chore: demo hardening, spire-fork sync, overlay cleanup

Major changes:
- spire-fork: sync Go source (claims.go, plugin.go, client.go,
  attested_claims_extension.go) with compiled binaries — ensures
  fresh builds produce correct lah-bundle with
  workload-identity-agent-image-digest
- spire-overlay: removed — consolidated into spire-fork (PR #197)
- Demo scripts: improved test_agents.sh, test_control_plane.sh,
  test_integration.sh, test_onprem.sh reliability
- WASM plugin: updated Envoy filter for lah-bundle parsing
- Rust agent: geolocation_handler.rs improvements
- Proto: updated sovereignattestation.proto definitions
- Docs: added FAQ.md, CONTRIBUTING.md, LICENSE, SECURITY.md,
  demo screenshots, appendix tables
- CI: updated workflow, build scripts cleaned up

All integration tests pass on both demo hosts (10.1.0.10, 10.1.0.11).

Author: ramkri123

.github/workflows/ci.yml

@@ -149,9 +149,9 @@ jobs:
             - name: Build SPIRE Components
               timeout-minutes: 10
               run: |
-                  echo "=== Building SPIRE with Overlay ==="
+                  echo "=== Building SPIRE from spire-fork/ ==="
                   
-                  # Use SPIRE overlay build system instead of building from fork
+                  # Build SPIRE from the committed spire-fork/ source tree
                   if [ -f "build/spire-binaries/spire-server" ] && [ -f "build/spire-binaries/spire-agent" ]; then
                       echo "SPIRE binaries already exist."
                   else

.gitignore

@@ -111,3 +111,10 @@ build/spire-api-sdk/
 build/spire-binaries/
 build/BUILD_INFO.txt
 .spire-version
+
+# Environment files
+**/.env
+**/.env.local
+**/.env.*.local
+**/.envrc
+!**/.env.example

README.md

@@ -10,7 +10,7 @@ This transforms AI security from "Best-Effort" Zero-trust to **Privacy-First Ver
 ![Figure 1: AegisSovereignAI Architecture Summary](images/readme-arch-new-summary.svg)
 *Figure 1: AegisSovereignAI Architecture Summary - Bridging Infrastructure, Identity, and Governance.*
 
-**See the [Unified Identity Hybrid Cloud Proof of Concept (PoC) Guide](./hybrid-cloud-poc/README.md) for concrete use cases and detailed setup instructions.**
+**See the [Unified Identity Hybrid Cloud PoC](./hybrid-cloud-poc/README.md) — run `./run-demo.sh` to see the full trust chain in action (~7 min).**
 
 ## Enterprise Sovereign Use Cases (Focus: High-Security/Compliance Sectors e.g., Banking, Healthcare, Defense/Government)
 
@@ -88,7 +88,7 @@ Edge nodes are often in untrusted physical locations, making them vulnerable to
         *   **Data Minimization Proof:** Generates proofs validating that the dataset satisfies GDPR Data Minimization before entering the vector store.
     *   **System Prompt Integrity (Pre-Computed):** At deployment, we generate a permanent cryptographic proof that the AI System Prompt includes mandatory safety guardrails (e.g., SSN redaction) and excludes unauthorized directives. This ensures "Compliance-by-Design" without exposing the proprietary prompt text.
     *   **User Prompt Compliance (Batch & Purge):** User interactions are processed in real-time while a background process generates aggregated batch proofs. These proofs verify that no user prompts in a given window contained "jailbreak" commands or PII. Once the batch proof is successfully anchored to the enterprise audit log, the raw, high-liability prompts are purged from the system, permanently eliminating PII storage risk.
-    *   **AI Output Filtering (Batch & Purge):** AI model outputs are verified through real-time Data Loss Prevention (DLP) scanning and content safety checks before delivery. Batch proofs demonstrate that all outputs were properly filtered to prevent hallucinated PII leakage (e.g., fabricated SSNs). Raw outputs are purged after proof generation, ensuring zero retention of AI-generated sensitive data. See the [Privacy-Preserving Deep-Dive](./docs/auditor-privacy-preserving-deep-dive.md) for the complete three-track verification model.
+    *   **AI Output Filtering (Batch & Purge):** AI model outputs are verified through real-time Data Loss Prevention (DLP) scanning and content safety checks before delivery. Batch proofs demonstrate that all outputs were properly filtered to prevent hallucinated PII leakage (e.g., fabricated SSNs). Raw outputs are purged after proof generation, ensuring zero retention of AI-generated sensitive data. See the [Privacy-Preserving AI Governance](./docs/auditor-privacy-preserving-ai-governance.md) for the complete three-track verification model.
     *   **Effective Challenge Enablement (SR 11-7):** Provides cryptographically-verifiable **independent evidence** for model validators: proof of execution hardware, data provenance, and governance policy adherence. This enables "Effective Challenge" of third-party (vendor) AI models even when source code access is restricted—validators can verify the *execution environment* and *compliance state* without needing to inspect proprietary model internals.
      *   **Sovereign Tool Manifests (MCP Integration):** Uses Open Policy Agent (OPA) to filter the **Model Context Protocol (MCP)** `list_tools` response based on the agent's hardware-attested identity. This ensures agents only "discover" and execute tools they are explicitly hardware-authorized to use, creating a "Need-to-Know" environment for dynamic AI capabilities.
 
