
pre-alpha

Security and trust.

Riposte is an authorized-use-only tool. The safety architecture and the no-telemetry stance are the point, not a disclaimer. Every claim below survives a git clone: the code is in the repo.

The safety architecture.

Safety is not a setting you can forget to enable. It is the spine the rest of the tool hangs from. Each control fails closed: if it cannot run, Riposte does not act.

  • Signed Rules-of-Engagement

    Every run is bound to a signed ROE that names the authorized scope. No ROE, no run.

  • Deny-by-default scope check

    Before every single action, the target is checked against the allowed scope. Anything not explicitly in scope is refused, not merely warned about.

  • Default-deny egress allowlist

    Tool execution runs in a Docker sandbox with a default-deny egress allowlist. Without Docker there is no isolation yet, and scoped egress for active-tier live runs is unfinished. We state this plainly rather than imply an absolute.

  • Mandatory hash-chained audit log

    Riposte refuses to run without a writable, hash-chained audit log. There is no quiet mode.

  • Global kill switch

    A single switch halts all activity. It is meant to be reached for, not buried.

Tiered autonomy, passive by default.

Autonomy is a dial, and it starts at the bottom. The higher tiers are partly unwired, not merely switched off, so we describe each one by what it actually does today.

  1. tier 01: live

    Recon

    Passive and low-touch reconnaissance against the authorized target. This is the default tier.

  2. tier 02: live (reproduce only)

    PoC

    Reproduces an exploit and keeps the artifact. Live findings cap at confirmation = reproduced; the OAST oracle that would justify confirmed is not wired yet.

  3. tier 03: gated (operator approval)

    Exploit-with-approval

    Active exploitation steps require an explicit operator approval per step. Scoped egress for active-tier live runs is still unfinished.

  4. tier 04: off by default (partly unwired)

    Autonomous

    Unsupervised operation is off by default and the cognition spine that would drive it is not wired in. It has not run unsupervised, and we will not claim it has.

The hash-chained audit log.

Every action appends a record to a keyed hash-chained log. Each entry commits to the previous one, so a single altered or deleted line breaks the chain. You verify it yourself, offline, with one command.

$ riposte audit verify --log <dir>/audit.jsonl
OK (chain + anchor verified)

The chain plus a separately stored anchor make the log tamper-evident: not impossible to alter, but impossible to alter without the verifier noticing.
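The mechanism described above, as an added example that is not Riposte's own code: a keyed hash-chained JSON-lines log with an offline verifier. The record layout (`seq`, `prev`, `event`, `mac`), the HMAC-SHA256 keying, the genesis value and the demo key are all assumptions made for this illustration, not the project's actual format. The demo walks through the cases the text implies: an altered line, a deleted line, and a truncated log, the last of which only the separately stored anchor catches.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Assumed record layout (not Riposte's actual format): one JSON object per line with
#   seq   - position in the log, starting at 0
#   prev  - MAC of the previous entry (GENESIS for the first one)
#   event - the action being recorded
#   mac   - HMAC-SHA256 over the canonical JSON of the other three fields
GENESIS = "0" * 64


def _canonical(entry: dict) -> bytes:
    # Sorted keys and fixed separators so the bytes under the MAC do not depend on formatting.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, entry_without_mac: dict) -> str:
    return hmac.new(key, _canonical(entry_without_mac), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, event: dict) -> dict:
    """Append one entry that commits to the previous entry's MAC."""
    entry = {"seq": len(log), "prev": log[-1]["mac"] if log else GENESIS, "event": event}
    entry["mac"] = _mac(key, entry)
    log.append(entry)
    return entry


def head_anchor(log: List[dict]) -> str:
    """The value to store separately from the log: the MAC of its last entry."""
    return log[-1]["mac"] if log else GENESIS


def verify_chain(lines: List[str], key: bytes, anchor: Optional[str] = None) -> Tuple[bool, int, str]:
    """Return (ok, index, reason). Without an anchor, a truncated-but-intact log still verifies."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            return (False, i, "unparseable line")
        mac = entry.pop("mac", None)
        if entry.get("seq") != i or entry.get("prev") != prev:
            return (False, i, "chain break")  # a line was deleted, reordered or re-pointed
        if not isinstance(mac, str) or not hmac.compare_digest(mac, _mac(key, entry)):
            return (False, i, "bad mac")  # contents changed, or wrong key
        prev = mac
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return (False, len(lines), "anchor mismatch")  # trailing lines were dropped
    return (True, len(lines), "ok")


def demo() -> dict:
    """Constructed sample run; every event and the key are made up for this example."""
    key = b"constructed-demo-key-not-for-real-use"
    log: List[dict] = []
    for ev in [
        {"action": "roe.load", "scope": "example.com"},
        {"action": "recon.dns", "target": "example.com"},
        {"action": "recon.http", "target": "https://example.com/"},
    ]:
        append_entry(log, key, ev)
    anchor = head_anchor(log)
    lines = [json.dumps(e, sort_keys=True) for e in log]

    results = {"intact": verify_chain(lines, key, anchor)}

    altered = lines[:]
    e = json.loads(altered[1])
    e["event"]["target"] = "other.example.org"  # rewrite one recorded target
    altered[1] = json.dumps(e, sort_keys=True)
    results["altered"] = verify_chain(altered, key, anchor)

    results["deleted"] = verify_chain(lines[:1] + lines[2:], key, anchor)
    results["truncated_no_anchor"] = verify_chain(lines[:2], key)
    results["truncated_with_anchor"] = verify_chain(lines[:2], key, anchor)
    results["wrong_key"] = verify_chain(lines, b"other-key", anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The `truncated_no_anchor` case is the reason the text insists on a separately stored anchor: chopping entries off the end leaves a perfectly valid chain, so the verifier needs an out-of-band commitment to the expected head to notice.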

No telemetry. There is nothing to disable.

Riposte ships no analytics, no phone-home, no crash reporter, no usage beacon. There is no telemetry module to turn off, because none exists. Run it against a local Ollama or LM Studio model and nothing leaves your machine. When you do point it at a hosted model provider, the only egress is your own model API calls, made with your own key, under your own account.

Adversarial review is the discipline.

Every slice was adversarially reviewed before it landed. These are real bugs that review caught in a security tool, each one found and fixed, the fix in the repo.

  • Percent-encoded-host scope bypass

    A percent-encoded host could slip past the scope check. Found and fixed, fix is in the repo.

  • sqlmap fake-injection

    A path that could report a fabricated injection without a real reproduction. Found and fixed, fix is in the repo.

  • hashcat plaintext leak

    Cracked plaintext could leak into a log surface it should never reach. Found and fixed, fix is in the repo.

  • Homoglyph scope bypass

    A homoglyph hostname could masquerade as an in-scope target. Found and fixed, fix is in the repo.

  • Divergent-path resume re-firing an exploit

    A resumed run on a divergent path could re-fire an exploit it had already run. Found and fixed, fix is in the repo.
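The deny-by-default scope check from the safety architecture section, and the two scope-bypass classes listed above (percent-encoded host, homoglyph hostname), as one added example that is not Riposte's own code. The scope-file semantics (exact hosts, `*.` suffix wildcards, CIDR blocks) and the `Scope` class are assumptions for this illustration. The defensive choice it demonstrates is to compare only canonical forms: hosts are NFKC-normalized and IDNA-encoded to A-labels before matching, anything containing a percent sign or that cannot be canonicalized is refused outright, and an unmatched target is denied rather than warned about.

```python
import ipaddress
import re
import unicodedata
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Letters, digits and hyphens only, in dot-separated labels (what remains after IDNA encoding).
LDH = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def canonical_host(raw: str) -> Optional[str]:
    """Canonical ASCII host, or None when the input cannot be canonicalized safely (fail closed)."""
    host = unicodedata.normalize("NFKC", raw).strip().rstrip(".").lower()
    if not host or "%" in host:
        # A percent sign in a host is never matched as-is: the check does not guess
        # how a downstream tool would decode it, so the target is refused.
        return None
    try:
        return str(ipaddress.ip_address(host))  # IP literal, normalized
    except ValueError:
        pass
    try:
        # Unicode labels become xn-- A-labels here, so a look-alike hostname can
        # only match if its A-label form was explicitly placed in scope.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return host if LDH.match(host) else None


class Scope:
    """Hypothetical scope list: exact hosts, '*.suffix' wildcards and CIDR blocks."""

    def __init__(self, entries: Iterable[str]):
        self.hosts: Set[str] = set()
        self.suffixes: Set[str] = set()
        self.nets: List[ipaddress._BaseNetwork] = []
        for raw in entries:
            entry = raw.strip()
            if "/" in entry:
                self.nets.append(ipaddress.ip_network(entry, strict=False))
                continue
            wildcard = entry.startswith("*.")
            canon = canonical_host(entry[2:] if wildcard else entry)
            if canon is None:
                raise ValueError(f"unusable scope entry: {entry!r}")
            (self.suffixes if wildcard else self.hosts).add(canon)

    def allows(self, target: str) -> bool:
        """Deny unless the canonical host of the target is explicitly in scope."""
        host = urlsplit(target).hostname if "://" in target else target
        canon = canonical_host(host or "")
        if canon is None:
            return False
        try:
            ip = ipaddress.ip_address(canon)
            return any(ip in net for net in self.nets)
        except ValueError:
            pass
        if canon in self.hosts:
            return True
        # '*.corp.example.net' covers subdomains only, not the apex itself.
        return any(canon.endswith("." + suffix) for suffix in self.suffixes)


if __name__ == "__main__":
    # Constructed scope and probes for illustration.
    scope = Scope(["example.com", "*.corp.example.net", "10.0.0.0/8"])
    for probe in ["https://Example.COM./path", "api.corp.example.net", "corp.example.net",
                  "https://exam%70le.com/", "\u0435xample.com", "10.20.30.40", "192.0.2.1"]:
        print(f"{'allow' if scope.allows(probe) else 'deny ':5s} {probe}")
```

Note that `"\u0435xample.com"` (Cyrillic small ie in place of the Latin e) survives NFKC unchanged, so the only thing standing between it and `example.com` is that the comparison happens on the IDNA-encoded form; the same holds for any look-alike label.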

Compliance: a mapping, not an attestation.

Riposte ships a WSTG/ATT&CK to NIST 800-53 / 800-115 crosswalk so you can see which controls a detection touches. This is a mapping, not an attestation. It is not a SOC 2, PCI, or any other certification, and we do not claim one. Commercial compliance attestation is on the planned-not-available list, not here today.