Hoxline by HawkinsOperations

Hoxline is ProofOps control for the AI security era.

Hoxline by HawkinsOperations is the product name for the current product/front-door repo.

Current repo: HawkinsOperations/hoxline. Product name: Hoxline by HawkinsOperations.

AevumGuard was a prior working name. Hoxline is the current product name.

Hoxline governs how AI-assisted security work becomes tested, reviewed, blocked, or safe to claim.

Doctrine: AI is not the authority. Evidence is.

30-Second Reviewer Demo

Run the deterministic local reviewer demo from a fresh clone. Requirements: Python 3.10 or newer, from the Hoxline repo root. No private services, lab hosts, Wazuh, Splunk, Cribl, VM, endpoint, or network runtime dependency is required:

python -B -m hoxline demo quickstart

If your Python environment cannot import the package directly from the clone, run python -m pip install -e ".[test]" once, then rerun the command. For an explicit repeatable output path:

python -B -m hoxline demo quickstart --output .hoxline/demo-runs/self-test --force
python -B -m hoxline demo verify --input .hoxline/demo-runs/self-test/run-summary.json

The command writes .hoxline/demo-runs/<timestamp-or-demo-id>/ with intake.json, evidence-graph.json, telemetry-contract-check.json, validation-result.json, synthetic-signal.json, enrichment.json, triage-summary.md, proofcard.json, proofcard.md, claim-authority.json, reviewer-pack.md, and run-summary.json.

What it proves: Hoxline can carry a synthetic HO-DET-010 fixture through intake, evidence graph, telemetry contract check, controlled validation, fixture-only signal simulation, enrichment, triage, ProofCard, Claim Authority, blocked claims, and reviewer packaging.

What it does not prove: live runtime behavior, public signal observation, public-safe status, production readiness, SOCaaS deployment, customer deployment, autonomous SOC operation, AI approval, analyst approval, final authorization, or case closure. The demo does not touch endpoints, users, groups, Wazuh, Splunk, Cribl, private infrastructure, ledgers, or website proof state.

See docs/demo/HOXLINE_ONE_COMMAND_REVIEWER_DEMO_V0.md for the design contract and 30-second talk track.

Reusable Review Engine

Use the reusable manifest-driven engine when you want the same deterministic ProofOps loop behind a machine-checkable artifact manifest:

python -B -m hoxline review run --artifact examples/review/ho-det-010-artifact-manifest-v1.json
python -B -m hoxline review verify --run .hoxline/runs/<run-id>/machine-state.json

The command writes .hoxline/runs/<run-id>/ with artifact-manifest.json, stage outputs, proofcard.json, proofcard.md, claim-authority.json, reviewer-pack.md, machine-state.json, and run-summary.json.

What it proves: Hoxline can take a public sanitized synthetic artifact manifest, run deterministic local review stages, write replayable machine state, generate reviewer artifacts, and block unsupported claims.

What it does not prove: live runtime behavior, public signal observation, public-safe status, production readiness, SOCaaS deployment, customer deployment, autonomous SOC operation, AI approval, analyst approval, final authorization, or case closure.

How it differs from demo quickstart: python -B -m hoxline demo quickstart is the fastest fixed walkthrough. python -B -m hoxline review run --artifact ... is the reusable artifact-manifest path for future detections.

See docs/review-engine/HOXLINE_REVIEW_ENGINE_V1.md for the Review Engine v1 contract, fail-closed gates, hostile fixtures, and 3-minute deep review path.

Multi-Artifact Review Set

Use the batch path when you want the same engine to review the governed HO-DET-009/010/011/012 artifact set from one index:

python -B -m hoxline review batch run --index examples/review/multi-artifact-review-index-v1.json
python -B -m hoxline review batch verify --run .hoxline/batch-runs/<batch-id>/batch-machine-state.json

The index contains HO-DET-009, HO-DET-010, HO-DET-011, and HO-DET-012. It writes .hoxline/batch-runs/<batch-id>/ with batch-machine-state.json, batch-summary.md, batch-reviewer-pack.md, batch-run-summary.json, and one artifact subdirectory per manifest.

Batch status is PASS when every artifact outcome matches the index expectations. MIXED is reserved for expected PASS/BLOCKED mixes. BLOCKED means the index, one artifact, or the expectation matrix failed closed.

What it proves: Hoxline can run deterministic local fixture review across a governed artifact set, emit per-artifact machine state, emit an aggregate batch state, and enforce blocked claims at both levels.

What it does not prove: live runtime behavior, public signal observation, public-safe status, production readiness, SOCaaS deployment, customer deployment, autonomous SOC operation, AI approval, analyst approval, final authorization, case closure, or website proof authority.

Product Spine

Hoxline governs the product loop:

AI-assisted security work → Artifact Intake → Evidence Graph → Telemetry Contract Check → Controlled Validation → Runtime Candidate Ledger → Signal Observation → Human Review Gate → ProofCard → Claim Authority → Safe Claim / Blocked Claim

The product spine in this repository defines the boundary, module map, doctrine, gauntlet, schemas, and examples for that loop. It does not create runtime proof, signal proof, final authorization, or external claims.

Case Growth Index

The Case Growth Index v0 aggregates the seven-repo HawkinsOperations system into numeric, reviewable case-growth JSON and Markdown:

python -B -m hoxline.cli case-growth index --repo-root C:\Raylee\Repo\HawkinsOperations --format json
python -B -m hoxline.cli case-growth index --repo-root C:\Raylee\Repo\HawkinsOperations --format markdown

From a source checkout without an editable install, set $env:PYTHONPATH="src" first. Generated examples live in examples/case-growth/. The index counts source packages, controlled validations, runtime-candidate lanes, scheduled collector lanes, proof records, ProofCards, Claim Authority blocked claims, metrics availability, public_safe cases, closed cases, and next gates.

