ML Defender (aRGus NDR)

Open-source, embedded-ML network detection and response system protecting critical infrastructure from ransomware and DDoS attacks.

📜 Living contracts: Protobuf schema · Pipeline configs · RAG API

---

✅ main is tagged v0.9.4-day160. DAY 161: DEBT-WIRE-PROTOCOL-TEST-001 CERRADA (6/6 tests LZ4 LE uint32_t). Jenkinsfile.dev+prod separados. test-e2e-live modo delta. Consejo 8/8. Branch feature/day161-cicd-pipeline pendiente EMECAS++ → merge → v0.9.5-day161. PRE-PRODUCTION: do not deploy in hospitals until ACRL (DEBT-PENTESTER-LOOP-001) is complete.

---

Estado actual — DAY 159 (2026-05-21)

Campo	Valor
DAY	161
Tag	v0.9.5-day161 (pendiente merge)
Branch	feature/day161-cicd-pipeline → EMECAS++ pendiente
EMECAS	✅ Verde DAY 160
Pipeline	6/6 RUNNING
EMECAS++	🟡 Pendiente en feature/day161-cicd-pipeline
Wire protocol	✅ DEBT-WIRE-PROTOCOL-TEST-001 — 6/6 tests
Jenkins	✅ 2.555.2 operacional (Java 21 Temurin)
Vault	✅ v2.0.1 dev mode — secret/argus/crypto
Próximo hito	DAY 162: DEBT-ARGUSPP-SURICATA-001 (ADR-048 F2)
Gate UEx/INCIBE	Datasets de valor científico (no deadline duro)

Tag activo: v0.9.3-day158 | Branch activa: main Keypair activo: b5b6cbdf67dad75cdd7e3169d837d1d6d4c938b720e34331f8a73f478ee85daa (regenera en cada EMECAS) Paper: arXiv:2604.04952 · Draft v24 local · v3 en arXiv Principio rector: calidad sobre fechas — los datasets se generan cuando el pipeline esté listo Principio rector: calidad sobre fechas — los datasets se generan cuando el pipeline esté listo

Pipeline

• 6/6 componentes RUNNING — validado EMECAS DAY 145 ✅
• make test-all: ALL TESTS COMPLETE (50/50 firewall · 3/3 etcd-server · 9/9 sniffer · 10/10 ml-detector · 8/8 rag-ingester · 1/1 argus-network-isolate) ✅
• make PROFILE=production all: Gate ODR — ALL COMPONENTS BUILT ✅
• make argus-network-isolate-test: dry-run PASSED ✅

Hitos DAY 157 🎉

• DEBT-AUTONOMY-STATE-PERSISTENCE-001 CERRADA — common/autonomy_state_writer.h header-only. Escritura atómica fsync+rename, firma Ed25519, lectura fail-safe (AUTONOMOUS expirado >24h → NORMAL). 9/9 tests RED→GREEN. Integrado en etcd-server STEP 0c.
• DEBT-BOOTSTRAP-STATUS-SIGNATURE-001 CERRADA — bootstrap-status.json firmado Ed25519. JSON canónico → crypto_sign_detached → signature_hex. Escritura atómica tmp→rename+fsync. Misma cadena de confianza que ADR-025.
• DEBT-KEYPAIR-LIFECYCLE-PROD-001 CERRADA — provision.sh generate_keypair(): ARGUS_ENV=prod sin keypair → exit 1. NUNCA genera silenciosamente en producción. 3 niveles: dev/staging=genera, prod=falla.
• DEBT-CRYPTO-RECONCILIATION-001 CERRADA + STALENESS GUARD (B1 post-Consejo) — AutonomySubscriber: shared_ptr<atomic<FirewallAutonomyMode>> + shared_ptr<atomic<int64_t>> (last_update_ns). poll_callback: si elapsed > staleness_timeout_sec → NORMAL + log. Previene firewall congelado si etcd-server muere silenciosamente. 9/9 tests (T9: staleness guard).
• Consejo 8/8 consultado — Dos bloqueantes identificados y resueltos antes del merge: B1 (staleness) + B2 (ExecStartPre= vs ExecStartPost= para fichero efímero, pendiente DAY 158).
• EMECAS DAY 157 VERDE — vagrant destroy → up → make bootstrap → make test-all — TODO VERDE.

