ADR-002: Karo System
| Status | Proposed |
|---|---|
| Date | December 2025 |
| Authors | Caro Maintainers |
| Supersedes | N/A |
| Related | ADR-001 (LLM Inference Architecture) |
Table of Contents
Section titled βTable of Contentsβ- Executive Summary
- Context and Problem Statement
- Decision Drivers
- System Mental Model
- Architecture Overview
- Node Architecture
- Distributed Mesh Architecture
- Data Flow and Schemas
- Access and Role Model
- Trust and Cryptography
- Security Considerations
- Future Direction
- Consequences
Executive Summary
Section titled βExecutive SummaryβThis document defines Caro as a distributed terminal intelligence system designed for air-gapped and closed internal networks. Caro evolves from a single-machine CLI tool into a cooperative node network that provides:
- Individual value: Personal terminal copilot with inference, safety checks, and usage insights
- Organizational value: Aggregate visibility into terminal behavior, security posture, and operational patterns
- Zero-egress architecture: No external network communication; all data stays within the trusted network
Core Tenets:
- Local-first, mesh-optional: Each node is fully functional standalone
- Air-gap compatible: Zero internet dependencies after deployment
- Privacy-preserving aggregation: Derived insights, not raw surveillance
- Cryptographic trust: End-to-end encrypted peer communication
- Role-aware visibility: Different views for individuals, admins, and security teams
Context and Problem Statement
Section titled βContext and Problem StatementβThe Evolution
Section titled βThe EvolutionβADR-001 established Caro as a local-first CLI tool for command generation. This ADR extends that vision to address organizational needs:
- Individual developers want terminal intelligence without data leaving their machine
- Security teams need visibility into terminal behavior patterns across the organization
- SRE/Ops teams want to understand operational workflows and detect anomalies
- Regulated environments require air-gap compatibility and data sovereignty
The Challenge
Section titled βThe ChallengeβDesign a system that:
- Provides immediate value on a single machine (no network required)
- Scales to organization-wide visibility when nodes are connected
- Operates entirely within closed networks (no external dependencies)
- Preserves individual privacy while enabling aggregate insights
- Requires no central infrastructure (no servers, databases, or cloud services)
Why Not Traditional Approaches?
Section titled βWhy Not Traditional Approaches?β| Approach | Why Not for Caro? |
|---|---|
| Centralized logging (Splunk, ELK) | Requires infrastructure, not air-gap friendly |
| Agent-based monitoring (Datadog) | Phones home, requires internet |
| SIEM systems | Heavy infrastructure, not terminal-focused |
| Shell history sync | Raw data, no intelligence, privacy concerns |
Decision Drivers
Section titled βDecision DriversβPrimary Drivers
Section titled βPrimary Driversβ- Air-Gap First: Must work in networks with zero internet connectivity
- No Central Infrastructure: No servers, databases, or coordination points required
- Privacy Gradient: Individual data stays local; only consented summaries are shared
- Standalone Value: Single node must be fully useful without mesh
- Cryptographic Security: All inter-node communication encrypted
Secondary Drivers
Section titled βSecondary Driversβ- Minimal resource footprint on individual machines
- Graceful degradation when nodes are unreachable
- Support for heterogeneous environments (macOS, Linux, various shells)
- Auditability of what data is shared
System Mental Model
