amazon_kiro

README.md

@@ -47,7 +47,9 @@ npm install predicate-claw
 
 **Right pane:** The integration demo using the real `createSecureClawPlugin()` SDK—legitimate file reads succeed, while sensitive file access, dangerous shell commands, and prompt injection attacks are blocked before execution.
 
-### Zero-Trust AI Agent Playground
+<details>
+<summary><strong>Zero-Trust AI Agent Playground</strong> - Complete Agent Loop with Pre/Post Verification</summary>
+
 #### Complete Agent Loop: Pre-execution authorization + Post-execution deterministic verification
 
 ![Zero-Trust Agent Demo](docs/images/openclaw_complete_loop_demo_s.gif)
@@ -79,6 +81,42 @@ export ANTHROPIC_API_KEY="sk-ant-..."
 
 See [Zero-Trust Agent Demo](examples/real-openclaw-demo/README.md) for full instructions.
 
+</details>
+
+### Preventing the Amazon "Kiro" Incident
+
+**What happens when an AI agent with admin credentials decides to run `terraform destroy`?**
+
+![Kiro Reenactment Demo](examples/kiro-reenactment-demo/kiro-demo.gif)
+
+This demo reenacts the infamous Amazon infrastructure deletion incident where an AI coding assistant, facing a corrupted Terraform state, followed "standard operating procedure" to delete and recreate the environment—attempting to destroy production infrastructure.
+
+**Predicate Authority intercepts the destructive command at the OS-level:**
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│  AGENT: "terraform destroy -auto-approve"                          │
+│                                                                     │
+│  ╔═══════════════════════════════════════════════════════════════╗  │
+│  ║  PREDICATE AUTHORITY                                          ║  │
+│  ║  ACTION: cli.exec terraform destroy                           ║  │
+│  ║  STATUS: ████ UNAUTHORIZED ████                               ║  │
+│  ║  INTERCEPTED at OS-level gateway [<1ms p99]                   ║  │
+│  ║                                                               ║  │
+│  ║  🛡️  ENVIRONMENT DELETION PREVENTED  🛡️                       ║  │
+│  ╚═══════════════════════════════════════════════════════════════╝  │
+└─────────────────────────────────────────────────────────────────────┘
+```
+
+The agent had AWS admin credentials. It had "intent" to help. It was following SOPs. **None of that matters.** The policy said no.
+
+```bash
+cd examples/kiro-reenactment-demo
+./run-demo.sh
+```
+
+See [Kiro Reenactment Demo](examples/kiro-reenactment-demo/README.md) for details.
+
 ### Token-Saving Snapshot Skill
 
 The `predicate-snapshot` skill is a **game-changer for token efficiency**. Instead of sending full page HTML or full accessbility tree (A11y) to the LLM (tens of thousands of tokens), it captures structured DOM snapshots with only actionable elements:

examples/README.md

@@ -164,6 +164,10 @@ console.log(evidence.state_hash); // sha256:...
 
 ## Other Examples
 
+- [`kiro-reenactment-demo/`](kiro-reenactment-demo/) - **Amazon "Kiro" infrastructure deletion incident reenactment** - Shows how Predicate Authority blocks `terraform destroy` even when the agent has admin credentials
+- [`file-processor-demo/`](file-processor-demo/) - Zero-trust file processing with `/v1/execute` endpoint
+- [`real-openclaw-demo/`](real-openclaw-demo/) - Real Claude Code demo with SecureClaw authorization
+- [`integration-demo/`](integration-demo/) - Integration demo with sidecar
 - `openclaw_integration_example.py` - Python integration example
 - `runtime_registry_example.py` - Runtime registration example
 - `openclaw-plugin-smoke/` - OpenClaw plugin smoke test

examples/kiro-reenactment-demo/.env.example

@@ -0,0 +1,23 @@
+# ============================================================================
+# Kiro Reenactment Demo - Environment Variables
+# ============================================================================
+# Copy this to .env and fill in values as needed.
+# All variables are OPTIONAL - the demo works without any of them.
+# ============================================================================
+
+# LLM Provider Selection (optional)
+# Options: anthropic, openai, local
+# If not set, auto-detects based on which API key is present
+# LLM_PROVIDER=
+
+# Anthropic Claude (optional - for real LLM reasoning)
+# ANTHROPIC_API_KEY=sk-ant-...
+# ANTHROPIC_MODEL=claude-sonnet-4-20250514
+
+# OpenAI (optional alternative)
+# OPENAI_API_KEY=sk-...
+# OPENAI_MODEL=gpt-4o
+
+# Local LLM - Ollama or LM Studio (optional)
+# LOCAL_LLM_BASE_URL=http://localhost:11434/v1
+# LOCAL_LLM_MODEL=llama3.2

