Who this is for
A platform team assessing rousseau-agent before it goes near production. Answers the "what do we need to sign off on?" question. Every item cross-references a specific concrete thing rousseau ships so the sign-off is objective, not aesthetic.
Checklist
1. Supply chain
- SBOM. Confirm every release publishes
rousseau_<v>_sbom.cdx.json(CycloneDX 1.5). Import into your SCA scanner. Actionable: runcyclonedx-cli treeagainst the SBOM and grep for licence exceptions your org bans. - SLSA-3 provenance. Every release publishes
rousseau_<v>_provenance.intoto.jsonl. Verify withslsa-verifier verify-artifact --source-uri github.com/sebastienrousseau/rousseau-agent …. - cosign trust root. Pin the certificate identity regex:
sebastienrousseau/rousseau-agent. Cache the checksum verification recipe in your bootstrap tooling; see Quickstart step 5. - Reproducible build.
make checkrunsgo test -raceplusgovulncheck. Set up a periodic vulnerability scan of the version you're running.
2. Runtime hardening
- Rootless container.
docker/rousseau-agent.containerruns the Quadlet unit under a dedicated unprivileged user withloginctl enable-linger. Confirm your host is set up the same way. - All caps dropped.
DropCapability=all.podman inspect | jq '.[0].EffectiveCaps'should show[]. -
NoNewPrivileges=true. Prevents child processes from gaining privileges. - Read-only root filesystem.
ReadOnly=true+Tmpfs=/tmp:rw,size=64m. - Seccomp profile.
SeccompProfile=/usr/share/containers/seccomp.json. Audit it against your host's baseline. - User namespace mapping.
UserNS=keep-id. Confirms bind-mounted files own correctly on both sides.
3. Network posture
- No inbound. Rousseau has zero HTTP surface.
ss -tanp | grep rousseaushows outbound-only sockets. - Egress allowlist. Layer nftables or Cloudflare Zero-Trust outside the container. Allow only:
- The LLM provider (
api.anthropic.com,bedrock-runtime.<region>.amazonaws.com,us-east1-aiplatform.googleapis.com, etc.). - The transport (
web.whatsapp.com,mtproto.telegram.org, matrix homeserver, Slackwss-*).
- The LLM provider (
- DNS resolver locked down. Optionally run a
unboundin an adjacent container that only resolves the allowlisted names.
4. Approval policy
-
mode: patternfor every unattended daemon. Verifyagent.approver.mode: patternin the config for every transport service. -
default: deny. No unmatched call gets through. -
bashdeny list.rm\s+-rf,sudo,curl,wget,chmod,chown,nc,ncat. See Tutorial: Harden the approver. -
write/editpath pin. Regex restricts writes to/workspace/.... - Config in source control. The approver YAML is code — review it in PR.
5. Secret handling
- No API keys in
config.yaml. Store secrets in asystemdEnvironmentFile=(chmod 0600) or the org's secret manager. -
ANTHROPIC_API_KEYpiped via env.config.Load(internal/config/config.go) picks it up. - Bedrock IRSA / Vertex ADC. Prefer identity federation over long-lived API keys.
- Rotation cadence. 90 days or as your policy demands. Rousseau does not cache credentials — a rotated key is picked up on the next daemon restart.
6. Data at rest
-
sessions.dbencryption. Full-disk encryption (LUKS on Linux, FileVault on macOS, EBS-encrypted volumes on AWS). Rousseau does not implement application-level encryption on the session store. - Backups encrypted. Restic or borg both encrypt at rest with a key you control.
- Retention policy. Bulk-delete sessions older than
Ndays — see Guides: Session management for the SQL. - JID map handling.
jid_sessionstable maps phone numbers to session IDs. Treat it as PII.
7. Logs and audit
-
log.format: json. Machine-parsable output. - Log shipping off-host. Vector / Promtail / Datadog. See Guides: Observability.
- Retention. 90 days minimum in cold storage. Rousseau's audit trail is entirely in slog; you make it durable.
-
tool.deniedalerting. Alert on any denial — it may be benign or an attempted injection. -
whatsapp.logged_outalerting. Meta policy trip means the account is out of action.
8. Change management
- Config changes are code. PR-reviewed, versioned in git.
- Image bumps are deliberate.
AutoUpdate=disabledin the Quadlet unit is intentional. - Rollback plan. Keep the previous image tagged and available.
podman tag localhost/rousseau-agent:local rousseau-agent:previousbefore every build.
9. Incident response
- On-call rota. Someone can
systemctl --user stop rousseau-agentwithin your MTTR SLO. - Compromise playbook. Steps to: revoke the LLM API key, revoke the transport token (e.g. Slack bot re-install), snapshot the session store, image the container filesystem, unlink WhatsApp device.
- Security disclosure channel. Read
SECURITY.mdin the rousseau-agent repo for the coordinated disclosure address. - SLO for security fixes. Track CVEs against the pinned rousseau version.
govulncheckinmake checkcatches known Go stdlib and dependency issues.
10. Compliance mapping
- SOC 2 evidence. SLSA-3 provenance + cosign + SBOM covers CC7.1 (system operations). Approver logs cover CC7.2.
- ISO 27001 A.12 Operations Security. Approval policies + workspace scoping + audit logs.
- OWASP LLM Top-10. Rousseau does not attest to LLM Top-10 today — this is a roadmap item. Document your compensating controls (approver + container) in your audit.
Sign-off template
The below is a lightweight template your platform team can copy into a runbook:
Rousseau-agent deployment sign-off
=================================
Version: <tag> (verified via cosign / SLSA verifier)
Provider: <anthropic|bedrock|vertex|openai>
Transports enabled: <list>
Approver mode: pattern
Approver default: deny
Log destination: <Loki / Datadog / etc>
Backup destination: <s3://... / restic repo>
On-call: <team>
Security disclosure: <internal address>
Related
- Security — the trust boundaries this checklist protects.
- Deployment — the Quadlet unit.
- Tutorial: Deploy to a VPS — worked example.
- Guides: Production Deployment — operational specifics.