Hitos DAY 156 🎉

• DEBT-AUTONOMY-CRYPTO-INTEGRATION-001 CERRADA — CryptoAutonomyStateMachine + AutonomyPublisher integrados en etcd-server/main.cpp. Health-check loop 5s dispara on_vault_unreachable/restored. FirewallAutonomyReactor + AutonomySubscriber integrados en firewall-acl-agent/main.cpp. AutonomyConfig.zmq_endpoint añadido a struct y parser. autonomy_publisher.h añadido al install target de CMake.
• Test B (unitario): 7/7 PASSED — CryptoAutonomyStateMachine + AutonomyPublisher via ZMQ real. T1-T7 incluyendo HealthCheckLoopSimulation.
• Test A (E2E): 4/4 PASSED — Pipeline Publisher→IPC→Subscriber→Reactor dry_run. VaultKoTriggersAutonomousMode, VaultRestoredLiftsAutonomousMode, FullCycleNormalAutonomousReconcileNormal, SubscriberRunsStableWithoutEvents.
• Fix ZMQ slow joiner — publisher debe hacer bind() ANTES de que cualquier subscriber conecte. Regla permanente para todos los pares PUB/SUB del proyecto.
• EMECAS DAY 156 VERDE — vagrant destroy → up → make bootstrap → make test-all — TODO VERDE. 50/50 firewall, 3/3 etcd-server, 9/9 sniffer, 10/10 ml-detector, 8/8 rag-ingester.
• ADR-046 PENDING-REVISION — Multi-Source Enriched Pipeline aRGus++. Tres condiciones para cierre: §Label leakage policy, §Deployment matrix RPi5 vs edge server, §8 datos empíricos o hipótesis.

Hitos DAY 155 🎉

• DEBT-FIREWALL-DENY-SELECTIVE-001 CERRADA — Cadena dedicada argus-autonomy: lo→ESTABLISHED→CIDRs→DROP→INPUT. whitelist_cidrs obligatorio desde firewall.json. AutonomyConfig + parse_autonomy() fail-fast. 12/12 tests. 49/49 firewall tests verdes.
• DEBT-AUTONOMY-ZMQ-EVENTS-001 CERRADA — AutonomyPublisher (common/) + AutonomySubscriber (firewall-acl-agent/). Topic argus.crypto.autonomy. Transport ipc:///run/argus/autonomy.sock. 4/4 + 6/6 tests PASSED.
• BACKLOG-ZMQ-TUNING-001 CERRADA — HWM + RECONNECT_IVL en todos los sockets ZMQ del proyecto. Prerequisito de BACKLOG-BENCHMARK-CAPACITY-001 satisfecho.
• DEBT-AUTONOMY-CRYPTO-INTEGRATION-001 registrada — Integración en etcd-server/main.cpp pendiente (P0 DAY 156). Consejo 6/8: etcd-server como proceso propietario.
• EMECAS HARDENED PASSED — -Werror + -O3 + -flto + producción limpio. AppArmor 6/6. Falco 11 reglas. BSR verificado. Tag v0.9.0-day155.

Hitos DAY 154 🎉

• ADR-045 VaultClient decomposition COMPLETA — ICryptoDeriver + HkdfCryptoDeriver (6 tests), IEtcdRegistrar + StubEtcdRegistrar (4 tests). VaultClient por composición con 4º ctor inyectable. 7 tests common/. v0.8.0-adr045.
• DEBT-FIREWALL-AUTONOMY-MODE-001 CERRADA — FirewallAutonomyReactor: AUTONOMOUS/DEGRADED → iptables -I INPUT 1 argus-autonomy-deny DROP, NORMAL → iptables -D INPUT. Executor inyectable (testable sin root). 6 tests. 48/48 firewall tests verdes.
• Fix EMECAS — crypto_deriver.h y etcd_registrar.h añadidos al install target. test_auto_isolate T6 corregido para -Werror en production build.
• Consejo 8/8 — ZMQ directo para señal autonomía (P0 DAY 155). Default-deny actual INCORRECTA para hospitales → DEBT-FIREWALL-DENY-SELECTIVE-001 P0 DAY 155.
• EMECAS: bootstrap ✅ | test-all ✅ | hardened-full ✅ | check-prod-all ✅.

Hitos DAY 149 🎉

• DEBT-PARQUET-SCHEMA-001 CERRADA — Schema Arrow v1.0: ml_detector_events (15 fields) + firewall_acl_events (7 fields). 207,122 filas / 53 días. Ratio 11-12x. make parquet-convert + make test-parquet en test-all. Tipos acordados Consejo 8/8.
• Vault dev mode + K_pseudo prototipo — Vault v2.0.0. HMAC-SHA256 determinismo OK, aislamiento OK, post-destroy irrecuperable. Evidencia técnica GDPR para Dr. Andrés Caro Lindo.
• Ansible + Jinja2 CI/CD pipeline — ansible/templates/*.json.j2, deploy_configs.yml. Ejecutado en VM: 9 OK, 3 changed, 0 failed. make deploy-configs.
• ADR-044 aprobado (Consejo 8/8) — Jenkins como entropy orchestrator. Vault autoridad criptográfica. common/vault_client C++20. Paths por familia. etcd barrera pre-arranque. Rotación manual FEDER. Edge nodes autónomos con cache TTL 72h.
• Abstract v24 — "architecturally complementary by design". PR #63.
• 5 PRs mergeados. Main en 81490fcb.

Hitos DAY 145 🎉

• ADR-029 Variant A vs B x86 — libpcap ~2× eBPF en VirtualBox virtio (artefacto SKB mode). Equivalencia funcional confirmada.
• Bootstrap múltiple — bootstrap-x86-ebpf + bootstrap-x86-libpcap. bootstrap = alias de A.
• pipeline-status distingue Variant A/B + detecta invariant violation.
• Relay targets — resumen inline por velocidad + rutas log + nota MTU en banner.
• Paper v19 — §6 ADR-029, §10.9, §11.17, §12, abstract actualizado.
• Failed packets (2,630): artefacto fijo pcap CTU-13 Neris — frames jumbo MTU VirtualBox. No son errores del pipeline.