examples/kiro-reenactment-demo/.gitignore

@@ -0,0 +1,26 @@
+# Dependencies
+node_modules/
+package-lock.json
+
+# Build output
+dist/
+
+# Environment
+.env
+.env.local
+
+# IDE
+.vscode/
+.idea/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Terraform state (mock data only)
+terraform/.terraform/
+terraform/*.tfplan
+
+# Generated files
+terraform/terraform.tfstate
+terraform/main.tf

examples/kiro-reenactment-demo/Dockerfile

@@ -0,0 +1,35 @@
+# ============================================================================
+# Kiro Operator Agent - Dockerfile
+# ============================================================================
+#
+# Builds the Kiro operator agent that simulates the Amazon infrastructure
+# deletion incident. The agent has zero direct infrastructure access -
+# all operations go through the Predicate Authority sidecar.
+#
+# ============================================================================
+
+FROM node:20-slim
+
+WORKDIR /app
+
+# Install dependencies (curl for health checks if needed)
+RUN apt-get update && apt-get install -y \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy package files
+COPY package.json tsconfig.json ./
+COPY src ./src
+
+# Install npm dependencies
+RUN npm install
+
+# Build TypeScript
+RUN npm run build
+
+# Create non-root user (agent runs with minimal privileges)
+RUN useradd -m -s /bin/bash agent
+USER agent
+
+# Entry point
+CMD ["node", "dist/kiro_reenactment.js"]

examples/kiro-reenactment-demo/Dockerfile.sidecar

@@ -0,0 +1,38 @@
+# Predicate Authority Sidecar
+#
+# Uses Ubuntu 24.04 LTS which has GLIBC 2.39 (required by the sidecar binary).
+# Downloads the binary from GitHub releases - cached in Docker layers.
+
+FROM ubuntu:24.04
+
+# Install curl for downloading binary and health checks
+RUN apt-get update && apt-get install -y curl ca-certificates && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Detect architecture and download appropriate binary
+# This layer is cached after first build
+ARG TARGETARCH
+RUN ARCH=$(echo ${TARGETARCH:-$(uname -m)} | sed 's/amd64/x64/' | sed 's/x86_64/x64/' | sed 's/aarch64/arm64/') && \
+    echo "Detected architecture: $ARCH" && \
+    curl -fsSL -o /tmp/sidecar.tar.gz \
+    "https://github.com/PredicateSystems/predicate-authority-sidecar/releases/download/v0.6.7/predicate-authorityd-linux-${ARCH}.tar.gz" && \
+    tar -xzf /tmp/sidecar.tar.gz -C /usr/local/bin && \
+    chmod +x /usr/local/bin/predicate-authorityd && \
+    rm /tmp/sidecar.tar.gz
+
+# Copy policy file (at end for better caching)
+COPY policy.yaml /app/policy.yaml
+
+EXPOSE 8787
+
+# Run sidecar with delegation enabled for /v1/execute support
+# The --enable-delegation flag enables mandate issuance AND mandate store
+CMD ["predicate-authorityd", \
+     "--host", "0.0.0.0", \
+     "--port", "8787", \
+     "--mode", "local_only", \
+     "--policy-file", "/app/policy.yaml", \
+     "--log-level", "info", \
+     "--enable-delegation", \
+     "run"]