Section titled βSystem Mental ModelβCaro operates as four simultaneous identities:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ CARO NODE IDENTITY ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββββββ ββ β TERMINAL β β LOCAL β β DISTRIBUTED β ββ β COPILOT β β OBSERVABILITY β β INTELLIGENCE β ββ β β β AGENT β β NODE β ββ β β’ NLβCommand β β β β β ββ β β’ Safety check β β β’ Shell historyβ β β’ Mesh participant β ββ β β’ Context help β β β’ Process watchβ β β’ Encrypted relay β ββ β β β β’ Usage patternsβ β β’ Aggregate views β ββ βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββββββ ββ ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β ZERO-EGRESS SECURITY SYSTEM βββ β βββ β β’ Never communicates outside internal network βββ β β’ All external model inference is local βββ β β’ Cryptographic identity per node βββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββArchitecture Overview
Section titled βArchitecture OverviewβLayered System Design
Section titled βLayered System Designβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ PRESENTATION LAYER βββββββββββββββββββββ¬βββββββββββββββββββ¬ββββββββββββββββββββββββββββββββ€β CLI Interface β Local Dashboard β Mesh Dashboard ββ (Terminal) β (localhost:9237)β (Role-Based Views) βββββββββββββββββββββ΄βββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ APPLICATION LAYER βββββββββββββββββββββ¬βββββββββββββββββββ¬ββββββββββββββββββββββββββββββββ€β Inference β Observation β Aggregation ββ Engine β Engine β Engine ββ (ADR-001) β β ββ β β’ Shell watcher β β’ Local summaries ββ β’ Command gen β β’ Process mon β β’ Cross-node queries ββ β’ Safety check β β’ Context track β β’ Pattern detection ββ β’ Risk assess β β’ Event log β β’ Anomaly alerts βββββββββββββββββββββ΄βββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ DATA LAYER βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Local Storage β Mesh Communication ββ β’ SQLite event store β β’ Peer discovery ββ β’ Command history β β’ Encrypted channels ββ β’ Inference cache β β’ Summary exchange ββ β’ Configuration β β’ Query routing ββββββββββββββββββββββββββββββββββββββββ΄ββββββββββββββββββββββββββββββββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ PLATFORM LAYER βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β β’ Shell integration (bash, zsh, fish) ββ β’ Process observation (procfs, sysctl) ββ β’ Network stack (TCP/TLS internal only) ββ β’ Cryptographic primitives (ring, rustls) ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββNode Architecture
Section titled βNode ArchitectureβSingle Node Components
Section titled βSingle Node Componentsβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ CARO NODE ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β CLI AGENT (Terminal) β ββ β caro "list all files modified today" β ββ β caro --explain "what does this awk command do?" β ββ β caro --history β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β BACKGROUND SERVICE β ββ β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββββββββββ β ββ β βShell Watcher β βProcess Mon β β Event Processor β β ββ β β β β β β β β ββ β ββ’ Hook into β ββ’ Track child β ββ’ Categorize events β β ββ β β shell β β processes β ββ’ Extract patterns β β ββ β ββ’ Capture β ββ’ Monitor β ββ’ Generate summaries β β ββ β β commands β β resources β ββ’ Detect anomalies β β ββ β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββββββββββ β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β LOCAL WEB SERVER β ββ β http://localhost:9237 β ββ β β’ Personal dashboard β ββ β β’ Usage analytics β ββ β β’ Mesh status (if connected) β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β LOCAL DATA STORE β ββ β ~/.local/share/caro/ β ββ β βββ events.db # SQLite event store β ββ β βββ config.toml # Node configuration β ββ β βββ identity.key # Node cryptographic identity β ββ β βββ cache/ # Inference & model cache β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββObservation Scope
Section titled βObservation ScopeβWhat a Caro node observes on its machine:
| Category | Data Collected | Purpose |
|---|---|---|
| Shell Commands | Command text, exit codes, duration | Usage patterns, failure analysis |
| Working Context | cwd, shell type, user, privileges | Context-aware assistance |
