The consequential decisions behind protector — the why behind the code, not
just the what. New decisions get a new numbered file; superseded ones stay
(marked Superseded by NNNN).
Format: Michael Nygard's ADR style.
Copy 0000-template.md to start one.
| # | Decision | Status |
|---|---|---|
| 0001 | Async mitigation engine: propose / prove / respond, local-first | Accepted |
| 0002 | Change-driven incident loop: diff the cluster, prove the delta, manage the debt | Accepted |
| 0003 | Capability ports: depend on what a tool answers, not which tool it is | Accepted |
| 0004 | Graph representation: in-memory petgraph, rebuilt from observed state | Accepted |
| 0005 | Objectives are ATT&CK outcomes, not just secrets | Accepted |
| 0006 | Build the substrate; treat KubeHound/IceKube as catalogue and optional provider | Accepted |
| 0007 | Live network cuts are additive AdminNetworkPolicy Deny rules | Accepted |
| 0009 | Asymmetric action bar: live evidence acts, latent exposure proposes | Accepted (amended by 0011, 0013) |
| 0010 | Flannel actuator: quarantine the source with a default-deny NetworkPolicy | Accepted |
| 0011 | The model corroborates positively; operator access is out of scope, defended in depth | Superseded in part by 0013 |
| 0012 | Exposure is observed where possible, declared (annotation) where it can't be — tunnels | Accepted |
| 0013 | Proof winnows the search space; the model makes the exploitability call (positive gate + breach-relevance) | Accepted |
| 0014 | First-party behavioral telemetry via eBPF, behind a tool-agnostic port (potential vs actual) | Accepted |
See also ../VISION.md for the longer-form narrative this ADR realizes.