eBPF kernel enforcement, hardware-anchored identity, and behavioral attestation chains for AI agent governance and surveillance visibility.
Every protocol in the modern stack assumes honesty. Devices declare their identity with a MAC address. BGP routers declare where traffic goes. Applications declare what they do with data. Firewalls, SIEMs, and access logs record what software reports — not what actually happened.
Every one of those assumptions is broken. MAC addresses are spoofed in milliseconds. BGP prefix hijacks reroute traffic through adversarial infrastructure. Applications exfiltrate data while reporting compliance. And now, AI agents — autonomous software that makes network requests on behalf of humans — operate with zero governance at the network layer.
The agent governance gap: An authenticated agent can be hijacked via prompt injection at any point in its lifecycle. A certificate proves who started an agent. It proves nothing about who is driving at mile 3. Sub-agents spawn sub-agents spawn sub-agents. Key management doesn't scale to agent velocity.
The current security model — firewalls, application-layer logging, identity certificates — operates where data can be manipulated before it's recorded. TunnelMind operates beneath all of it.
TunnelMind replaces trusted declarations with three cryptographic enforcement primitives, each operating at a layer that cannot be lied to by the layers above it.
Extended Berkeley Packet Filter programs attached to the Traffic Control subsystem on the WireGuard interface (wg0). Every packet is inspected at the kernel level before the operating system can report on it. Sub-microsecond decision latency. Cannot be bypassed by any userspace process, including a compromised agent.
Device certificates issued by a Vault PKI, rooted in hardware — TPM 2.0, iSIM/EID (GSMA SGP.02), or Apple Secure Enclave. The WireGuard public key is the device identity. The certificate proves the device, not just the key. MAC addresses, UDIDs, and software tokens are replaced entirely. Certificate structure follows IEEE 802.1AR (LDevID, 24-hour TTL, automatic rotation).
Every network event captured by the eBPF hook becomes a cryptographically signed, hash-linked record. SHA-256 event hashes are chained (each event references the previous hash), structured into a binary Merkle tree, and signed with Ed25519. Change any event and all subsequent hashes break. Tamper detection is mathematical, not policy-based.
The kernel enforcement program processes every packet through a 7-step pipeline in a single pass. No packet reaches userspace without being inspected, classified, and recorded.
TunnelMind replaces MAC-based authentication and software tokens with a four-tier hardware identity model. Each device is classified by the strongest cryptographic proof its hardware can produce. The WireGuard public key is bound to a hardware-anchored LDevID certificate (IEEE 802.1AR), rotated every 24 hours.
| Tier | Name | Hardware | Proof | Assurance |
|---|---|---|---|---|
| TIER 0 | OnDieSilicon | iSIM, EID (GSMA SGP.02) | Key generated on-die, never exported | Highest — physically impossible to extract |
| TIER 1 | DiscreteSecureElement | TPM 2.0, Android StrongBox | TPM2_Quote over PCRs, EK cert chain | High — discrete tamper-resistant module |
| TIER 2 | TrustedExecutionEnvironment | Intel TXT, ARM TrustZone, Apple SE | TEE attestation, DeviceCheck token | Moderate — firmware-isolated execution |
| TIER 3 | SoftwareOnly | ECDSA P-256 in process memory | Key binding check, signature verification | Lowest — policy decides enforcement |
Policy enforcement by trust tier: The eBPF policy map (LPM_TRIE) stores a minimum trust tier per destination prefix. A Tier 3 device can reach internal infrastructure. Reaching a regulated data jurisdiction requires Tier 1 or higher. This is enforced at the kernel level — no application can override it.
Identity certificates answer "who started this?" but cannot answer "what happened after?" — especially for AI agents that can be hijacked mid-session. TunnelMind's attestation layer records what happened, not who claimed to do it.
System prompt hashing, not logging: The agent's system prompt is stored as a SHA-256 hash — never the prompt text. This proves the prompt existed and was unchanged without leaking proprietary instructions.
A CISO asks: "Show me every packet my AI agents sent to a Chinese-controlled ASN in the last 30 days, prove cryptographically that none of them contained PII, and generate a signed report I can give to my auditor."
