Docs | SpectraStrike | Nexus | Nyxera Labs
E2E Execution Audit Report
Scope
Asymmetric federation hardening verification for SpectraStrike <-> VectorVue with local persistent federation config.
Commands Used
cd SpectraStrike
make local-federation-up
PYTHONPATH=src .venv/bin/python -m pkg.integration.host_integration_smoke --tenant-id 10000000-0000-0000-0000-000000000001 --check-vectorvue
sliver-client version
PYTHONPATH=src .venv/bin/pytest -q tests/unit/test_firecracker_microvm_runner.py
Signed cognitive verification command path:
- Sent signed execution graph metadata to
/internal/v1/cognitive/execution-graph - Queried
/internal/v1/cognitive/feedback/adjustments/query - Verified response signature and attestation hash binding in SpectraStrike client
Runtime Evidence
Primary host smoke output:
vectorvue_event_status=acceptedvectorvue_finding_status=acceptedvectorvue_status_poll_status=acceptednmap_binary_ok=Truemetasploit_binary_ok=True
Cognitive verification output:
graph_status=acceptedfeedback_status=acceptedfeedback_signature_verified=Trueattestation_hash_verified=True
Firecracker runtime evidence:
tests/unit/test_firecracker_microvm_runner.py->4 passed
Audit log artifact:
local_docs/audit/final-e2e-asymmetric-20260227-134036.log
Signature Verification Proof
- Telemetry ingress accepted only when Ed25519 signature validated at gateway.
- Feedback response included
kid,signature_algorithm=Ed25519,signed_at,nonce. - SpectraStrike verifier marked feedback envelope as
verified=True.
Attestation Proof
attestation_measurement_hashpresent in signed cognitive graph payload.- Returned feedback adjustments preserved attestation hash.
- SpectraStrike attestation match check returned
attestation_hash_verified=True.
Failure Cases Tested
- Sliver wrapper dry-run failed with CLI flag mismatch (
--target) and was rejected as execution path failure. - Replay/signed-response rejection, forged signature rejection, and schema mismatch paths are covered by updated federation unit tests.
Final Conclusion
Federation path is operating under asymmetric cryptographic controls with hard-fail verification, attestation propagation, and accepted end-to-end telemetry/finding flow. Remaining operational gap is Sliver wrapper CLI compatibility, which is isolated from the federation trust controls.
Wrapper Federation Audit Addendum (2026-02-28)
Commands Used
cd SpectraStrike
PYTHONPATH=src .venv/bin/python -m pkg.integration.host_integration_smoke --tenant-id 10000000-0000-0000-0000-000000000001 --check-vectorvue
SPECTRASTRIKE_WRAPPER_SIGNING_KEY_PATH=/home/xoce/Workspace/VectorVue/deploy/certs/spectrastrike_ed25519.key \
PYTHONPATH=src:/usr/lib/python3.14/site-packages \
.venv/bin/python -m pkg.integration.host_integration_smoke \
--tenant-id 10000000-0000-0000-0000-000000000001 \
--check-impacket-psexec
Wrapper-by-Wrapper Results (Implemented Wrappers)
| Wrapper | E2E Status | Evidence |
|---|---|---|
| Nmap | Pass (with runtime warning) | nmap_binary_ok=True, nmap_scan_ok=True, recoverable warning Socket creation in sendOK: Operation not permitted (1) handled |
| Metasploit | Pass | metasploit_binary_ok=True |
| Impacket psexec.py | Pass (signed contract path) | impacket_psexec_binary_ok=True, impacket_psexec_command_ok=True |
| Sliver | Blocked (environment) | sliver-client version exits code 2 due log path permission at /home/xoce/.sliver-client/sliver-client.log |
| Mythic | Blocked (dependency missing) | mythic-cli not found on host PATH |
Federation Notes
- Baseline federation bridge check (
--check-vectorvue) succeeded previously in this environment with:vectorvue_event_status=acceptedvectorvue_finding_status=acceptedvectorvue_status_poll_status=accepted
- Extended multi-wrapper federation path remains environment-blocked by Sliver client host permission model and missing Mythic CLI.
Local Persistent Federation Pass (2026-02-28)
Persistent Local Config Applied
Local gitignored file:
local_federation/.env.spectrastrike.local
Set explicitly for persistent manual E2E:
SPECTRASTRIKE_WRAPPER_SIGNING_KEY_PATH=/home/xoce/Workspace/VectorVue/deploy/certs/spectrastrike_ed25519.keyVECTORVUE_USERNAME=acme_viewerVECTORVUE_PASSWORD=AcmeView3r!VECTORVUE_TENANT_ID=10000000-0000-0000-0000-000000000001VECTORVUE_FEEDBACK_VERIFY_KEYS_JSON={"default":"/home/xoce/Workspace/VectorVue/deploy/certs/vectorvue_feedback_ed25519.pub.pem"}
Commands Executed
cd SpectraStrike
make local-federation-up
PYTHONPATH=src .venv/bin/python -m pkg.integration.host_integration_smoke --tenant-id 10000000-0000-0000-0000-000000000001 --check-vectorvue
SPECTRASTRIKE_WRAPPER_SIGNING_KEY_PATH=/home/xoce/Workspace/VectorVue/deploy/certs/spectrastrike_ed25519.key \
PYTHONPATH=src:/usr/lib/python3.14/site-packages \
.venv/bin/python -m pkg.integration.host_integration_smoke \
--tenant-id 10000000-0000-0000-0000-000000000001 \
--check-impacket-psexec --check-sliver-command --check-vectorvue
Results
- Baseline federation smoke:
vectorvue_ok=Truevectorvue_event_status=acceptedvectorvue_finding_status=acceptedvectorvue_status_poll_status=accepted
- Extended wrapper smoke:
nmap_binary_ok=Truemetasploit_binary_ok=Trueimpacket_psexec_binary_ok=Trueimpacket_psexec_command_ok=Truesliver_binary_ok=Truesliver_command_ok=True- VectorVue statuses still
accepted, while summary flag reportedvectorvue_ok=False(indicates at least one forwarded envelope failed while accepted statuses were still returned for others).
Remaining Hard Blockers For “All Functionalities” Claim
--check-metasploit-rpcfails by default because RPC host resolves tometasploit.remote.operatorunless local RPC endpoint credentials/host are configured.--check-mythic-taskrequiresmythic-cliinstalled and configured on host.
2026 SpectraStrike by Nyxera Labs. All rights reserved.
Docs | SpectraStrike | Nexus | Nyxera Labs