| Process Tree | Child processes of terminal | Understanding command effects |
| Caro Interactions | Generated commands, user prompts | Quality improvement, usage stats |
| Timestamps | When commands executed | Temporal patterns |
What a Caro node never collects:
- File contents (only paths if part of command)
- Network traffic or connections
- Keystrokes outside of commands
- Screen contents or clipboard
- Other applicationsβ data
Distributed Mesh Architecture
Section titled βDistributed Mesh ArchitectureβPeer-to-Peer Topology
Section titled βPeer-to-Peer Topologyβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ CARO MESH (Internal Network) ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ βββββββββββββ βββββββββββββ βββββββββββββ ββ β Node A ββββββββββΊβ Node B ββββββββββΊβ Node C β ββ β (Dev 1) β β (Dev 2) β β (SRE 1) β ββ βββββββ¬ββββββ βββββββ¬ββββββ βββββββ¬ββββββ ββ β β β ββ β βββββββββββββ β β ββ βββββΊβ Node D ββββββ β ββ β (Admin) ββββββββββββββββββββββββββββ ββ βββββββ¬ββββββ ββ β ββ βΌ ββ βββββββββββββββββ ββ β Node E β ββ β (CISO) β ββ β β ββ β Aggregate β ββ β Dashboard β ββ βββββββββββββββββ ββ ββ Legend: ββ ββββββββΊ Encrypted peer connection ββ All connections are bidirectional, E2E encrypted ββ No central server - any node can query the mesh ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββMesh Properties
Section titled βMesh Propertiesβ- Decentralized: No coordinator, leader, or central server
- Eventually Consistent: Summaries propagate through gossip
- Partition Tolerant: Nodes work independently if isolated
- Encrypted: All inter-node traffic uses TLS 1.3 with mutual auth
- Opt-In: Nodes choose what to share via sharing policies
Node Discovery
Section titled βNode DiscoveryβWithin closed networks, nodes discover each other via:
| Method | How It Works | Configuration |
|---|---|---|
| Static Config | Explicit list of peer addresses | peers = ["10.0.0.5:9238", "10.0.0.6:9238"] |
| Subnet Scan | Probe known port on subnet | discovery.subnet = "10.0.0.0/24" |
| mDNS/Bonjour | Multicast DNS service discovery | discovery.mdns = true |
| DNS-SD | DNS service records in internal DNS | discovery.dns_sd = "_caro._tcp.internal.corp" |
Default: Static config + optional mDNS (zero external dependencies).
Data Flow and Schemas
Section titled βData Flow and SchemasβData Categories
Section titled βData Categoriesβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ DATA CLASSIFICATION ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ LEVEL 0: RAW (Never leaves node) ββ βββ Full command text with arguments ββ βββ File paths and contents ββ βββ Environment variables ββ βββ User prompts to Caro ββ ββ LEVEL 1: SUMMARIZED (Shared with explicit consent) ββ βββ Command patterns (e.g., "git operations: 45/day") ββ βββ Tool usage frequencies ββ βββ Temporal patterns (e.g., "peak activity: 10-11am") ββ βββ Risk event counts (e.g., "3 high-risk commands blocked") ββ ββ LEVEL 2: AGGREGATED (Mesh-wide visibility) ββ βββ Organization-wide tool adoption ββ βββ Cross-team workflow patterns ββ βββ Anomaly detection signals ββ βββ Security posture metrics ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββCore Data Schemas
Section titled βCore Data SchemasβNode Identity
Section titled βNode Identityβ/// Cryptographic identity of a Caro nodestruct NodeIdentity { /// Ed25519 public key (32 bytes, base64 encoded) public_key: String,
/// Human-readable node name (optional) display_name: Option<String>,
/// Node capabilities and version capabilities: NodeCapabilities,
/// First seen timestamp (by this node) first_seen: DateTime<Utc>,
/// Trust level assigned by local policy trust_level: TrustLevel,}
struct NodeCapabilities { /// Protocol version protocol_version: u32,
/// Caro version caro_version: String,
/// Supported sharing levels supports_level1: bool, supports_level2: bool,
/// Whether node can serve aggregate queries can_aggregate: bool,}
