runtime proof.
Open artifact ↗
- 03 · Receipt
Receipt-emit hardened
Does not prove model execution in CI or public-safe runtime proof.
Open artifact ↗
- 04 · Factory
Factory status packets
Does not claim autonomous SOC or AI-approved disposition.
Open artifact ↗
BoundaryGPU / factory artifacts are reviewer-visible governed work. They do not prove model execution in CI, GPU CI status, runtime-active status, signal-observed status, or public-safe runtime proof. Public ceiling stays at CONTROLLED_TEST_VALIDATED.
Recent governed work · by surface
Grouped by where the work lives.
Each group is a hand-maintained static snapshot. Cards open reviewer review pages. No card claims runtime-active, signal-observed, or public-safe runtime proof.
Proof · case studies
Evidence boundaryProof-repo updates and reviewer-visible case studies. Does not promote runtime or public-safe runtime proof.
Governed work · Proof surface
Proof / case study artifacts
Proof-repo updates and reviewer-visible case studies.
- DOCS_ARTIFACT2026-05-17
AI Governance Control Layer case study merged
Context-only case study describing the governed AI-assisted proof routing model. Not pipeline proof.
proof · #37Open review → - MERGED_PR2026-05-17
Proof Pack 001 reviewer-package wording hardened
Reviewer-package wording for Proof Pack 001 tightened. Wording only.
proof · #36Open review →
Platform · GPU · Factory
Governed laborPlatform-repo work — bounded workflow gates, receipt emission, and Detection Factory Controller status packets. Governed labor only; does not claim model execution in CI or GPU CI proven status.
Governed work · Platform surface
Platform / GPU / Factory artifacts
Bounded workflow gates and receipts. Governed labor only.
- RECEIPT_EMITTED2026-05-17
Local GPU Triage Gate · receipt-emit hardened
Receipt-emit path for the Local GPU Triage Gate workflow hardened. Receipt path only.
platform · #19Open review → - GOVERNED_LABOR2026-05-17
Local GPU Triage Phase B workflow gate added
Phase B workflow gate scaffolding for the Local GPU Triage Gate. Governed labor only.
platform · #17Open review → - GOVERNED_LABOR2026-05-17
Local GPU Triage Pipeline v0 Phase A scaffold
Phase A scaffold of the Local GPU Triage Pipeline v0. Scaffold only.
platform · #15Open review → - GOVERNED_LABOR2026-05-17
Detection Factory Controller v0 status packets
Detection Factory Controller v0 emits bounded status packets. Governed work only.
platform · #14Open review →
Validation · verifiers
Controlled-test boundaryValidation-repo verifier work for HO-DET-001 AI triage. Closes controlled-test edge cases; runtime and signal-observed status remain blocked at this surface.
Governed work · Validation surface
Validation / verifier artifacts
Controlled-test verifier work.
- VERIFIER_HARDENED2026-05-16
HO-DET-001 AI triage private-key edge cases closed
HO-DET-001 AI triage verifier hardened around private-key rejection edge cases.
validation · #34Open review → - VERIFIER_HARDENED2026-05-16
HO-DET-001 AI triage contract verifier added
Contract verifier added for the HO-DET-001 AI triage path inside the controlled-test boundary.
validation · #33Open review →
Website · public rendering
Public renderingWebsite-repo updates. Public rendering only — website rendering is not proof.
Governed work · Website surface
Website / public rendering artifacts
Public rendering updates only.
Coverage heatmap
Family coverage at a glance.
Select a family to read its coverage across planes. Cells show where each family exists in public, where the website routes, and what stays private or blocked. The matrix below holds the same data as a table.
Reviewer evidence coverage
Artifact family coverage.
This matrix groups artifact families across planes. Cells declare what exists in public, what the website routes, and what is held private or blocked. The matrix does not promote claims; it shows family-level coverage.
Artifact familySourceValidationProofWebsitePrivate evidencePublic status
HO-DET-001 proof looppresentpresentpresentrouted—controlled-test
Proof Pack 001presentpresentroutedrouted—reviewer-routed
HO-DET-001 detection sourcepresentpresentroutedrouted—controlled-test
Validation CI / reportpresentpresentroutedrouted—present
Backend adapter · field mappingprivateprivate—referenceprivateblocked
AI support · GPU supportprivateprivate——privateblocked
NDR · Security Onion recordprivate—referencereferenceprivateunpublished
Cyber Kill Chain / ATT&CK reviewer mappresentpresentroutedrouted—rendering
Governance · review authoritypresentpresentroutedrouted—present
Website proof routingpresentpresentroutedrouted—rendering
Legend · present = public artifact exists on its authority repo · routed = website surface points to the receipt · private = held in private/internal evidence, not public · reference = referenced but not promoted · blocked = not eligible for public claim until promotion gate clears · reviewer-routed = bounded reviewer route available; not proof promotion. Website rendering is not proof; the matrix only describes coverage state.