This repository implements the Containment Surface layer of the ThreadForge platform.
ThreadForge is an identity-first runtime architecture for securely executing distributed services and AI agents using workload identity and policy-driven communication boundaries.
Platform architecture reference: https://github.com/computeaholic/threadforge-reference-architecture
Minimal containment slice extracted from ThreadForge for deterministic validation of the current containment surface.
The Containment Surface layer enforces explicit authorization boundaries between workloads.
It validates that communication between services is constrained by identity-aware policy rather than network reachability.
This layer demonstrates how workload identity and authorization policy combine to prevent unauthorized service access and lateral movement.
scripts/redteam/— manual redteam harness for containment verificationtools/containment_audit.py— containment verification utility- Digest/governance policy subset under
deploy/base/policy/ - Optional policy mirrors under
gitops/infra/policy/ - Canonical documentation snapshot under
CANONICAL/
make containment-audit
bash scripts/redteam/00_preflight.sh
bash scripts/redteam/05_supplychain_guard.shExpected Success Indicators
The containment validation process should produce:
containment_claim=true [PASS] Preflight complete [PASS] Supply-chain guard checks complete
These checks confirm that containment policies are active and functioning in the current environment.
Notes
No cluster manifests are changed by this repository setup step.
This repository claims only what the commands above can verify in the current environment.
The goal is deterministic validation of the current containment policy surface rather than provisioning infrastructure.