Zero Trust · NIST SP 800-207 · OWASP least agency
Zero Trust is no longer a buzzword. It is codified guidance — NIST SP 800-207, the NSA's Zero-Trust Implementation Guides, OWASP's least agency — mandated for every US federal agency by 2027, and now being extended to autonomous AI agents. EuroOS was architected around these principles from the first line of kernel code, which lets us make a rare claim honestly: most of this framework is not something we bolt on — it is what the operating system already is.
The framework gives one test for any control — does this make the attack impossible, or just tedious? Controls whose value is friction (extra hops, rate limits, non-standard ports, SMS MFA) degrade against an adversary that can grind through tedious steps at machine speed. The controls that survive are "hardware-bound credentials, expiring tokens, cryptographic identity, and network paths that do not exist rather than paths that are merely inconvenient."
EPERM before doing anything; the tool is not even listed for that agent; the file outside its sandbox cannot be named. EuroOS is, structurally, a system of removed capabilities, not throttled ones — and it is designed for breach: a successfully-injected agent can still only ever act within the capabilities it holds, with every action audited.
How the framework's six control families map onto EuroOS / EuroAgent. native built into the OS and verified · partial foundation present, product on the roadmap · out of scope a different approach, honest.
Each agent ships as an Ed25519-signed .euroa bundle, verified before its manifest is even parsed. EuroIDM issues signed, expiring identity tokens; EuroCA is a sovereign local CA. The registry refuses to let a second publisher overwrite a trusted agent (anti-rug-pull).
Framework: cryptographic agent IDs (Foundation) → certificate-based auth (Enterprise).
EuroTPM gives measured boot, a hardware RNG and PCR extend; EuroVault's master key and the full-disk-encryption key are TPM-sourced; EuroAttest produces signed PCR quotes for remote attestation. Full PCR-sealing of keys is the documented next mile.
Framework: hardware-bound credentials, attested issuance (Advanced).
EuroGuard enforces deny-by-default at every syscall; capabilities can be dropped but never regained. EuroAgent's MCP gateway gates each tool by a required capability and lists only the tools an agent may call. EuroPol policy can only reduce the set — deny always wins.
Framework: RBAC deny-by-default (Foundation) → continuous, per-action authorization (Advanced).
Agents run as capability-isolated WASM modules in EuroOS's own interpreter; the file backend confines each agent to /agents/<name>/. The boundary is identity and capability — services accept only the callers their policy names — exactly as the framework recommends, with network segmentation as a backstop, not the boundary.
Framework: identity-based isolation (Foundation) → sandboxed execution per agent (Enterprise).
Every tool call is recorded with the agent's identity. Two complementary trails make it tamper-evident: a SHA-256 hash-chain (edit any past record and every later hash breaks) and a filesystem-enforced append-only log — clearing that flag itself requires a capability.
Framework: comprehensive logs (Foundation) → immutable, integrity-verified audit (Enterprise).
Tools are kernel-defined with fixed required capabilities, so poisoned tool metadata can't smuggle access. .eupkg packages are signed and verified; EuroRepro gives reproducible-build attestation with multi-builder consensus. Credentials live in a capability-gated vault, never cached in agent memory across sessions.
Framework: tool poisoning / rug-pull, confused-deputy, memory-based privilege retention.
Status labels reflect the EuroOS source tree (alpha, build 2026.06.08); each maps to a real subsystem in the technical reference. Framework sources: Anthropic, "Zero Trust for AI Agents"; NIST SP 800-207 Zero Trust Architecture; NSA Zero-Trust Implementation Guides; OWASP "least agency". EuroOS references the framework's principles for evaluation; it is not affiliated with or endorsed by these bodies.