Public utility satellite

Claim Firewall

Block unsupported security claims before they ship.

Claim Firewall is a small CLI and GitHub Action that scans security docs, PR text, README files, YAML files, and public-facing Markdown for wording that outruns evidence.

  • v0.1.0 released
  • CI passed
  • TOOL_FUNCTION_ONLY
  • RENDERING_ONLY website page
  • CLI
  • GitHub Action
  • Policy as code

PUBLIC WORDING ROUTE

policy gate

01 WORDING

Docs, PR text, README updates, YAML files, and public Markdown enter the gate.

02 SCANNER

Configured policy catches unsupported wording and reports a suggested ceiling.

fail closed
03 CEILING

Unsafe product claims are blocked. Safer wording stays behind evidence.

python -m claimfirewall scan README.md --policy policy/blocked_claims.yml

  • scan files
  • scan dirs
  • text output
  • json output
  • action gate
  • public proof blocked

Website rendering is not proof. Public proof requires evidence linkage and explicit promotion.

Unsupported security claims should fail before they reach the public page. Public wording stays below the evidence ceiling.

Quick Start

Run the scanner where the wording lives

CLI

Python module

python -m claimfirewall scan README.md --policy policy/blocked_claims.yml

Console script

claimfirewall scan README.md --policy policy/blocked_claims.yml

Failure Example

What a blocked claim looks like

CONTROLLED RISK CHIPS

Unsafe wording examples

This detection is production ready.

Finding

  • Blocked claim: production maturity
  • Reason: production maturity requires evidence outside wording scan
  • Suggested ceiling: TOOL_FUNCTION_ONLY

GitHub Action

Gate public wording in CI

ACTION GATE

Drop the action into CI to block configured wording before public text ships.

- uses: HawkinsOperations/[email protected]
  with:
    paths: "."
    format: "text"
    exclude: "examples/fail.md policy/blocked_claims.yml"

Claim Transformer

Replace overreach with bounded wording

EVIDENCE BEFORE CLAIMS

Blocked wording

This detection is production ready.

Why it fails

Production maturity requires deployment evidence and explicit review.

Safer wording

This detection has controlled-test validation only.

Blocked wording

AI approved the final disposition.

Why it fails

AI can support analysis, but approval authority remains human.

Safer wording

AI provided support-only triage context. Human review remains authority.

Blocked wording

The website proves signal observation.

Why it fails

Rendering routes reviewers. It does not create signal evidence.

Safer wording

The website routes reviewers to evidence. It does not prove signal observation.

Blocked wording

Coverage is fleet wide.

Why it fails

Coverage breadth requires separate telemetry and deployment evidence.

Safer wording

Coverage breadth is not claimed by this page.

Policy Coverage

The policy watches language families, not just slogans

Blocked / not claimed

  • production maturity
  • runtime evidence
  • public release safety
  • signal observation
  • automated SOC claims
  • AI approval language
  • analyst approval language
  • customer rollout evidence
  • service availability
  • coverage breadth

Allowed wording examples

  • does not prove production deployment
  • does not claim public release safety
  • support-only AI wording
  • rendering is not proof
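
A minimal sketch of a family-based wording gate that lets bounded, negated wording through, added here as an example and not Claim Firewall's own code. The `POLICY` patterns, the negation heuristic and the `scan`/`gate` names are assumptions, since the page shows neither the policy schema nor the scanner internals.

```python
import re

# Hypothetical policy: family -> (pattern, reason). The real
# policy/blocked_claims.yml schema is not shown on the page.
POLICY = {
    "production maturity": (r"\bproduction[- ](?:ready|grade|deployment)\b",
        "production maturity requires evidence outside wording scan"),
    "AI approval language": (r"\bAI\s+(?:approved|approves|signed\s+off)\b",
        "approval authority remains human"),
    "signal observation": (r"\bproves?\s+signal\s+observation\b",
        "rendering does not create signal evidence"),
    "coverage breadth": (r"\bfleet[- ]wide\b",
        "coverage breadth requires telemetry and deployment evidence"),
}
CEILING = "TOOL_FUNCTION_ONLY"
NEGATION = re.compile(r"\b(?:not|never)\b", re.IGNORECASE)

def scan(text, policy=POLICY):
    """Return one finding per blocked family hit in a sentence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for sentence in re.split(r"(?<=[.!?])\s+", line):
            for family, (pattern, reason) in policy.items():
                hit = re.search(pattern, sentence, re.IGNORECASE)
                # Bounded wording ("does not prove production deployment")
                # negates the claim earlier in the same sentence: allow it.
                if hit is None or NEGATION.search(sentence[:hit.start()]):
                    continue
                findings.append({"line": lineno, "claim": family,
                                 "reason": reason, "ceiling": CEILING})
    return findings

def gate(text, policy=POLICY):
    """CI exit status: 0 only when a non-empty policy finds nothing."""
    # Assumed fail-closed rule: a missing or empty policy never passes.
    return 1 if not policy or scan(text, policy) else 0

# Constructed sample built from the page's blocked and safer wording.
SAMPLE = """This detection is production ready.
This page does not prove production deployment.
The website routes reviewers to evidence. It does not prove signal observation.
AI approved the final disposition.
Coverage is fleet wide."""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: blocked claim: {f['claim']} "
              f"(suggested ceiling: {f['ceiling']})")
    raise SystemExit(gate(SAMPLE))
```

The negation check is deliberately coarse: a sentence such as "not only tested but production ready" would pass it, so a real policy needs tighter allow-phrases than a bare "not".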

Proof Boundary

The tool checks wording. It does not approve claims.

RENDERING_ONLY / TOOL_FUNCTION_ONLY

Claim Firewall checks wording against configured policy only.

It does not prove detection behavior, runtime telemetry, signal observation, production deployment, public release safety, customer rollout, service availability, AI approval, analyst approval, or final human authorization.

Website proof boundary: This website renders reviewer navigation only. Rendering is not proof authority. The website rendering layer remains separate from evidence.

  • RENDERING_ONLY for this website page.
  • TOOL_FUNCTION_ONLY for Claim Firewall v0.1.0.
  • No public proof is created by this page.

HawkinsOperations Fit

Utility only, authority stays separate

AUTHORITY MAP

  • .github: command center and reviewer routing
  • detections: source truth
  • validation: behavior validation
  • platform: control mechanics
  • proof: proof and claim authority
  • website: rendering only
  • claim-firewall: utility only

Claim Firewall supports claim hygiene. It does not approve claims. Evidence and human review decide truth.

Receipts

Public routes for reviewers

Outcome panel
  • Ceiling: TOOL_FUNCTION_ONLY
  • Website status: RENDERING_ONLY
  • Evidence ceiling gauge: release routes are reviewer navigation, not proof promotion.
  • Promotion gate timeline: green CI is useful status, not approval.
  • AI support remains support. Runtime candidate language stays below proof authority.