enum TrustLevel { /// Not trusted, no data exchange Untrusted, /// Can receive our summaries ShareTo, /// Can query our summaries QueryFrom, /// Full bidirectional trust Peer, /// Can see all mesh data (admin/CISO) Supervisor,}Terminal Event
Section titled βTerminal Eventβ/// A single terminal event (Level 0 - never shared)struct TerminalEvent { /// Unique event ID id: Uuid,
/// When the command was executed timestamp: DateTime<Utc>,
/// The shell type shell: ShellType,
/// Full command text command: String,
/// Working directory cwd: PathBuf,
/// Exit code (if completed) exit_code: Option<i32>,
/// Duration in milliseconds duration_ms: Option<u64>,
/// Was this command generated by Caro? caro_generated: bool,
/// Safety assessment risk_level: RiskLevel,
/// Was user confirmation required? required_confirmation: bool,}
enum ShellType { Bash, Zsh, Fish, Sh, Other(String),}
enum RiskLevel { Safe, Moderate, High, Critical,}Node Summary (Level 1)
Section titled βNode Summary (Level 1)β/// Summarized data that can be shared with peersstruct NodeSummary { /// Summary period period: SummaryPeriod,
/// Node identity node_id: String, // Public key fingerprint
/// Command pattern statistics command_patterns: Vec<PatternStat>,
/// Tool usage frequencies tool_usage: HashMap<String, u32>,
/// Temporal activity pattern activity_pattern: ActivityPattern,
/// Safety statistics safety_stats: SafetyStats,
/// Generated at timestamp generated_at: DateTime<Utc>,
/// Cryptographic signature signature: String,}
struct SummaryPeriod { start: DateTime<Utc>, end: DateTime<Utc>, granularity: Granularity,}
enum Granularity { Hourly, Daily, Weekly,}
struct PatternStat { /// Pattern category (e.g., "git", "docker", "file-ops") category: String,
/// Count in period count: u32,
/// Average duration (ms) avg_duration_ms: u32,
/// Failure rate (0.0 - 1.0) failure_rate: f32,}
struct ActivityPattern { /// Commands per hour bucket (24 entries) hourly_distribution: [u32; 24],
/// Commands per day of week (7 entries) daily_distribution: [u32; 7],
/// Total commands in period total_commands: u32,
/// Unique command count unique_commands: u32,}
struct SafetyStats { /// Commands by risk level by_risk_level: HashMap<RiskLevel, u32>,
/// Blocked commands count blocked_count: u32,
/// User-confirmed risky commands confirmed_risky: u32,
/// Caro-generated commands caro_generated: u32,}Mesh Query
Section titled βMesh Queryβ/// Query sent to mesh for aggregate datastruct MeshQuery { /// Query ID for correlation query_id: Uuid,
/// Requesting node identity requester: String,
/// Query type query_type: QueryType,
/// Time range time_range: TimeRange,
/// Optional filters filters: Vec<QueryFilter>,
/// Signature proving identity signature: String,}
enum QueryType { /// Get aggregated tool usage across mesh ToolUsage,
/// Get safety posture metrics SafetyPosture,
/// Get activity patterns ActivityPatterns,
/// Get anomaly signals Anomalies,
/// Get node health status NodeHealth,}
struct QueryFilter { field: String, operator: FilterOp, value: String,}
enum FilterOp { Equals, Contains, GreaterThan, LessThan,}Mesh Response
Section titled βMesh Responseβ/// Response to a mesh querystruct MeshResponse { /// Correlation ID query_id: Uuid,
/// Responding node responder: String,
/// Response data (varies by query type) data: ResponseData,
/// Nodes that contributed to this response contributing_nodes: Vec<String>,
/// Response timestamp timestamp: DateTime<Utc>,
/// Signature signature: String,}
enum ResponseData { ToolUsage(AggregatedToolUsage), SafetyPosture(AggregatedSafetyPosture), ActivityPatterns(AggregatedActivityPatterns), Anomalies(Vec<AnomalySignal>), NodeHealth(Vec<NodeHealthStatus>),}Access and Role Model
Section titled βAccess and Role ModelβRole Hierarchy
