codeGROOVE-dev
diff --git a/‎README.md‎
Lines changed: 57 additions & 66 deletions b/‎README.md‎
Lines changed: 57 additions & 66 deletions
diff --git a/‎cmd/agent/executeCommand.go‎
Lines changed: 14 additions & 15 deletions b/‎cmd/agent/executeCommand.go‎
Lines changed: 14 additions & 15 deletions
@@ -1,99 +1,90 @@
-# gitMDM: The MDM that isn't
+# gitMDM
 
-![gitMDM Logo](media/logo_small.png)
+Security-first compliance reporting that doesn't compromise your infrastructure.
 
-⚠️ **HIGHLY EXPERIMENTAL - MAY EAT YOUR CAT** ⚠️
+## The Problem
 
-## What
+Every MDM is a backdoor. They typically require root access and arbitrary remote code execution. They're incompatible with secure-by-default operating systems. Yet auditors require them for SOC 2.
 
-A "Mobile Device Management" solution that stores compliance data in Git. Built to pass SOC 2 without requiring a highly privileged RCE
+## The Solution
 
-## Why
+gitMDM proves compliance without compromising security:
+- **No arbitrary remote code execution** - Checks are compiled into the agent binary
+- **No privileged access** - Runs as a normal user
+- **No phone-home** - Your git repo, your endpoint, your control
+- **Works everywhere** - Including secure-by-default systems such as OpenBSD.
 
-Because real MDMs are backdoors with compliance features. This just generates the reports auditors want without the ability to actually control your devices.
-
-## Philosophy
-
-- **Can't manage devices** - Only reports on them
-- **Can't execute commands** - Read-only by design
-- **Can't phone home** - Your Git repo, your control
-- **Can't compromise systems** - No privileges, no access
-
-## Architecture
+## How It Works
 
 ```
-Device → Agent (reads) → Server (receives) → Git (stores) → Auditor ✅
+[Agent]                    [Server]                   [Git]
+Run compiled checks  →  Receive reports only  →  Immutable audit trail
 ```
 
-## Features
+The server **cannot** push commands. Ever. That's the point.
 
-Proves compliance without control:
-- Disk encryption status
-- Firewall configuration
-- User accounts
-- System updates
-- Screensaver locks
+## Quick Start
 
-## Cross Platform
+```bash
+# Server
+./gitmdm-server -git [email protected]:org/compliance.git -api-key SECRET
 
-We currently support:
+# Agent (checks compiled in from checks.yaml)
+./gitmdm-agent -server https://server:8080
+```
 
-* Linux
-* macOS
-* FreeBSD
-* OpenBSD
-* NetBSD
-* DragonFlyBSD
-* Solaris
-* illumos
-* Windows 11
+## What You Get
 
-gitMDM supports any architecture supported by the Go programming language: from riscv to ppc64.
+SOC 2 compliance evidence in git:
+```
+devices/laptop-alice/disk_encryption.json  ✓
+devices/laptop-alice/screen_lock.json      ✓
+devices/server-prod/firewall.json          ✓
+```
 
-## Installation
+Every check, every change, cryptographically signed and timestamped.
 
-```bash
-# Build
-make build
+## Supported Platforms
 
-# Server (pick one)
-./gitmdm-server -git https://github.com/you/compliance.git  # Clone & push
-./gitmdm-server -clone /path/to/repo                        # Use existing
+Linux, macOS, Windows, FreeBSD, OpenBSD, NetBSD, DragonFlyBSD, Solaris, illumos
 