Hitos DAY 146 🎉

• EMECAS verde — 4 deudas técnicas cerradas: DEBT-IRP-TMPFILES-001, DEBT-IRP-IPSET-TMP-001, DEBT-BOOTSTRAP-SNIFFER-VERIFY-001, DEBT-EMECAS-VERIFICATION-001.
• Experimento comparativo Suricata 6.0.10 vs aRGus NDR — CTU-13 Neris, mismas condiciones. Suricata: 0 alertas (ET Open no cubre Neris 2011). aRGus: F1=0.9985, Recall=1.0000.
• Makefile: make up-argus, make up-suricata, make halt-argus, make halt-suricata, make experiment-suricata-run/results.
• Paper Draft v20 generado — nueva §8.13 con comparativa directa, Tabla comparación actualizada con datos empíricos Suricata.
• Vagrantfile Suricata operativo — nictype1 virtio (fix crítico DHCP NAT), 50,010 reglas ET Open cargadas.

Hitos DAY 148 🎉

• Suricata offline validation — suricata -r neris.pcap -k none, 50,010 ET Open rules (251 IRC, 475 botnet/C2, 853 trojan). 323,154 paquetes. 0 firmas ET disparadas. 128 alertas internas de motor. Criterio de Kimi satisfecho — conclusión irrefutable.
• §8.13 paper — párrafo "Offline validation with full ruleset enforcement" insertado (DAY 148).
• §8.14 paper — framing taxonómico: "decision architecture taxonomies", "measurement layer", "telemetry platform", "Observability does not imply classification".
• §10 Future Work — 5 subsecciones completas: baremetal, corpus, acrl, hardened, Zeek Phase 2 (detect-botnets.zeek, Intel framework temporal limitation).
• Tabla §8.2 — fila Zeek 8.1.2 añadida (F1=0.042, Prec=1.000, Recall=0.022).
• Abstract v23 — tres paradigmas + complementariedad (Zeek telemetry + Suricata signatures + aRGus ML behavioral).
• arXiv replace v19→v23 — submitted como v3 (submit/7576269).
• DEBT-IRP-FLOAT-TYPES-001 CERRADA — IrpConfig::threat_score_threshold double→float. Parche IEEE 754 eliminado. EMECAS PROFILE=production ALL TESTS COMPLETE.
• fix(.gitignore) — excluir protocol-EMECAS-output-.md, docs/argus_ndr_v.pdf, docs/latex/*.zip. Untrack build symlinks.
• Tag: v0.7.1-day148.

Hitos DAY 147 🎉

• Bug fix pipeline-status — pgrep fallback para procesos huérfanos (tmux + pgrep OR). Commit 42c04b06.
• Búsqueda ruleset ET Open 2011 — no encontrado en fuentes públicas. Hallazgo clave: Neris CTU-13 escenario 42 usa HTTP C2, no solo IRC. Paper v21 §8.13 actualizado.
• Experimento Zeek 8.1.2 (tres paradigmas) — modo offline (zeek -r pcap), scripts por defecto, determinístico:
  • Suricata 6.0.10: F1=0.000, TP=0 (sin firmas para Neris 2011)
  • Zeek 8.1.2 (default): F1=0.042, Precision=1.000, TP=14 (SSL::Invalid_Server_Cert)
  • aRGus NDR: F1=0.9985, Recall=1.000, TP=646
• weird.log: Zeek observa IRC, HTTP beaconing, SMB lateral movement, spam — sin alertar. Distinción observabilidad vs detección.
• Paper Draft v21 — §8.13 hallazgos reales DAY 147 + Springer 2023 (signature aging).
• Paper Draft v22 — §8.14 Three Paradigms (tablas + análisis + §13 reproducibilidad Zeek).
• Makefile: make experiment-zeek-up/run/results. Infraestructura experiments/zeek-comparative/.
• Tag: v0.7.1-day147.

Hitos DAY 143-144 🎉

• DEBT-IRP-NFTABLES-001 CERRADA — IRP completo: config → disparo → fork()+execv() → AppArmor 7/7 enforce → 12/12 tests.
• DEBT-IRP-SIGCHLD-001 CERRADA — SA_NOCLDWAIT. SigchldTest.NoZombiesAfterNForks PASSED.
• DEBT-IRP-AUTOISO-FALSE-001 CERRADA — isolate.json única fuente de verdad. 5 tests PASSED.
• DEBT-IRP-BACKUP-DIR-001 CERRADA — /run/argus/irp/. AppArmor + provision.sh actualizados.
• Gate ODR production SUPERADO — 3 ODR violations reales detectadas y corregidas bajo -flto.