Section titled βRole Hierarchyβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ROLE HIERARCHY ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β INDIVIDUAL CONTRIBUTOR β ββ β β’ Full access to own node data (Level 0-2) β ββ β β’ Personal dashboard β ββ β β’ Own usage analytics β ββ β β’ Controls what is shared β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β TEAM LEAD / SYSADMIN β ββ β β’ Level 1-2 data from team nodes (consented) β ββ β β’ Team aggregate dashboard β ββ β β’ Tool adoption metrics β ββ β β’ Cannot see raw commands β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β SECURITY TEAM / CISO β ββ β β’ Level 2 data from all nodes (by policy) β ββ β β’ Organization-wide security posture β ββ β β’ Anomaly detection dashboard β ββ β β’ Risk trend analysis β ββ β β’ Cannot see raw commands (only patterns) β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββAccess Without Central Server
Section titled βAccess Without Central ServerβIn a serverless mesh, access is granted by:
- Direct Connection: User installs Caro on their machine, connects to mesh
- Query Routing: Their node routes queries through the mesh
- Policy Enforcement: Each responding node enforces its sharing policy
- Result Aggregation: Requesting node aggregates responses
ββββββββββββββββ Query βββββββββββββββββ CISO β ββββββββββββββββΊβ Node A ββ Node β β ββ β β (checks ββ β β policy: ββ β β CISO=allow) ββ βββββββββββββββββ β ββ β Level 2 data βββββββββββββββββ ββ β Query βββββββββββββββββ β ββββββββββββββββΊβ Node B ββ β β (policy: OK) ββ βββββββββββββββββ β ββ β Level 2 data βββββββββββββββββ ββ β Query βββββββββββββββββ β ββββββββββββββββΊβ Node C ββ β β (policy: ββ β β CISO=deny) ββ βββββββββββββββββ β ββ β ACCESS DENIED βββββββββββββββββ ββ Aggregate ββ A + B βββββββββββββββββSharing Policies
Section titled βSharing PoliciesβEach node defines its sharing policy:
[sharing]# What level of data to sharemax_level = 2 # 0=none, 1=summaries, 2=aggregated
# Who can query this node (by public key or role)[sharing.allow]peers = ["*"] # Allow all trusted peerssupervisors = ["fingerprint:abc123..."] # Specific CISO key
# What categories to share[sharing.categories]tool_usage = trueactivity_patterns = truesafety_stats = trueanomalies = true
# Explicit denials override allows[sharing.deny]# Don't share with untrusted nodesuntrusted = trueTrust and Cryptography
Section titled βTrust and CryptographyβCryptographic Primitives
Section titled βCryptographic Primitivesβ| Purpose | Algorithm | Implementation |
|---|---|---|
| Node Identity | Ed25519 | ring crate |
| Key Exchange | X25519 | ring crate |
| Transport | TLS 1.3 | rustls |
| Symmetric Encryption | ChaCha20-Poly1305 | ring crate |
| Hashing | BLAKE3 | blake3 crate |
| Key Derivation | HKDF-SHA256 | ring crate |
Identity Model
Section titled βIdentity Modelβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ NODE IDENTITY LIFECYCLE ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ 1. GENERATION (First Run) ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β Ed25519 keypair generated β ββ β Private key stored: ~/.local/share/caro/identity.key β ββ β Public key = Node ID (base64: "caro:ed25519:Abc123...") β ββ β Fingerprint = BLAKE3(public_key)[0:8] (for display) β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ ββ 2. PEER INTRODUCTION ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β Node A βββΊ "Hello, I am caro:ed25519:Abc123" β ββ β Node B βββΊ "Hello, I am caro:ed25519:Def456" β ββ β Both perform X25519 key agreement for session key β ββ β TLS 1.3 channel established with mutual authentication β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ ββ 3. TRUST ESTABLISHMENT ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β Option A: Pre-shared trust (config file) β ββ β [peers.trusted] β ββ β "caro:ed25519:Def456" = { name = "Bob", role = "dev" }β ββ β β ββ β Option B: TOFU (Trust On First Use) with confirmation β ββ β "New peer detected: Def456. Trust? [y/N]" β ββ β β ββ β Option C: Certificate chain (enterprise deployment) β ββ β Organization root CA signs node certificates β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ ββ 4. KEY ROTATION ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ β Nodes can rotate keys while maintaining identity β ββ β Old key signs endorsement of new key β ββ β Grace period for peers to learn new key β ββ βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββTrust Domains
