Releases: Protonk/PolicyWitness
Releases · Protonk/PolicyWitness
Release list
Fewer things are called preflight
Performance
policy-witness runno longer runs the unified-log deny scan on every run.
Thatlog showscan is archive-bound (~4 s on a large log store) and was the
dominant per-run cost — not the sandbox evaluation. New--no-log-capture
flag skips it: a small run drops ~5.6 s → ~0.08 s (~70×), and a full serial
corpus pass goes from ~49 min to ~1.4 min.- The host-side SBPL compile no longer runs on the happy path — only to
disambiguate anxpc_error. Removes a redundant compile (~13 s on the 25 KB
WebProcess profile).
Renamed — action required for callers
sbpl-preflight→sbpl-check(it's a host-side SBPL compile-check, not a
per-run preflight). Also: envelopekindsbpl_preflight→sbpl_check, and
the run-envelope fielddata.policy_preflight→data.policy_check.
Behavior
- A non-compiling SBPL policy now surfaces as
sandbox_apply_failed(from the
worker), not the old controllerbad_policyshort-circuit.bad_policyin a
run now comes only from the host's structural check (missingsbpl_source/
non-sbplformat).
Tests & internals
- Foundational tests now witness the effect, not the prediction/shape
(happy-path asserts the read succeeded; apply-isolation asserts
sandboxed_after_apply; smoke asserts the observed deny). - The menagerie now asserts the harness's emitted prediction +
drift, and a
new test exercisesdrift = trueend-to-end by steering the validator's
prediction — no live libsandbox bug required.
Migrating
- Binary:
Contents/MacOS/sbpl-preflight→sbpl-check. - Envelope readers:
data.policy_preflight→data.policy_check; toolkind
sbpl_preflight→sbpl_check. - Compile-error detection keyed on
bad_policyshould also accept
sandbox_apply_failed.
Artifact: PolicyWitness-2.2.0.zip — signed, notarized, and stapled
(Developer ID; spctl accepted). Build CFBundleVersion 4.
EPERM enemy
Fixes a runner failure when sandbox_apply is disallowed (message-filter content and the like) and expands tests to include this case.
All-terrain vehicle
A new c worker allows us to manage version 2 and 3 profiles even with strict deny-default rules.
Attempt kinds are supplied for some common resources (e.g. file operations) and extendibility to other attempt kinds is offered.
Security, what a thing!
Make sure that you can only access the runner with debug attachments via the CLI, probably.
Too many things are called preflight
- Added a new host‑side SBPL preflight helper that compiles SBPL and emits a JSON envelope: controller/src/bin/sbpl-preflight.rs.
- Wired preflight into the controller run flow with fast‑fail on SBPL compile errors and extra diagnostics on XPC errors, plus new output fields: controller/src/run_flow.rs.
- Added preflight integration plumbing and documentation: controller/src/policy_preflight.rs, controller/src/main.rs, controller/Cargo.toml, controller/README.md, tests/build-evidence.py.
- Updated the build to build/copy/sign the new helper inside the app bundle: build.sh.
- Added signing guidance reminders for embedded helpers: AGENTS.md, SIGNING.md.
- Removed the unused runner selector helper and adjusted the test accordingly: controller/src/runner_select.rs.
Unification
Unified into a single runner with JSON output. End to end tests added to validated runtime witness. External "BYOSig" routine available for entitlement based restrictions.
new name, new me
- Renamed the distributable from EntitlementJail.app to PolicyWitness.app and the primary launcher from
entitlement-jail to policy-witness (no backward-compatibility shims). - Reset JSON envelope/witness schema_version values to 1 across Rust/Swift emitters, fixtures, and smoke
assertions.