TunnelMind answers in under 10 seconds with hardware-anchored proof. That capability does not exist anywhere in the market today.
One click generates a signed ZIP archive verifiable by anyone with openssl and jq. No TunnelMind software is required for verification.
| File | Format | Contents |
|---|---|---|
| events.json | NDJSON | All events in range, one per line, machine-readable |
| chain_summary.json | JSON | Chain length, head hash, signing key ID, policy hash, time range |
| violations.json | JSON | VIOLATION and CRITICAL events only — the audit trail |
| verify.sh | Bash | Self-contained verification: hash integrity, Ed25519 sigs, chain linkage |
| signing_key.pem | PEM | Ed25519 public key for the signing period |
| README.txt | Text | Auditor instructions and field definitions |
13 rules ship out of the box. Hot-reloadable YAML — changes take effect within 5 seconds. The SHA-256 of the policy file is embedded in every attestation bundle.
| Rule | Verdict | Trigger |
|---|---|---|
| CRED-CRITICAL | BLOCK | Credentials sent to suspicious destination |
| AGENT-GOV-BLOCK | BLOCK | Agent → government-attributed infrastructure |
| EU-PII-BLOCK | BLOCK | PII sent to data broker — GDPR Art. 5 |
| EU-HEALTH-BLOCK | BLOCK | Health data — GDPR Art. 9 special category |
| CN-PII-BLOCK | BLOCK | PII or financial data → China jurisdiction |
| AGENT-SOURCECODE-AUDIT | AUDIT | Agent sending source code externally |
| SURVEILLANCE-WARN | WARN | Traffic to known surveillance actor |
| DATA-BROKER-WARN | WARN | Traffic to known data broker |
| DEFAULT-ALLOW | ALLOW | No rule matched — nominal traffic |
The consumer product inverts the surveillance equation. Every tracker, data broker, and fingerprinting script that watches a user is identified, attributed to its corporate parent, mapped to its regulatory jurisdiction, and assigned a dollar value estimate.
Every TunnelMind node — enterprise or consumer — passively observes BGP routing from its vantage point. These observations are cryptographically signed by the node's hardware identity and aggregated into a distributed dataset that answers questions no commercial dataset can.
The flywheel: Every consumer user is a sensor node. Their anonymized telemetry enriches the shadow BGP dataset that powers the enterprise intelligence layer. More enterprise value drives more investment. More investment funds more consumer features. Free product. Priceless dataset.
| Exclusion | Rationale |
|---|---|
| Agent identity certificates | A cert proves who started. It can't prove what happens after prompt injection. Behavior attestation scales. Identity doesn't. |
| Profile poisoning | Contradicts observation-only thesis. Degrades telemetry integrity. Creates legal surface area. |
| BGP route injection | Read-only observer. Never announces or modifies routes. Trust boundary and legal boundary. |
| Centralized data lakes | Telemetry stays at the node. Aggregation per control plane instance. Federated by design. |
| Cloud LLM inference | Local LLM only (Ollama + Mistral 7B). No data leaves the node for inference. |
| Standard | Application |
|---|---|
| IEEE 802.1AR-2018 | LDevID certificate structure. 24hr TTL. Hardware-anchored identity. |
| TCG TPM 2.0 §18.4 | TPM2_Quote for PCR attestation. AK never exported. |
| GSMA SGP.02 | eUICC/iSIM EID — Tier 0 identity. On-die key generation. |
| NIST SP 800-207 | Zero Trust Architecture principles for policy enforcement. |
| RFC 4271 (BGP-4) | Shadow BGP observation and AS path recording. |
| RFC 8210 (RTR) | RPKI validation for prefix origin verification. |
| NIST FIPS 186-5 | Ed25519 digital signatures on attestation events. |
| NIST PQC ML-KEM | Post-quantum key exchange readiness on WireGuard. |
| GDPR Art. 5, 9, Ch. V | Data processing, special categories, cross-border enforcement. |
Competitive moat: The shadow BGP dataset cannot be replicated without the deployed sensor network. The eBPF enforcement layer requires deep kernel networking expertise. The attestation chain architecture is patent-defensible. No current vendor operates at the kernel enforcement layer with hardware-anchored identity and cryptographic behavioral proof.