Deuda técnica abierta

Deuda	Prioridad	Target
DEBT-IRP-TMPFILES-001	✅ CERRADA DAY 146	tmpfiles.d + provision.sh
DEBT-IRP-IPSET-TMP-001	✅ CERRADA DAY 146	ipset_wrapper /run/argus/irp/
DEBT-EMECAS-VERIFICATION-001	✅ CERRADA DAY 146	README.md blockquote EMECAS
DEBT-IRP-FLOAT-TYPES-001	✅ CERRADA DAY 148	float consistente con Detection::confidence (protobuf)
DEBT-IRP-PROB-CONJUNTA-001	🟡 P1	post-FEDER (señal conjunta)
DEBT-ETCD-HA-QUORUM-001	🔴 P0	post-FEDER (OBLIGATORIO)
DEBT-IRP-QUEUE-PROCESSOR-001	🔴 Alta	post-merge
DEBT-JENKINS-SEED-DISTRIBUTION-001	🔴 Alta pre-FEDER	ADR-044 definido — implementación DAY 150+
DEBT-CRYPTO-MATERIAL-STORAGE-001	✅ CERRADA DAY 149	Vault dev mode + K_pseudo prototipo
DEBT-MUTEX-ROBUST-001	🟡 P1	post-FEDER
DEBT-PARQUET-TIMESTAMP-NS-001	🟡 P2	firewall-acl-agent ms→ns en origen
DEBT-ALERTING-EDGE-SOS-001	🔴 P1 pre-FEDER	SOS webhook edge→Discord/Telegram/email
DEBT-CRYPTO-STAMPEDE-001	✅ CERRADA DAY 150	Jitter implementado en vault_client.cpp
DEBT-CRYPTO-HEARTBEAT-001	🟡 P1	Heartbeat periódico etcd post-crypto_ready
DEBT-VAULT-HA-001	🟡 P1 post-FEDER	Vault HA backend raft para producción
DEBT-ADR040-001..012	⏳	post-FEDER
DEBT-ADR041-001..006	⏳	pre-FEDER

| DEBT-PARQUET-SCHEMA-001 | ✅ CERRADA DAY 149 | Schema Arrow v1.0, 207K filas, 11-12x | | DEBT-VAULT-FEDERATION-001 | 🟡 P1 pre-FEDER | Offboarding instalaciones: destrucción de claves, retención de datos GDPR | | DEBT-LEGAL-DATA-RETENTION-001 | 🟡 P1 pre-FEDER | Dictamen jurídico GDPR retención datos pseudonimizados post-cliente | | DEBT-KPSEUDO-ROTATION-MIGRATION-001 | 🟡 P1 pre-FEDER | Migración identidades Neo4j tras rotación K_pseudo | | DEBT-GDPR-ERASURE-001 | 🟡 P1 pre-FEDER | Flujo derecho al olvido Art. 17 GDPR — comando borrado firmado | | DEBT-CRYPTO-AUTONOMY-001 | 🔴 P1 pre-FEDER | Máquina de estados EXTENDED_AUTONOMY | | DEBT-FIREWALL-AUTONOMY-MODE-001 | ✅ CERRADA DAY 154 | FirewallAutonomyReactor | | DEBT-FIREWALL-DENY-SELECTIVE-001 | ✅ CERRADA DAY 155 | Cadena argus-autonomy selectiva, whitelist JSON | | DEBT-CRYPTO-RECONCILIATION-001 | ✅ CERRADA DAY 157 | shared_mode + staleness guard 30s, 9/9 tests | | DEBT-CRYPTO-CACHE-PERSISTENT-PROD-001 | 🟡 P1 pre-FEDER | Cache cifrada en prod edge (LUKS obligatorio) | | DEBT-EMECAS-DUAL-COMPILATION-001 | 🟡 P1 | CI compila ARGUS_VAULT_ENABLED=ON y OFF | | DEBT-CRYPTO-REVOCATION-LOCAL-001 | 🟡 P1 post-FEDER | Revocación offline sin Vault | | DEBT-LICENSE-VAULT-001 | ⏳ P2 post-FEDER | Servidor licencias en Vault (plugin system) | | DEBT-PLUGIN-ENTERPRISE-001 | ⏳ P2 post-FEDER | Definir plugins enterprise vs community | | DEBT-KPSEUDO-HKDF-HIERARCHY-001 | ⏳ P3 post-FEDER | Jerarquía HKDF para K_pseudo (host/flow/model desde K_root) |

Próxima frontera — DAY 158+

1. ✅ DEBT-AUTONOMY-CRYPTO-INTEGRATION-001 CERRADA DAY 156
2. ✅ DEBT-AUTONOMY-STATE-PERSISTENCE-001 CERRADA DAY 157
3. ✅ DEBT-BOOTSTRAP-STATUS-SIGNATURE-001 CERRADA DAY 157
4. ✅ DEBT-KEYPAIR-LIFECYCLE-PROD-001 CERRADA DAY 157
5. ✅ DEBT-CRYPTO-RECONCILIATION-001 CERRADA DAY 157 (staleness guard B1)
6. DEBT-BOOTSTRAP-STATUS-SIGNATURE-CONSUMERS-001 P2 — ExecStartPre= + check-bootstrap-status.sh. Verificar firma Ed25519 antes de iniciar componentes dependientes.
7. DEBT-CRYPTO-AUTONOMY-001 P2 — Máquina de estados EXTENDED_AUTONOMY completa en etcd-server.
8. DEBT-ALERTING-EDGE-SOS-001 P1 — Webhook SOS configurable por despliegue.
9. BACKLOG-BENCHMARK-CAPACITY-001 — Benchmarks sintéticos VirtualBox (baseline) + hardware físico FEDER.