@@ -136,18 +136,17 @@ AegisSovereignAI is designed to be framework-agnostic, serving as a secure execu
 *   **[Auditor Guide](./docs/auditor.md)** - High-level overview of the attestation-linked evidence model covering the full AI lifecycle (Ingestion, Training, and Inference), verifiable geofencing (Reg-K), and identity binding. Includes the complete Evidence Bundle structure for regulatory reporting.
 *   **[Privacy-Preserving Geolocation (Layer 2)](./docs/auditor-privacy-preserving-geolocation.md)** - Technical deep-dive on **privacy-preserving geofencing** for Reg-K/GDPR compliance, including ZKP vs. other PETs comparison, multi-sensor fusion, and SVID geolocation claims.
 *   **[Privacy-Preserving AI Governance (Layer 3)](./docs/auditor-privacy-preserving-ai-governance.md)** - Technical walkthrough of the **Four-Track Layer 3 Governance Lifecycle** (Training, System Prompt, User Prompt, Output), Batch & Purge architecture, and modular Evidence Bundle verification.
-*   **[Threat Model: Unmanaged Device Security](./hybrid-cloud-poc/THREAT-MODEL-unmanaged-device.md)** - Analysis of **Infrastructure Blind Spots** on **BYOD/Unmanaged Devices**, detailing how AegisSovereignAI prevents location spoofing via hardware-rooted sensor fusion.
+*   **[Threat Model: Runtime Perception Gap](./hybrid-cloud-poc/THREAT-MODEL-runtime-perception-gap.md)** - Analysis of **Infrastructure Blind Spots**, detailing how AegisSovereignAI prevents location spoofing via hardware-rooted sensor fusion.
 *   **[Unified Identity Deep-Dive](./hybrid-cloud-poc/README-arch-sovereign-unified-identity.md)** - Detailed technical architecture of the SPIRE/Keylime identity fusion model.
 *   **[IETF WIMSE Draft](https://datatracker.ietf.org/doc/draft-lkspa-wimse-verifiable-geo-fence/)** - Our contribution to standardizing verifiable geo-fences in multi-system environments.
 
 ## Quickstart
 
 ```bash
-# Clone and bootstrap the PoC environment
+# Clone and run the full demo (~7 min)
 git clone https://github.com/lfedgeai/AegisSovereignAI.git
 cd AegisSovereignAI/hybrid-cloud-poc
-./install_prerequisites.sh
-python ci_test_runner.py
+./run-demo.sh
 ```
 
-See the [Unified Identity Hybrid Cloud PoC Guide](./hybrid-cloud-poc/README.md) for detailed setup instructions.
+See the [Unified Identity Hybrid Cloud PoC](./hybrid-cloud-poc/README.md) for details.

docs/SPIRE_DEV_WORKFLOW.md

@@ -6,7 +6,7 @@
 
 - Linux machine with TPM 2.0 hardware
 - SSH access to test machine
-- Clean checkout of the overlay branch
+- Clean checkout of the main branch
 
 ## Phase 1: Build Verification
 
@@ -19,7 +19,7 @@ cd <PROJECT_ROOT>
 git fetch origin
 git checkout <BRANCH_NAME>
 
-# Build SPIRE with overlay
+# Build SPIRE from spire-fork/
 ./scripts/spire-build.sh
 
 # Verify binaries
@@ -67,7 +67,7 @@ cd hybrid-cloud-poc
   --onprem-host <HOST>
 
 # This will:
-# 1. Build SPIRE with overlay
+# 1. Build SPIRE from spire-fork/
 # 2. Start SPIRE server
 # 3. Start SPIRE agents with TPM attestation
 # 4. Run Keylime verification
@@ -227,7 +227,7 @@ See attached: tpm-test-evidence.tar.gz
 
 ## Conclusion
 
-The SPIRE overlay system successfully performs hardware attestation
+The SPIRE fork-based build successfully performs hardware attestation
 on real TPM 2.0 hardware. Ready for upstream submission.
 ```
 
@@ -278,7 +278,7 @@ rm -rf build/
 go version  # Should be 1.21+
 
 # Install dependencies
-cd spire-overlay
+cd spire-fork
 go mod download
 ```
 

docs/TPM_TESTING_CHECKLIST.md

@@ -20,6 +20,7 @@
 **/*.bak
 **/*.bak.*
 **/*~
+**/*.orig
 
 # Log files
 **/*.log
@@ -53,3 +54,13 @@
 rust-keylime/target/
 *.rustc_info.json
 .future-incompat-report.json
+
+# Generated certificates and keys (runtime artifacts)
+*.pem
+*.key
+*.crt
+*.csr
+svid-dump/
+
+# Internal prep docs (not for open source)
+qa-cheatsheet.md