?

Who this is for

A platform team assessing rousseau-agent before it goes near production. Answers the "what do we need to sign off on?" question. Every item cross-references a specific concrete thing rousseau ships so the sign-off is objective, not aesthetic.

Checklist

1. Supply chain

  • SBOM. Confirm every release publishes rousseau_<v>_sbom.cdx.json (CycloneDX 1.5). Import into your SCA scanner. Actionable: run cyclonedx-cli tree against the SBOM and grep for licence exceptions your org bans.
  • SLSA-3 provenance. Every release publishes rousseau_<v>_provenance.intoto.jsonl. Verify with slsa-verifier verify-artifact --source-uri github.com/sebastienrousseau/rousseau-agent ….
  • cosign trust root. Pin the certificate identity regex: sebastienrousseau/rousseau-agent. Cache the checksum verification recipe in your bootstrap tooling; see Quickstart step 5.
  • Reproducible build. make check runs go test -race plus govulncheck. Set up a periodic vulnerability scan of the version you're running.

2. Runtime hardening

  • Rootless container. docker/rousseau-agent.container runs the Quadlet unit under a dedicated unprivileged user with loginctl enable-linger. Confirm your host is set up the same way.
  • All caps dropped. DropCapability=all. podman inspect | jq '.[0].EffectiveCaps' should show [].
  • NoNewPrivileges=true. Prevents child processes from gaining privileges.
  • Read-only root filesystem. ReadOnly=true + Tmpfs=/tmp:rw,size=64m.
  • Seccomp profile. SeccompProfile=/usr/share/containers/seccomp.json. Audit it against your host's baseline.
  • User namespace mapping. UserNS=keep-id. Confirms bind-mounted files own correctly on both sides.

3. Network posture

  • No inbound. Rousseau has zero HTTP surface. ss -tanp | grep rousseau shows outbound-only sockets.
  • Egress allowlist. Layer nftables or Cloudflare Zero-Trust outside the container. Allow only:
    • The LLM provider (api.anthropic.com, bedrock-runtime.<region>.amazonaws.com, us-east1-aiplatform.googleapis.com, etc.).
    • The transport (web.whatsapp.com, mtproto.telegram.org, matrix homeserver, Slack wss-*).
  • DNS resolver locked down. Optionally run a unbound in an adjacent container that only resolves the allowlisted names.

4. Approval policy

  • mode: pattern for every unattended daemon. Verify agent.approver.mode: pattern in the config for every transport service.
  • default: deny. No unmatched call gets through.
  • bash deny list. rm\s+-rf, sudo, curl, wget, chmod, chown, nc, ncat. See Tutorial: Harden the approver.
  • write / edit path pin. Regex restricts writes to /workspace/....
  • Config in source control. The approver YAML is code — review it in PR.

5. Secret handling

  • No API keys in config.yaml. Store secrets in a systemd EnvironmentFile= (chmod 0600) or the org's secret manager.
  • ANTHROPIC_API_KEY piped via env. config.Load (internal/config/config.go) picks it up.
  • Bedrock IRSA / Vertex ADC. Prefer identity federation over long-lived API keys.
  • Rotation cadence. 90 days or as your policy demands. Rousseau does not cache credentials — a rotated key is picked up on the next daemon restart.

6. Data at rest

  • sessions.db encryption. Full-disk encryption (LUKS on Linux, FileVault on macOS, EBS-encrypted volumes on AWS). Rousseau does not implement application-level encryption on the session store.
  • Backups encrypted. Restic or borg both encrypt at rest with a key you control.
  • Retention policy. Bulk-delete sessions older than N days — see Guides: Session management for the SQL.
  • JID map handling. jid_sessions table maps phone numbers to session IDs. Treat it as PII.

7. Logs and audit

  • log.format: json. Machine-parsable output.
  • Log shipping off-host. Vector / Promtail / Datadog. See Guides: Observability.
  • Retention. 90 days minimum in cold storage. Rousseau's audit trail is entirely in slog; you make it durable.
  • tool.denied alerting. Alert on any denial — it may be benign or an attempted injection.
  • whatsapp.logged_out alerting. Meta policy trip means the account is out of action.

8. Change management

  • Config changes are code. PR-reviewed, versioned in git.
  • Image bumps are deliberate. AutoUpdate=disabled in the Quadlet unit is intentional.
  • Rollback plan. Keep the previous image tagged and available. podman tag localhost/rousseau-agent:local rousseau-agent:previous before every build.

9. Incident response

  • On-call rota. Someone can systemctl --user stop rousseau-agent within your MTTR SLO.
  • Compromise playbook. Steps to: revoke the LLM API key, revoke the transport token (e.g. Slack bot re-install), snapshot the session store, image the container filesystem, unlink WhatsApp device.
  • Security disclosure channel. Read SECURITY.md in the rousseau-agent repo for the coordinated disclosure address.
  • SLO for security fixes. Track CVEs against the pinned rousseau version. govulncheck in make check catches known Go stdlib and dependency issues.

10. Compliance mapping

  • SOC 2 evidence. SLSA-3 provenance + cosign + SBOM covers CC7.1 (system operations). Approver logs cover CC7.2.
  • ISO 27001 A.12 Operations Security. Approval policies + workspace scoping + audit logs.
  • OWASP LLM Top-10. Rousseau does not attest to LLM Top-10 today — this is a roadmap item. Document your compensating controls (approver + container) in your audit.

Sign-off template

The below is a lightweight template your platform team can copy into a runbook:

Rousseau-agent deployment sign-off
=================================
Version: <tag>            (verified via cosign / SLSA verifier)
Provider: <anthropic|bedrock|vertex|openai>
Transports enabled: <list>
Approver mode: pattern
Approver default: deny
Log destination: <Loki / Datadog / etc>
Backup destination: <s3://... / restic repo>
On-call: <team>
Security disclosure: <internal address>

Related

Type to search 150+ pages. Ranking: BM25 with title/description boost.