---

🏗️ Tres variantes del pipeline

Variante	Estado	Descripción
aRGus-dev	✅ Activa (main)	x86-debug, imagen Vagrant completa. Para investigación y desarrollo diario.
aRGus-production	🟡 En construcción	x86-apparmor + arm64-apparmor. AppArmor enforce, cap_bpf, Falco, noexec. Para hospitales, escuelas, municipios.
aRGus-seL4	⏳ Research track post-FEDER	Kernel seL4, libpcap. Reescritura completa. Branch independiente.

---

📄 Preprint

arXiv: arXiv:2604.04952 [cs.CR] Published: 3 April 2026 · Draft v19 (ADR-029 Variant A vs B) · MIT license Code: https://github.com/alonsoir/argus

---

🎯 Mission

Democratize enterprise-grade cybersecurity for hospitals, schools, and small organizations that cannot afford commercial solutions.

Philosophy: Via Appia Quality — Systems built like Roman roads, designed to endure.

"Un escudo que aprende de su propia sombra."

---

📊 Validated Results

Metric	Value	Notes
F1-score (CTU-13 Neris)	0.9985	Stable across 4 replay runs
Precision	0.9969
Recall	1.0000	Zero missed attacks (FN=0)
Suricata 6.0.10 F1 (CTU-13 Neris)	0.000	0 alerts — ET Open rules retired for 2011 threats
Zeek 8.1.2 F1 (CTU-13 Neris, default)	0.042	Precision=1.000, 14 TP (SSL::Invalid_Server_Cert)
XGBoost Precision (CIC-IDS-2017 val)	0.9945	In-distribution, threshold=0.8211
XGBoost Wednesday OOD	Documented impossibility	Structural covariate shift — §8 paper
Inference latency (XGBoost)	1.986 µs/sample	Gate <2µs ✅
Inference latency (RF)	0.24–1.06 µs	Per-class, embedded C++20
Throughput ceiling (virtualized)	~33–38 Mbps	VirtualBox NIC limit, not pipeline
Stress test	2,374,845 packets — 0 drops	100 Mbps requested, loop=3
RAM (full pipeline)	~1.28 GB	Stable under load
BSR — Dev VM	719 pkgs / 5.9 GB	gcc, g++, clang, cmake present
BSR — Hardened VM	304 pkgs / 1.3 GB	NONE (check-prod-no-compiler: OK) ✅
AppArmor profiles	6/6 enforce	cap_bpf (Linux ≥5.8), no cap_sys_admin
Falco rules	11 aRGus-specific	modern_ebpf driver
Variant B tests	9/9 PASSED	DAY 142 — buffer=8MB verificado
ADR-029 Variant A eBPF (VBox)	~10 Mbps / 9,178 pps	DAY 145 — techo virtio SKB mode
ADR-029 Variant B libpcap (VBox)	~19 Mbps / 17,614 pps	DAY 145 — ~2× eBPF en virtio
IRP cycle	PASS	NORMAL→ISOLATED→ROLLBACK→NORMAL DAY 142

Nota ADR-029 — Failed packets (2,630): Artefacto fijo del pcap CTU-13 Neris. Frames jumbo que superan el MTU 1500 de VirtualBox (errno=90 EMSGSIZE). Conteo idéntico en los 6 runs — confirma origen en el fichero, no en el pipeline. El sniffer nunca ve esos frames. No son errores del pipeline.

---

🔒 Security Hardening — ADR-030 Variant A

Build/Runtime Separation (BSR) — ADR-039

Environment	Packages	Disk	Compilers
Dev VM	719	5.9 GB	gcc, g++, clang, cmake
Hardened VM	304	1.3 GB	NONE ✅

Linux Capabilities — no SUID root

Component	Capabilities
sniffer	cap_net_admin,cap_net_raw,cap_bpf,cap_ipc_lock
firewall-acl-agent	cap_net_admin
etcd-server	cap_ipc_lock (+ LimitMEMLOCK=16M)
argus-network-isolate	cap_net_admin (AppArmor enforce — DAY 143)
ml-detector, rag-ingester, rag-security	none

AppArmor — 6 profiles enforce · Falco — 11 aRGus-specific rules

---

🔧 Prerequisites

macOS

brew install --cask virtualbox
brew install --cask vagrant
xcode-select --install

Note: git clone --recurse-submodules is required. third_party/llama.cpp is a git submodule. Cloning without this flag leaves it empty and rag-security builds without LLM support. Use make submodule-init to fix an existing clone.