The output also includes repo-slot accuracy and Case Growth Health v0. Repo-slot accuracy states whether each of the seven expected repo slots is present locally. Case Growth Health derives coverage percentages, blocked-claim density, strongest lane, weakest lane, top bottlenecks, and recommended next build from the numeric summary counts.

Proof ceiling: CASE_GROWTH_INDEX_CONTROLLED_REPO_AGGREGATION_ONLY. The index does not claim runtime proof, signal proof, customer deployment, production readiness, public-safe runtime proof, AI approval, analyst approval, final authorization, or case closure unless explicit repo evidence supports the specific status.

Deeper HO-DET-001 Gauntlet Path

After the 30-second fixture demo, the deeper historical reviewer path is the HO-DET-001 Gauntlet:

1. docs/gauntlet/HO_DET_001_GAUNTLET_RUN.md
2. examples/gauntlet/ho-det-001-full-loop-run-v0.json
3. examples/gauntlet/ho-det-001-full-loop-run-v0.md
4. examples/gauntlet/ho-det-001-proofcard-v0.json
5. docs/proofcards/HO-DET-001_PROOFCARD_V0.md

This deeper path shows one artifact, the full Hoxline loop, one ProofCard reference, one safe claim, blocked stronger claims, the missing evidence list, proof ceiling, runtime boundary, signal boundary, and human review boundary.

Safe claim:

HO-DET-001 has controlled validation evidence and remains under governed public-safe candidate review.

This path does not claim production ready, runtime proven, signal observed, customer deployed, SOCaaS deployed, public-safe runtime proof, AI approved, analyst approved, final authorization, or case closure.

HO-DET-001 Public-Safe Candidate Review v1

Hoxline models the merged platform/proof candidate-review state for HO-DET-001 as a bounded product loop state only:

• review_lane: PUBLIC_SAFE_CANDIDATE_REVIEW_V1
• privacy_review, stale_review, evidence_linkage_review, wording_approval: PENDING
• public_safe_status: NOT_PUBLIC_SAFE
• runtime_active: false
• signal_observed: false
• human_review_required: true
• proof_ceiling: CONTROLLED_TEST_VALIDATED
• proof_ceiling_meaning: CONTROLLED_VALIDATION_ONLY

References are carried from hawkinsoperations-platform#64 and hawkinsoperations-proof#82. They remain references only; Hoxline does not own platform ledger truth, proof authority, runtime truth, signal truth, website rendering authority, or final authorization. Hoxline does not claim public-safe approval.

Private Runtime Candidate Lane

Hoxline also supports private runtime candidate review for artifacts whose source, telemetry contract, validation, private signal, packet verification, and scheduled collector inclusion have been established internally but are not public-safe proof.

Separate from the one-command fixture demo, HO-DET-010 also has private runtime-candidate context that is not published here. The public demo uses only synthetic fixture records and must not be confused with private runtime candidate evidence. HO-DET-010 remains NOT_PUBLIC_SAFE; human review is required; AI has no disposition authority; no public proof, ledger append, website proof promotion, production, customer, SOCaaS, fleet, analyst-approved, AI-approved, or case-closure claim is made.

Claim Firewall

Claim Firewall is the first Claim Authority enforcement capability inside Hoxline.

Claim Firewall is not the product, not the front-door repo, not the platform, and not an eighth repo. It is an internal capability that helps Claim Authority block or constrain claims when evidence is missing, stale, incompatible, or insufficient.

Existing Claim Firewall behavior remains in the claimfirewall CLI, GitHub Action contract, policy loader, scanner, and tests. The product spine repositions that behavior inside Hoxline; it does not replace the implementation.

Repository Set

The HawkinsOperations system is exactly seven repositories:

Exactly seven repos. No eighth repo.

• .github
• hawkinsoperations-detections
• hawkinsoperations-validation
• hawkinsoperations-platform
• hawkinsoperations-proof
• hawkinsoperations-website
• hoxline

No eighth repository is part of this product spine. Hoxline modules are internal product modules, not separate repositories.

Current Contents

• PRODUCT_BOUNDARY.md defines what Hoxline owns and does not own.
• docs/gauntlet/HO_DET_001_GAUNTLET_RUN.md is the default HO-DET-001 reviewer/demo path.
• docs/reviewer/HOXLINE_PUBLIC_REVIEWER_PACKET_V0.md explains the public reviewer packet and its boundaries.
• docs/product/HOXLINE_BLUEPRINT.md defines the Hoxline product-spine blueprint.
• docs/product/MODULE_MAP.md maps every loop stage to an internal module responsibility.
• docs/product/SEVEN_REPO_SYSTEM_MAP.md preserves the seven-repo system boundary.
• docs/product/PROOFOPS_DOCTRINE.md states the evidence-first doctrine.
• docs/gauntlet/HOXLINE_GAUNTLET_V0.md remains a non-default sample path.
• schemas/ contains v0 JSON shapes for promotion state and evidence graph records.
• examples/gauntlet/ contains sample JSON records with runtime observation, signal observation, and public safety status unset.
• examples/reviewer/hoxline-public-reviewer-packet-v0.json contains the sanitized reviewer current-state packet.

Proof ceiling: PRODUCT_SPINE_ONLY.