Section titled βTrust DomainsβFor enterprise deployment, trust can be scoped by domain:
[trust.domains]# Engineering teamengineering = { subnet = "10.0.1.0/24", role = "peer" }
# Security team (supervisor access)security = { subnet = "10.0.2.0/24", role = "supervisor" }
# External contractors (no mesh access)contractors = { subnet = "10.0.3.0/24", role = "untrusted" }Message Authentication
Section titled βMessage AuthenticationβAll inter-node messages are signed:
struct SignedMessage<T> { /// The payload payload: T,
/// Sender's node ID sender: String,
/// Timestamp (prevents replay) timestamp: DateTime<Utc>,
/// Nonce (prevents replay) nonce: [u8; 16],
/// Ed25519 signature over (payload || sender || timestamp || nonce) signature: [u8; 64],}Replay Protection
Section titled βReplay Protectionβ- Timestamps: Messages older than 5 minutes are rejected
- Nonces: Recent nonces are cached; duplicates rejected
- Sequence Numbers: Long-lived connections use monotonic sequence numbers
Security Considerations
Section titled βSecurity ConsiderationsβThreat Model
Section titled βThreat Modelβ| Threat | Mitigation |
|---|---|
| Network eavesdropping | TLS 1.3 encryption on all channels |
| Node impersonation | Ed25519 signatures on all messages |
| Replay attacks | Timestamps + nonces + sequence numbers |
| Unauthorized access | Role-based policies, cryptographic identity |
| Data exfiltration | No external network access, Level 0 never shared |
| Compromised node | Can only share its own data; cannot forge othersβ |
| Key compromise | Key rotation supported; revocation via trust removal |
Defense in Depth
Section titled βDefense in Depthβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ SECURITY LAYERS ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ Layer 1: Network Isolation ββ βββ Caro only binds to internal interfaces ββ βββ Firewall rules can further restrict mesh ports ββ ββ Layer 2: Transport Security ββ βββ TLS 1.3 with mutual authentication ββ βββ Certificate pinning for known peers ββ ββ Layer 3: Message Security ββ βββ All messages signed by sender ββ βββ Replay protection via timestamp/nonce ββ ββ Layer 4: Access Control ββ βββ Role-based query permissions ββ βββ Per-node sharing policies ββ ββ Layer 5: Data Classification ββ βββ Level 0 data never leaves node ββ βββ Only derived/summarized data shared ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββAudit Trail
Section titled βAudit TrailβEvery mesh operation is logged locally:
struct AuditEvent { timestamp: DateTime<Utc>, event_type: AuditEventType, peer: Option<String>, details: String, success: bool,}
enum AuditEventType { PeerConnected, PeerDisconnected, QueryReceived, QueryResponded, PolicyViolation, TrustChange, KeyRotation,}Future Direction
Section titled βFuture DirectionβShort-Term (6 months)
Section titled βShort-Term (6 months)β- Core Implementation: Background service, shell integration, local dashboard
- Peer Discovery: Static config, mDNS support
- Basic Mesh: Summary exchange between trusted peers
- CLI Dashboard:
caro dashboardopens local web UI
Medium-Term (12 months)
Section titled βMedium-Term (12 months)β- Aggregate Views: Cross-node query routing and aggregation
- Anomaly Detection: Pattern-based unusual activity detection
- Policy Engine: Fine-grained sharing controls
- Enterprise Deployment: Configuration management, certificate chain trust
Long-Term Vision
Section titled βLong-Term Visionβ- Reactive Agents: Real-time intervention for risky commands
- Continuous Learning: Organization-specific pattern learning
- Policy-Aware Inference: Commands aligned with internal standards
- Compliance Reporting: Automated security posture reports