Linux (Debian/Ubuntu)

sudo apt-get update
sudo apt-get install -y make

VirtualBox from official repo (apt may be outdated):

wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo gpg --dearmor -o /usr/share/keyrings/oracle-virtualbox.gpg
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/oracle-virtualbox.gpg] https://download.virtualbox.org/virtualbox/debian $(lsb_release -cs) contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
sudo apt-get update && sudo apt-get install -y virtualbox-7.0

Vagrant:

wget -O - https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt-get update && sudo apt-get install -y vagrant

Linux (RHEL/Fedora/CentOS)

sudo dnf install -y make

VirtualBox:

sudo dnf install -y kernel-devel kernel-headers dkms
sudo dnf config-manager --add-repo https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo
sudo dnf install -y VirtualBox-7.0

Vagrant:

sudo dnf config-manager --add-repo https://rpm.releases.hashicorp.com/fedora/hashicorp.repo
sudo dnf install -y vagrant

Note: git clone --recurse-submodules is required. third_party/llama.cpp is a git submodule. Cloning without this flag leaves it empty and rag-security builds without LLM support. Use make submodule-init to fix an existing clone.

Note (RHEL/CentOS): VirtualBox requires Secure Boot to be disabled or the kernel module to be signed. On WSL2, VirtualBox is not supported — use a native Linux install.

Windows 11 (best-effort, not officially supported)

⚠️ aRGus NDR only produces Linux binaries (x86-64 and ARM64). There are no Windows binaries and none are planned. The pipeline runs inside a Linux VM — Windows is only the host.

Prerequisites:

winget install Git.Git
winget install Oracle.VirtualBox
winget install Hashicorp.Vagrant

Run all commands from Git Bash (not CMD or PowerShell — the Makefile requires bash syntax).

⚠️ Hyper-V conflict: Windows 11 enables Hyper-V by default for WSL2. VirtualBox 7.0+ has experimental Hyper-V support but with ~30% performance penalty. You must choose one of:

• Disable Hyper-V (loses WSL2): bcdedit /set hypervisorlaunchtype off + reboot
• Use VirtualBox 7.0+ in Hyper-V mode (slower, less stable)

Not tested by the maintainer. If you hit issues on Windows 11, please open an issue — we'll help with the resources we have.

---

🚀 Quick Start

⚠️ Vagrant is required. Native Linux bootstrap without Vagrant is not yet implemented (DEBT-NATIVE-LINUX-BOOTSTRAP-001). Running make directly on a bare Linux host will fail.

# STEP 1 — Clone with submodules (mandatory — llama.cpp is a git submodule)
git clone --recurse-submodules https://github.com/alonsoir/argus.git
cd argus

# Already cloned without --recurse-submodules? Fix it:
# make submodule-init

📦 TinyLlama model (tinyllama-1.1b-chat-v1.0.Q4_0.gguf, ~700MB) is downloaded automatically during vagrant up. It is gitignored and never committed to the repo.

# STEP 2 — Start VM and provision all dependencies (~20-30 min first time)
# Downloads TinyLlama, builds llama.cpp, installs FAISS/ONNX/XGBoost/libsodium
make up && make bootstrap

Workflow diario (REGLA EMECAS)

vagrant destroy -f && vagrant up && make bootstrap && make test-all

¿Por qué EMECAS? El protocolo garantiza reproducibilidad total: cada sesión parte de una VM limpia, claves criptográficas regeneradas, pipeline compilado desde cero y suite de tests completa. Un ❌ en cualquier punto es bloqueante — no se fusiona ni avanza trabajo hasta que make test-all termina con exit 0 y pipeline-status muestra 6/6 RUNNING. El sniffer puede tardar hasta 4 segundos en estabilizar su sesión tmux tras el arranque; si pipeline-status muestra ❌ sniffer inmediatamente después del bootstrap, esperar 5 segundos y repetir make pipeline-status antes de escalar.

Hardened VM (ADR-030 Variant A)

make hardened-full   # destroy → up → provision → build → deploy → check

---

🗺️ Roadmap

✅ DONE — DAY 146 (9 May 2026) — Suricata Comparative + Deudas 🎉

Task	Result
EMECAS verde	✅ 4 deudas cerradas
Experimento Suricata vs aRGus	✅ 0 alertas Suricata vs F1=0.9985 aRGus
Makefile up/halt-argus/suricata	✅ Topología dual
Paper Draft v20	✅ §8.13 + Tabla comparativa empírica

✅ DONE — DAY 145 (8 May 2026) — ADR-029 Variant A vs B 🎉

Task	Result
EMECAS ritual	✅ 65/65 PASSED
PCAP relay x86 eBPF (Variant A)	✅ ~10 Mbps, 320,524 pkts, exit=0
PCAP relay x86 libpcap (Variant B)	✅ ~19 Mbps, 320,524 pkts, exit=0
Merge feature/variant-b-libpcap → main	✅ v0.7.0-variant-b
Bootstrap múltiple (x86-ebpf / x86-libpcap)	✅ Makefile actualizado
Paper Draft v19	✅ §6 ADR-029, §10.9, §11.17, §12

✅ DONE — DAY 143-144 — IRP completo + ODR gate 🎉

• DEBT-IRP-NFTABLES-001 CERRADA — IRP completo, AppArmor 7/7 enforce, 12/12 tests
• DEBT-IRP-SIGCHLD-001 CERRADA — SA_NOCLDWAIT
• DEBT-IRP-AUTOISO-FALSE-001 CERRADA — isolate.json única fuente de verdad
• DEBT-IRP-BACKUP-DIR-001 CERRADA — /run/argus/irp/
• Gate ODR production PASSED — 3 violations reales corregidas bajo -flto