-# Agent
-./gitmdm-agent -server http://your-server:8080
+## checks.yaml
 
-# Deploy
-echo "gitmdm-agent -server http://your-server:8080" | crontab -
+```yaml
+checks:
+  disk_encryption:
+    openbsd: "bioctl softraid0 | grep -q CRYPTO"
+    linux: "lsblk -o NAME,FSTYPE | grep -q crypto_LUKS"
+    darwin: "fdesetup status | grep -q 'On'"
 ```
 
-## GitHub Auth
-
-```bash
-# Use SSH (recommended)
-./gitmdm-server -git [email protected]:you/compliance.git
+Edit, compile, deploy. No runtime configuration files to tamper with.
 
-# Or GitHub CLI
-gh auth setup-git
-```
+## Security Guarantees
 
-## Configuration
+- Server compromise = read-only access to compliance reports
+- No arbitrary code execution, even with root on the server
+- Agent decides what runs based on compiled-in checks
+- Bash restricted mode when shell execution is needed
 
-Edit `checks.yaml` to define compliance checks. Default config satisfies most auditors.
+## Building
 
-## Security
-
-Traditional MDMs: Give someone your house keys to check if the door is locked.
-gitMDM: Someone photographs your locked door from across the street.
+```bash
+vim checks.yaml  # Define your compliance checks
+make build       # Compiles checks into binary
+```
 
-**Result**: Compliance without compromise.
+## FAQ
 
-**Note**: The server accepts reports without authentication by default. While this means anyone could submit false compliance data, they still can't access or control your actual devices. Enable API key authentication (`-api-key`) or use network-level controls if you need to verify report sources.
+**Q: Is this SOC 2 compliant?**
+A: It generates the reports auditors need. Without the backdoors.
 
-## Disclaimer
+**Q: What if we need to change checks?**
+A: Rebuild and redeploy. Immutability is a feature.
 
-This software proves compliance. It doesn't actually manage devices. That's the point.
+**Q: Why git?**
+A: Cryptographic proof, audit trail, existing tooling, no database.
 
 ---
 
-*Built with spite by someone who wanted to pass SOC 2 with OpenBSD.*
+*Built for organizations that refuse to compromise security for compliance.*
@@ -5,20 +5,19 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"gitmdm/internal/gitmdm"
 	"log"
 	"os/exec"
 	"strings"
 	"time"
-
-	"gitmdm/internal/types"
 )
 
 // executeCommandWithPipes executes a command and captures stdout/stderr separately.
 // SECURITY: Commands come from checks.yaml which must be controlled by the system admin.
 // Bash restricted mode (-r) prevents: cd, PATH changes, output redirection, running programs
 // with / in name. Complex shell operations (pipes, grep, awk) are still allowed by design
 // as they're needed for compliance checks. The agent runs with user privileges only.
-func (*Agent) executeCommandWithPipes(ctx context.Context, checkName, command string) types.Check {
+func (*Agent) executeCommandWithPipes(ctx context.Context, checkName, command string) gitmdm.Check {
 	start := time.Now()
 	ctx, cancel := context.WithTimeout(ctx, commandTimeout)
 	defer cancel()
@@ -44,8 +43,17 @@ func (*Agent) executeCommandWithPipes(ctx context.Context, checkName, command st
 	duration := time.Since(start)
 
 	// Limit output sizes
-	stdout := limitOutput(stdoutBuf.Bytes(), maxOutputSize)
-	stderr := limitOutput(stderrBuf.Bytes(), maxOutputSize)
+	stdoutBytes := stdoutBuf.Bytes()
+	stdout := string(stdoutBytes)
+	if len(stdoutBytes) > maxOutputSize {
+		stdout = string(stdoutBytes[:maxOutputSize]) + "\n[Output truncated to 10KB]..."
+	}
+
+	stderrBytes := stderrBuf.Bytes()
+	stderr := string(stderrBytes)
+	if len(stderrBytes) > maxOutputSize {
+		stderr = string(stderrBytes[:maxOutputSize]) + "\n[Output truncated to 10KB]..."
+	}
 
 	// Determine exit code
 	exitCode := 0
@@ -92,19 +100,10 @@ func (*Agent) executeCommandWithPipes(ctx context.Context, checkName, command st
 			duration, exitCode, len(stdout), len(stderr), command)
 	}
 
-	return types.Check{
+	return gitmdm.Check{
 		Command:  command,
 		Stdout:   stdout,
 		Stderr:   stderr,
 		ExitCode: exitCode,
 	}
 }
-
-// limitOutput truncates output if it exceeds maxSize.
-func limitOutput(data []byte, maxSize int) string {
-	if len(data) > maxSize {
-		truncated := data[:maxSize]
-		return string(truncated) + "\n[Output truncated to 10KB]..."
-	}
-	return string(data)
-}