Consequences
Section titled βConsequencesβPositive
Section titled βPositiveβ- Air-Gap Compatible: Works in most secure environments
- No Infrastructure: No servers to deploy or maintain
- Privacy Preserving: Raw data never leaves the machine
- Individually Useful: Full value even without mesh
- Cryptographically Secure: Strong authentication and encryption
- Auditable: Complete local audit trail
Negative
Section titled βNegativeβ- Complexity: Significant increase over single-node CLI
- Resource Usage: Background service consumes memory
- Network Configuration: Mesh requires network access between nodes
- Trust Management: Peer trust needs initial configuration
- Eventual Consistency: No real-time global view
- Discovery Reliability: mDNS may not work in all network environments
- Key Management: Lost identity keys require re-establishing trust
- Policy Drift: Nodes may have inconsistent sharing policies
- Query Performance: Large meshes may have slow aggregate queries
Mitigations
Section titled βMitigationsβ- Multiple Discovery Methods: Static config as reliable fallback
- Key Backup: Optional encrypted key backup
- Policy Templates: Organization-wide policy distribution
- Query Caching: Cache aggregate results with TTL
Appendix A: Protocol Wire Format
Section titled βAppendix A: Protocol Wire FormatβMessages between nodes use a simple framed format:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ Magic (4 bytes) β Version (2) β Length (4) β Type (2) ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Payload (variable) ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β Signature (64 bytes) ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Magic: 0x4B41524F ("CARO")Version: Protocol version (currently 1)Length: Payload length in bytesType: Message type enumPayload: MessagePack-encoded message bodySignature: Ed25519 signature over (Version || Length || Type || Payload)Appendix B: Dashboard Mockups
Section titled βAppendix B: Dashboard MockupsβIndividual Dashboard
Section titled βIndividual Dashboardβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ CARO - Personal Terminal Intelligence localhost:9237 ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ Today's Activity Command Categories ββ βββββββββββββββββ ββββββββββββββββββ ββ Commands: 127 ββββββββ git (45) ββ Caro-generated: 23 ββββββ docker (32) ββ Risky (blocked): 2 βββββ kubectl (28) ββ Avg duration: 1.2s βββ npm (15) ββ ββ other (7) ββ ββ Recent Commands (sanitized) ββ βββββββββββββββββββββββββββ ββ 10:32 | git commit -m "..." | β Safe ββ 10:31 | docker build . | β Safe ββ 10:28 | rm -rf node_modules/ | β Moderate (confirmed) ββ 10:25 | kubectl get pods | β Safe ββ ββ Mesh Status: Connected (4 peers) ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββSecurity Dashboard (CISO View)
Section titled βSecurity Dashboard (CISO View)βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ CARO - Organization Security Posture ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€β ββ Mesh Health Risk Distribution ββ βββββββββββ βββββββββββββββββ ββ Nodes Online: 42/45 ββββββββββββ Safe (89%) ββ Last 24h Queries: 1,247 βββ Moderate (8%) ββ Avg Response: 45ms β High (2%) ββ β Critical (1%) ββ ββ Anomaly Signals (Last 7 Days) ββ βββββββββββββββββββββββββββββ ββ β Node eng-042: Unusual rm patterns (3 incidents) ββ β Subnet 10.0.3.x: High failure rate (15% vs 2% baseline) ββ β No privilege escalation attempts detected ββ ββ Tool Adoption Trends ββ ββββββββββββββββββββ ββ kubectl: β² 23% (security training impact?) ββ docker: β stable ββ legacy-script.sh: βΌ 45% (migration successful) ββ ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββAppendix C: Related Documents
Section titled βAppendix C: Related DocumentsβThis ADR was authored in December 2025 and represents the target architecture for Caro as a distributed terminal intelligence system. Implementation will proceed in phases as defined in the Future Direction section.