Skip to content
プロダクト

Remediating Inside the Enclave: Governed Fixing With Signed Edge Runner Capsules

How regulated and public-sector teams get autonomous remediation inside customer-controlled boundaries: signed Edge Runner capsules, governed fixing, audit-ready evidence, no data egress.

Zof Reliability Team · エンジニアリング & プロダクト

2025年9月2日 · 読了時間 7 分 · 2025年9月2日 更新

Share
01

Why remediation is the hardest part of the loop to govern

Zof's operating model is a closed loop: understand, test, reproduce, remediate, verify. The first three steps observe. Remediation acts. That asymmetry is the whole problem. An understanding step that drifts produces a bad map; a remediation step that drifts produces a bad change in production-adjacent infrastructure. The blast radius is not symmetric, so the governance cannot be either.

This matters more now because the change volume has changed character. Roughly 41% of codebases are now AI-generated, and industry research suggests around 45% of AI coding tasks introduce a critical flaw or security issue. You are not remediating a slow trickle of human-authored defects anymore. You are remediating a high-volume stream of machine-generated change, much of it carrying risk, against the roughly $2.41 trillion annual backdrop of poor software quality. The temptation is to let an agent close the loop on its own to keep up. For an accredited system, that is reckless. Unsupervised autonomous fixing is exactly the thing an authorizing official cannot defend.

The principle that resolves this is not "slow down." It is agents propose, humans authorize. Remediation Fleets plan and assemble the fix; a named human authorizes it; the boundary stays intact throughout. Governance here is not paperwork bolted onto autonomy. It *is* the engineering.

02

The remediation capsule: a fix you can review before it runs

The unit that makes governed remediation auditable is the signed capsule. A remediation capsule is an immutable, versioned, approved package that contains a *specific proposed change* and the exact validation that proves it. It is not an agent improvising a patch at runtime and discarding the reasoning afterward.

That distinction is the difference between a fix that survives an audit and one that does not. Most "AI fixed it" stories fail review for a structural reason: the thing that ran was synthesized on the fly, so there is no stable artifact to inspect, no signature to verify, and no way to prove the change did only what was approved. A capsule inverts the order of operations. The fix is assembled, the validation is bound to it, and the whole package is reviewed and signed *before* it is ever admitted into the boundary.

For a compliance officer, the capsule answers the three questions an assessor actually asks:

  • What changed? The capsule manifest is the scope. Nothing outside the manifest executes.
  • Who authorized it? The cryptographic signature is the attestation, tied to an identity and a role.
  • Can you prove it did nothing else? The version is the chain of custody, and the bound validation is the evidence.

A capsule turns a remediation from an event you have to trust into an artifact you can defend.

03

How the fix crosses the boundary without weakening it

A signed remediation still has to enter the enclave, and the moment it does is the moment most architectures quietly open a hole. The design that avoids this splits the work across planes with deliberately different trust requirements, the same split secure-enclave deployment uses for validation.

Planning and generation, the model-heavy work, happen outside on your terms: mapping the change in the System Graph, assembling the candidate fix, binding its validation. Governance, signing, and approval sit in the control plane. Execution happens entirely inside the boundary on a customer-deployed Edge Runner.

The architectural point is that the plane needing the most powerful models touches the least sensitive data, and the plane touching production-adjacent systems runs no models and makes no outbound calls at runtime. The enclave gateway verifies the capsule's signature, enforces your policy, and triggers execution without opening inbound access. There is no listening port for an external orchestrator to reach into. The boundary stays one-directional: signed work goes in through a verifying gateway, and nothing reaches back out to fetch a model or phone home.

The Edge Runner applies the approved change locally, runs the bound validation locally, and captures evidence locally. Source, fixtures, and runtime telemetry never leave the segment to make the fix happen.

04

Evidence stays yours, including local-only

Remediation in a regulated environment lives or dies on evidence, and the default assumption in most tooling, full log exfiltration to a central SaaS, is precisely what an accredited program cannot accept. Zof inverts the default: you decide how evidence leaves the execution plane, if it leaves at all.

  • Local-only for the most sensitive systems, where the complete remediation record, before-state, change, validation, and verified rollback, never leaves the segment.
  • Sanitized egress with field masking, so a summary can flow to your GRC tooling without raw payloads.
  • Metadata-only routing for dashboards and reliability reporting, correlation IDs without raw export.
  • Per-environment retention aligned to your accreditation, with no mandatory full-log exfiltration.

The runner produces a complete, redactable evidence bundle inside the boundary. What you publish outward is a policy decision you make, not a vendor default you inherit. That is the line between evidence that satisfies an assessor and telemetry that creates a brand-new data-residency finding.

05

Keep the human queue focused on real risk

Governed remediation only scales if the human authorization step does not become the bottleneck. If every proposed fix lands in front of an authorizing official with equal weight, approvers drown and start rubber-stamping, and rubber-stamped governance is governance theater.

This is where change-awareness earns its place. Because the System Graph models what actually depends on what, remediation can be prioritized by genuine reachability and exploitability rather than raw finding count. Reachability-based prioritization can mean 70 to 90% less exploitable exposure to act on. Applied to the approval queue, an unreachable flaw does not consume an authorizing signature, while a reachable one on a critical path routes straight to a named approver with the evidence already attached. Governance is where those tier rules, separation-of-duties requirements, and the audit trail live as first-class configuration, not as a process running in someone's inbox.

Two failure modes to design against specifically. First, autonomy creep: the gradual expansion of what an agent may fix without a signature. Defend it by deriving authority from policy, never letting a fleet widen its own scope. Second, evidence gaps on low-risk fixes: the changes nobody watches are where audit gaps hide, so an auto-validated remediation needs the *same* evidence bundle as a heavily reviewed one. The absence of a human in a given path raises the bar on the trail; it does not lower it.

06

What to do Monday morning

A conservative path that respects the boundary and builds the audit posture before it grants any authority:

  • Validate before you remediate. Run the closed loop in observe-only mode inside one accredited workflow first. Prove the evidence trail satisfies your assessors with zero egress before any fix is authorized.
  • Pilot remediation in local-only mode. First governed fixes should leave no evidence at all. Earn egress later, deliberately.
  • Wire authorization to existing change control. Reuse your separation-of-duties and named-approver chains rather than inventing a parallel process an auditor has never seen.
  • Tier by reachability. Send only genuinely exploitable, reachable findings to a human signature; let the rest stay in the queue with full evidence, unauthorized.
07

The bottom line

続きを読む

01Zof Console

姿勢、操作、次に注意が必要なことを 1 つの面で確認できます。

エンジニアリング、QA、SREの各チームが毎日開く認証済みのホーム。品質の姿勢、進行中の実行、モジュールごとのカバレッジ、そして次に注目すべきことが分かります。

運用上の KPI

実行数、カバレッジ、リスク

出荷先のあらゆる環境に対応します。

ワークスパイン

仕様・テスト・スケジュール

仕様から計画された回帰まで。

ガードレール

RBAC・SSO・監査

指定された人間に起因するすべての行為。

LIVE/console
Zof AI ホーム コマンド センターには、94% パスでの 12 件の実行、3 つの未解決の重大な問題、84% のカバレッジ、4 つのモジュール トレーサビリティ バー、仕様パイプライン、今後のスケジュール、アクティブ実行サイドバー付きの推奨される次のアクションが表示されます。
ホーム ビュー · チェックアウト サービス · ステージング · 製品からライブでキャプチャ。
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

Remediating Inside the Enclave: Governed Fixing With Signed Edge Runne