✅ DONE — DAY 138-142 — ADR-029 Variant B pipeline 🎉

• DEBT-CAPTURE-BACKEND-ISP-001 CERRADA — CaptureBackend 5 métodos puros
• DEBT-VARIANT-B-PCAP-IMPL-001 CERRADA — pipeline pcap → proto → LZ4 → ChaCha20 → ZMQ
• DEBT-VARIANT-B-BUFFER-SIZE-001 CERRADA — pcap_create()+pcap_set_buffer_size()
• DEBT-VARIANT-B-MUTEX-001 CERRADA (Nivel 1) — exclusión mutua via tmux
• Suite 9 tests Variant B — 9/9 PASSED

✅ DONE — DAY 137 (30 Apr 2026) — feature/variant-b-libpcap 🎉

• EMECAS dev + EMECAS hardened PASSED
• capture_backend.hpp · ebpf_backend.hpp/cpp · pcap_backend.hpp/cpp
• main_libpcap.cpp — Variant B sin #ifdef
• sniffer-libpcap compilable y arranca limpio

✅ DONE — DAY 135-136: v0.6.0 🎉

• make hardened-full EMECAS PASSED
• feature/adr030-variant-a → main MERGEADO
• Tag v0.9.3-day158-variant-a publicado
• arXiv replace v15 → v18 ENVIADO

✅ DONE — DAY 133-134: ADR-030 + ADR-040 + ADR-041 🎉

• AppArmor 6/6 enforce · Falco 10 reglas · cap_bpf · Paper v18
• ADR-040 ML Retraining Contract (8/8, 17 enmiendas)
• ADR-041 Hardware Acceptance Metrics FEDER (8/8)
• Pipeline E2E hardened · check-prod-all PASSED

✅ DONE — DAY 151 (14 May 2026) — ICryptoProvider + etcd-server STEP 0 🎉

Task	Result
ICryptoProvider interfaz abstracta (ADR-044)	✅ SeedFileProvider + VaultProvider + factoría
#ifdef ARGUS_VAULT_ENABLED confinado en crypto_provider.cpp	✅ único punto de decisión
libcrypto_provider.so instalada	✅ /usr/local/lib
test_crypto_provider_community 10/10	✅ fixture propio sin root
etcd-server STEP 0: bootstrap status + fingerprint	✅ 0079087736d9d62a...
Opción B SRP: SeedClient/CryptoTransport ≠ ICryptoProvider	✅ responsabilidades separadas
DEBT-BOOTSTRAP-STATUS-SIGNATURE-001 registrada	✅ P1 pre-FEDER
make test-all verde 55+ tests	✅ pipeline 6/6 RUNNING
ADR-045 aprobado (VaultClient por composición)	✅ Consejo 8/8

🔜 NEXT — DAY 149+ (secuencia confirmada Consejo 8/8)

Priority	Task
✅	DAY 149 — DEBT-PARQUET-SCHEMA-001: CERRADA. Schema Arrow v1.0, 207K filas, 11-12x
✅	DAY 149 — DEBT-CRYPTO-MATERIAL-STORAGE-001: CERRADA. Vault dev mode + K_pseudo prototipo
🔴 P0	DAY 150 — EMECAS + provision_crypto.sh + common/vault_client (ADR-044 implementación)
🟡 P1	DAY 153-155 — DEBT-JENKINS-SEED-DISTRIBUTION-001: CI/CD seed distribution
🟡 P1	DAY 156+ — feature/adr029-variant-c-arm64: solo si A+B+C verdes
🟡 P1	Esta semana — Email Dr. Andrés Caro Lindo: iniciar DEBT-LEGAL-DATA-RETENTION-001

🔜 THEN — PHASE 5: Adversarial Capture-Retrain Loop

• DEBT-PENTESTER-LOOP-001 — ACRL completo
• BACKLOG-FEDER-001 — presentación Andrés Caro Lindo
• aRGus-production ARM64
• aRGus-seL4 research branch (post-FEDER, equipo especializado)