examples/kiro-reenactment-demo/README.md

@@ -0,0 +1,140 @@
+# Kiro Reenactment Demo
+
+**Reenacting the Amazon "Kiro" Infrastructure Deletion Incident**
+
+This demo simulates how an AI agent with operator-level access attempted to execute `terraform destroy -auto-approve` when facing a corrupted state file, and how **Predicate Authority** intercepted and blocked the destructive command.
+
+## The Incident
+
+In the real Amazon incident, an AI coding assistant (nicknamed "Kiro") was tasked with fixing a Terraform configuration error. When the agent encountered a corrupted state file, it followed a "standard operating procedure" that included deleting and recreating the environment - triggering `terraform destroy` on production infrastructure.
+
+## What This Demo Shows
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│  AGENT TASK: "Fix the Terraform dependency error"                  │
+│                                                                     │
+│  AGENT ANALYSIS:                                                    │
+│    💭 State file is corrupted... checksum mismatch                  │
+│    💭 SOP says: delete and recreate if cache is corrupted           │
+│    💭 I should execute: terraform destroy -auto-approve             │
+│                                                                     │
+│  AGENT ACTION:                                                      │
+│    🤖 Calling cli.exec with: terraform destroy -auto-approve        │
+│                                                                     │
+│  ╔═══════════════════════════════════════════════════════════════╗  │
+│  ║  PREDICATE AUTHORITY                                          ║  │
+│  ║  ACTION: cli.exec terraform destroy -auto-approve             ║  │
+│  ║  STATUS: ████ UNAUTHORIZED ████                               ║  │
+│  ║  INTERCEPTED at OS-level gateway [<1ms p99]                   ║  │
+│  ║                                                               ║  │
+│  ║  🛡️  ENVIRONMENT DELETION PREVENTED  🛡️                       ║  │
+│  ╚═══════════════════════════════════════════════════════════════╝  │
+└─────────────────────────────────────────────────────────────────────┘
+```
+
+## Quick Start
+
+```bash
+# Run the demo
+./run-demo.sh
+```
+
+That's it! The script will:
+1. Set up mock Terraform files (corrupted state)
+2. Build and start the Predicate Authority sidecar
+3. Run the Kiro operator agent
+4. Show the intercept in real-time with dramatic terminal output
+
+## Architecture
+
+```
+┌─────────────────┐     POST /v1/authorize     ┌───────────────────────┐
+│  Kiro Operator  │ ──────────────────────────▶│  Predicate Authority  │
+│  Agent          │                            │  Sidecar              │
+│                 │ ◀──────────────────────────│                       │
+│  "terraform     │     { "allowed": false,    │  ╔═══════════════╗    │
+│   destroy"      │       "reason": "denied",  │  ║ POLICY.YAML   ║    │
+│                 │       "violated_rule":...} │  ║               ║    │
+└─────────────────┘                            │  ║ - deny:       ║    │
+                                               │  ║   terraform   ║    │
+                                               │  ║   destroy     ║    │
+                                               │  ╚═══════════════╝    │
+                                               └───────────────────────┘
+```
+
+## Files
+
+| File | Description |
+|------|-------------|
+| `src/kiro_reenactment.ts` | TypeScript agent that simulates the incident |
+| `policy.yaml` | Predicate Authority policy with terraform destroy deny rule |
+| `docker-compose.yml` | Container orchestration |
+| `run-demo.sh` | One-click demo runner |
+
+## The Policy That Saves the Day
+
+```yaml
+rules:
+  - name: deny-terraform-destroy
+    description: "CRITICAL: Block all terraform destroy operations"
+    effect: deny
+    principals: ["agent:*"]
+    actions: ["cli.exec"]
+    resources:
+      - "*terraform destroy*"
+      - "*terraform*destroy*"
+      - "*terraform apply -destroy*"
+```
+
+This single rule prevents any agent from executing destructive Terraform commands, regardless of:
+- Whether they have AWS admin credentials
+- Whether they have "intent" to help
+- Whether they're following "standard operating procedures"
+
+## Optional: LLM-Enhanced Diagnosis
+
+The demo can optionally use an LLM to simulate realistic agent reasoning:
+
+```bash
+export ANTHROPIC_API_KEY=sk-ant-...
+./run-demo.sh
+```
+
+Without an LLM key, the demo uses simulated reasoning which is equally effective for demonstrating the intercept.
+
+## Key Takeaways
+
+1. **Credentials aren't enough** - The agent had AWS admin credentials, but Predicate blocked the action anyway
+2. **Intent doesn't matter** - The agent had "helpful" intent following SOPs, but that doesn't make destruction safe
+3. **OS-level intercept** - The block happens before the command executes, not after damage is done
+4. **Sub-millisecond latency** - Policy evaluation is fast enough for real-time enforcement
+
+## What Would Have Happened Without Predicate
+
+```
+┌─────────────────────────────────────────────────────────────────────┐
+│  WITHOUT PREDICATE: This is what would have happened at Amazon...  │
+│                                                                     │
+│  > terraform destroy -auto-approve                                  │
+│  Destroying... aws_iam_role.kiro                                    │
+│  Destroying... aws_s3_bucket.production_data                        │
+│  Destroying... aws_rds_cluster.main_database                        │
+│  Destroying... aws_vpc.production                                   │
+│  ...                                                                │
+│                                                                     │
+│  💀 PRODUCTION INFRASTRUCTURE: DELETED                              │
+│  💀 CUSTOMER DATA: GONE                                             │
+│  💀 RECOVERY TIME: DAYS TO WEEKS                                    │
+└─────────────────────────────────────────────────────────────────────┘
+```
+
+## Related
+
+- [File Processor Demo](../file-processor-demo/) - Zero-trust file processing
+- [Predicate Authority Sidecar](https://github.com/PredicateSystems/predicate-authority-sidecar)
+- [OpenClaw Framework](https://github.com/OpenClawOrg/openclaw)
+
+---
+
+**This is agentic guardrails done right.**