Merged
24 changes: 16 additions & 8 deletions profile/README.md
Expand Up @@ -6,7 +6,7 @@

# HawkinsOperations

**HawkinsOperations is a governed AI Security Operations control plane. AI can draft security work; deterministic validation, proof records, and human review authorize claims.**
**HawkinsOperations is a governed AI Security Operations and detection engineering system. AI accelerates drafting, triage reasoning, case-packet support, documentation, and automation planning; deterministic validation, proof records, and human review decide what becomes operational truth.**

`CONTROLLED_TEST_VALIDATED` · `HO-DET-001` · `NOT_PUBLIC_SAFE` · `RENDERING_NOT_PROOF` · `HUMAN_REVIEW_REQUIRED`
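
Review bot: The replacement tagline ends with "decide what becomes operational truth", a term this README does not define, while the line it replaces used "authorize claims". Suggest keeping "authorize claims" or adding a one-line definition of "operational truth", so a reviewer does not read the tagline as asserting more than the `CONTROLLED_TEST_VALIDATED` ceiling on the status line directly below it.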

Expand All @@ -16,17 +16,25 @@

---

## 10-second read
## What this shows now

- AI drafts security work.
- Deterministic validation, proof records, and human review authorize claims.
- Website/GitHub rendering is not proof.
HawkinsOperations is a governed detection engineering loop: source-controlled detection work, deterministic validation, platform contracts, proof records, reviewer releases, bounded runtime-candidate routing, and human-review gates. AI supports drafting, triage reasoning, case-packet support, documentation, and automation planning; it does not decide disposition, approve claims, promote proof, or close cases.

The system separates detection source, validation, platform contracts, proof records, governance routing, and public rendering so public claims cannot outrun evidence.
Green CI is evidence for the checked scope, not approval. Website and GitHub pages route reviewers; proof records and verifiers own the claim ceiling.

**Current proof snapshot:** HO-DET-001 has source and controlled-test validation within the current public ceiling, Proof Pack 001 is a bounded reviewer route, the proof-owned ledger records 4 cases and 0 public-safe runtime cases, and the reviewer metrics route records 49 detection activity / controlled validation fires, 106 validation cases, 8 proof records, and 31 blocked claims.
## Current strongest receipts

**Claim firewall:** runtime-active, signal-observed, production, SOCaaS, autonomous SOC, AI-approved disposition, analyst-approved disposition, and public-safe runtime claims remain blocked unless separately proven. Blocked claims are intentional controls, not failed features.
| Receipt | What is real today | Reviewer value | Boundary |
|---|---|---|---|
| [HO-DET-001 proof path](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) | PowerShell EncodedCommand detection route mapped to ATT&CK T1059.001, with detection source, Splunk source, controlled validation, proof record, and public route. | Shows the full source -> validation -> platform contract -> proof -> rendering chain for one concrete detection. | Public ceiling remains `CONTROLLED_TEST_VALIDATED`; runtime, signal, production, and public-safe claims remain blocked. |
| [Proof Pack 001](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) | Bounded reviewer release ZIP with SHA256 and verifier route for HO-DET-001. | Gives a reviewer one package to verify without private lab access. | Reviewer release only; not public-safe runtime proof. |
| [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) | 4 governed cases, 49 controlled validation activity fires, 106 validation cases, 8 proof records, and 31 blocked claims. | Reports progress without inflating proof or turning activity into case truth. | Activity fires are validation activity, not governed cases, runtime signals, or public-safe proof. |
| [Runtime Route Proof v1](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/maps/RUNTIME-ROUTE-PROOF-V1-REVIEWER-MAP.md) | Private-candidate Wazuh -> Cribl -> Splunk route summary and prerelease. | Shows runtime-route preservation work without publishing raw private evidence. | `NOT_PUBLIC_SAFE`; not public runtime proof, production proof, or broad-ingestion proof. |
| [Six-repo authority model](../architecture/REPO_AUTHORITY_MAP.md) | Detections own source, validation owns behavior, platform owns contracts, proof owns claim ceilings, website renders, and `.github` routes. | Makes the system reviewable without allowing one repo or page to claim another truth surface. | Rendering is not proof; router surfaces do not authorize claims. |

## What remains blocked

Runtime-active public proof, signal-observed public proof, public-safe runtime proof, production SOCaaS, customer deployment, live enterprise deployment, autonomous SOC, AI-decided disposition, AI-approved disposition, analyst-approved disposition, FortiSIEM integration proven, fleet-wide coverage, and production-ready SOC are not claimed here.

## HawkinsOperations Control Panel
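
Review bot: In "What remains blocked", the closing "are not claimed here" drops both qualifiers carried by the "Claim firewall" line it replaces: "unless separately proven" and "Blocked claims are intentional controls, not failed features." The list also gains entries such as customer deployment, FortiSIEM integration proven, and fleet-wide coverage without linking to a record that owns them. Suggest restoring the "intentional controls" sentence and linking the list to the proof-owned source of the blocked claims. Separately, the "Six-repo authority model" row uses a relative link (`../architecture/REPO_AUTHORITY_MAP.md`) while every other receipt uses an absolute URL; confirm it resolves where this profile README is rendered.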

36 changes: 24 additions & 12 deletions profile/START_HERE.md
Expand Up @@ -2,14 +2,26 @@

Start here if reviewing HawkinsOperations.

HawkinsOperations is a governed AI Security Operations control plane. AI can draft security work; deterministic validation, proof records, and human review authorize claims.
HawkinsOperations is a governed AI Security Operations and detection engineering system built around source-controlled detection work, deterministic validation, platform contracts, proof records, reviewer releases, bounded runtime-candidate routing, and human-review gates.

The system separates detection source, validation, platform contracts, proof records, governance routing, and public rendering so public claims cannot outrun evidence.

- AI drafts security work.
- Validation, proof records, and human review authorize claims.
- AI is labor; governance is authority.
- AI can accelerate detection drafting, triage reasoning, case-packet support, documentation, and automation planning.
- AI does not decide disposition, approve claims, promote proof, or close cases.
- Validation, evidence records, proof boundaries, deterministic checks, and human review authorize operational truth.
- Green CI is evidence for the checked scope, not approval.
- Website/GitHub rendering is not proof.

Start with the receipts, then check the boundaries:

| First check | What it shows | Boundary |
|---|---|---|
| [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) | PowerShell EncodedCommand detection route, source, Splunk source, controlled validation, proof record, and public ceiling. | `CONTROLLED_TEST_VALIDATED`; runtime, signal, production, and public-safe claims remain blocked. |
| [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) | Bounded reviewer ZIP, SHA256, and verifier route for HO-DET-001. | Reviewer release only; not public-safe runtime proof. |
| [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) | 4 governed cases, 49 controlled validation activity fires, 106 validation cases, 8 proof records, 31 blocked claims. | Activity fires are validation activity, not governed cases, runtime signals, or public-safe proof. |
| [Runtime Route Proof v1 reviewer map](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/maps/RUNTIME-ROUTE-PROOF-V1-REVIEWER-MAP.md) | Private-candidate Wazuh -> Cribl -> Splunk route summary and prerelease. | `NOT_PUBLIC_SAFE`; not public runtime proof, production proof, or broad-ingestion proof. |

The enterprise AI failure mode is that AI-generated output becomes a public claim, analyst conclusion, operational action, security disposition, or executive truth before evidence and human review authorize it. HawkinsOperations is built to prevent that promotion path.

Current public proof is intentionally bounded. Runtime-active, signal-observed, production, SOCaaS, autonomous SOC, AI-approved disposition, analyst-approved disposition, and public-safe runtime claims remain blocked unless separately proven. Blocked claims are a claim firewall, not failed features.
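
Review bot: The "First check" table repeats the first four rows of the README "Current strongest receipts" table from this same PR, including the hard-coded counts in the "Reviewer metrics summary" row (4, 49, 106, 8, 31), so those figures now live in two rendered files as well as the linked JSON. Suggest keeping the counts in one file and linking to it from the other, or stating which commit of `reviewer-metrics-pipeline-v1-summary.json` they were read from, since every link here points at `blob/main` and can change after merge. The link labels for the same URL also differ between the two files ("HO-DET-001 proof path" in the README, "HO-DET-001 proof record" here).
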
Expand Down Expand Up @@ -42,9 +54,17 @@ Public claims require reviewed wording, evidence linkage, stale review, and appr

## Reviewer Control Panel

### 30-second reviewer path

1. Open the [organization profile](./README.md) for the strongest current receipts.
2. Open the [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) and [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) to verify the flagship proof route and bounded reviewer release.
3. Open the [Repository Authority Map](../architecture/REPO_AUTHORITY_MAP.md) to see which repo owns source, validation, platform, proof, website rendering, and org routing.
4. Open the [Reviewer metrics summary](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/reviewer-metrics-pipeline-v1-summary.json) to verify bounded metrics without governed-case inflation.
5. Treat every website/GitHub page as routing unless the owning proof record supports the claim.

### 3-minute command-center path

1. Open the [organization profile](./README.md) to see the six-repo command center.
1. Complete the 30-second reviewer path above.
2. Open the [Repository Authority Map](../architecture/REPO_AUTHORITY_MAP.md) to confirm which repo owns each truth surface.
3. Open the [Control Status Matrix](../governance/CONTROL_STATUS_MATRIX.md) to confirm the current claim ceiling and blocked claims.
4. Open the [Proof Pack 001 Release](https://github.com/HawkinsOperations/hawkinsoperations-proof/releases/tag/hawkinsoperations-proof-pack-001) and [HO-DET-001 proof record](https://github.com/HawkinsOperations/hawkinsoperations-proof/blob/main/proof/records/HO-DET-001.md) for proof-owned claim boundaries.
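
Review bot: With step 1 of the 3-minute path changed to "Complete the 30-second reviewer path above.", steps 2 and 4 now repeat it: the new 30-second path already opens the Repository Authority Map (its step 3) and the Proof Pack 001 Release and HO-DET-001 proof record (its step 2). Suggest trimming the 3-minute path to what it adds, starting with the Control Status Matrix. The new 30-second path also runs to five steps, some opening two documents each; consider cutting it to the first two so the label still fits.
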
Expand All @@ -61,14 +81,6 @@ Reviewer metrics boundary: the Lifetime Governed Cases number stays strict and c

Runtime Route Proof v1 private-candidate boundary: the proof repo routes a reviewer map and prerelease for one private controlled Wazuh -> Cribl -> Splunk marker summary. Claim ceiling remains `PRIVATE_RUNTIME_ROUTE_PROOF_V1_CANDIDATE_PRESERVED`; public-safe status remains `NOT_PUBLIC_SAFE`; Lifetime Governed Cases remains 4; `AI_DECIDED_DISPOSITION=false`.

### 30-second reviewer path

1. Start with the [organization profile](./README.md) for the system summary.
2. Use the [Repository Authority Map](../architecture/REPO_AUTHORITY_MAP.md) to see which repo owns each truth surface.
3. Use the [Control Status Matrix](../governance/CONTROL_STATUS_MATRIX.md) to separate report-only routing from controls that block, fail, or force correction.
4. Inspect [hawkinsoperations-proof](https://github.com/HawkinsOperations/hawkinsoperations-proof) for proof records and claim ceilings.
5. Follow source and validation links only inside their stated scope.

### 10-minute reviewer path

1. Complete the 3-minute command-center path above.
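
Review bot: Removing this older "30-second reviewer path" drops two pieces of guidance that the replacement added earlier in the file does not carry: step 3's use of the Control Status Matrix "to separate report-only routing from controls that block, fail, or force correction", and step 5, "Follow source and validation links only inside their stated scope." Suggest moving both into the new 30-second or 3-minute path, since the 3-minute path cites the Control Status Matrix only for the claim ceiling and blocked claims.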