---

🗺️ Milestones

• ✅ DAY 111: arXiv:2604.04952 PUBLICADO 🎉
• ✅ DAY 113: ADR-025 MERGED — v0.3.0-plugin-integrity 🎉
• ✅ DAY 118: PHASE 3 COMPLETADA — v0.4.0 🎉
• ✅ DAY 122: PHASE 4 COMPLETADA — v0.5.0-preproduction 🎉
• ✅ DAY 124: ADR-037 MERGED — v0.9.3-day158 🎉
• ✅ DAY 129: CWE-78 CERRADO — execv() sin shell 🎉
• ✅ DAY 130: REGLA EMECAS · libFuzzer 2.4M runs 🎉
• ✅ DAY 133: ADR-030 Variant A — cap_bpf · AppArmor 6/6 · Falco 10 reglas 🎉
• ✅ DAY 134: ADR-040 (8/8, 17 enmiendas) · ADR-041 FEDER HW Metrics (8/8) 🎉
• ✅ DAY 136: v0.9.3-day158-variant-a · merge main 🎉
• ✅ DAY 137: feature/variant-b-libpcap · sniffer-libpcap compilable · KISS 🎉
• ✅ DAY 138: ISP cerrado · pipeline Variant B completo · 8/8 tests · Consejo 8/8 🎉
• ✅ DAY 140: 192→0 warnings · -Werror activo · ODR limpio 🎉
• ✅ DAY 141: DEBT-VARIANT-B-CONFIG-001 · sniffer-libpcap.json · emails FEDER 🎉
• ✅ DAY 142: IRP pasos 1-6 · buffer=8MB · mutex Nivel 1 · Consejo 8/8 🎉
• ✅ DAY 143: DEBT-IRP-NFTABLES-001 sesión 3/3 CERRADA — IRP completo · AppArmor 7/7 · 12 tests 🎉
• ✅ DAY 144: 3 deudas P0 IRP cerradas · Gate ODR production · 65/65 tests 🎉
• ✅ DAY 145: ADR-029 Variant A vs B x86 · libpcap ~2× eBPF en virtio · Bootstrap múltiple · Paper v19 · v0.7.0-variant-b 🎉
• ✅ DAY 146: Experimento Suricata comparativo · 0 alertas ET Open vs F1=0.9985 aRGus · Paper v20 §8.13 · v0.7.1-day146 🎉
• ✅ DAY 147: Experimento tres paradigmas (Suricata+Zeek+aRGus) · Paper v22 §8.14 · HTTP C2 hallazgo · weird.log behavioral profile · v0.7.1-day147 🎉
• ✅ DAY 147: ADR-0043 v4 ACEPTADO — Memoria Episódica Distribuida, Consejo 8/8, 4 versiones 🎉
• ✅ DAY 149: Schema Parquet Arrow v1.0 · Vault CI/CD pipeline · ADR-044 · Ansible+Jinja2 · 5 PRs · v0.7.2-day149 🎉
• ✅ DAY 150: ADR-044 implementación completa · provision_crypto.sh · vault_client C++20 · Jenkinsfile Provision Crypto · EMECAS verde 🎉
• ✅ DAY 154: ADR-045 VaultClient decomposition · DEBT-FIREWALL-AUTONOMY-MODE-001 CERRADA · 48/48 tests · v0.8.0-adr045 🎉
• ✅ DAY 155: DEBT-FIREWALL-DENY-SELECTIVE-001 · DEBT-AUTONOMY-ZMQ-EVENTS-001 · BACKLOG-ZMQ-TUNING-001 · 49/49 tests · EMECAS HARDENED PASSED · v0.9.0-day155 🎉
• ✅ DAY 161: DEBT-WIRE-PROTOCOL-TEST-001 · Jenkinsfile.dev+prod · test-e2e-live delta · Consejo 8/8 · v0.9.5-day161 (pendiente) 🎉
• ✅ DAY 160: DEBT-ENTERPRISE-PLUGIN-001 · libvault_provider.so 6/6 tests · Jenkins 2.555.2 + Vault v2.0.1 · ADR-048 Dataset Production Roadmap definido · v0.9.4-day160 🎉
• ✅ DAY 157: 4 deudas cerradas · Consejo 8/8 · Staleness guard · Keypair lifecycle prod · Bootstrap firmado · EMECAS VERDE · v0.9.2-day157 🎉
• ✅ DAY 156: DEBT-AUTONOMY-CRYPTO-INTEGRATION-001 · Test B 7/7 + Test A 4/4 · Fix ZMQ slow joiner · EMECAS VERDE 50/50 · v0.9.1-day156 🎉
• ✅ DAY 151: ICryptoProvider + SeedFileProvider + VaultProvider · etcd-server STEP 0 · ADR-045 aprobado · 55+ tests verdes · v0.8.0-day151 🎉
• ✅ DAY 148: Suricata offline irrefutable · Paper v23 · arXiv replace v3 · DEBT-IRP-FLOAT-TYPES-001 cerrada · v0.7.1-day148 🎉
• 🔜 DAY 146+: DEBT-IRP-TMPFILES-001 · DEBT-IRP-IPSET-TMP-001 · experiment-comparative · ARM64 scope

---

🧠 Consejo de Sabios — Multi-Model Peer Review

Claude (Anthropic) · Grok (xAI) · ChatGPT (OpenAI) · DeepSeek · Qwen (Alibaba) · Gemini (Google) · Kimi (Moonshot) · Mistral

Metodología: desacuerdo estructurado. Documentado en §6 del preprint.

---

Hardened Deployment (ADR-030 Variant A)

make hardened-full          # EMECAS sagrado — destroy → up → provision → build → deploy → check
make hardened-redeploy      # iteración rápida sin destroy
make prod-deploy-seeds      # deploy seeds explícito (nunca en EMECAS)
make check-prod-all         # 5/5 gates: BSR + AppArmor + cap_bpf + permissions + Falco

---

📄 License

MIT License — See LICENSE

Via Appia Quality 🏛️ — Built to last decades.