'use client'
/*
 * Client component rendering the "Defense in depth" section: a platform-specific
 * list of sandbox layer cards (Linux or macOS), chosen from the current value of
 * the usePlatform() hook (defined in ./platform-toggle, not visible here).
 *
 * NOTE(review): LayersIcon and PlatformToggle are imported but not referenced in
 * the text visible in this chunk; they are presumably used in the JSX markup,
 * whose tags are not preserved in this rendering — confirm against the original file.
 */
import { Box, Lock, ShieldCheck, Eye, Wifi, Layers as LayersIcon, Shield, AppWindow, Terminal } from 'lucide-react'
import { PlatformToggle, usePlatform } from './platform-toggle'

/*
 * Card data for the Linux sandbox. Each entry: icon (lucide component), name and
 * tag (shown together as the card heading/category), desc (user-facing copy) and
 * detail (caption; here the kernel version the copy says the feature requires).
 *
 * NOTE(review): these strings are security claims shown to the user (e.g. the
 * "27+" denied-syscall count, "every permission denial is captured"). Nothing in
 * this file ties them to the actual policy; when the sandbox's seccomp list,
 * Landlock rules or monitoring change, this copy must be updated in step or the
 * page will overstate what is enforced.
 */
const linuxLayers = [
  {
    icon: Box,
    name: 'Bubblewrap',
    tag: 'Namespaces',
    desc: 'Process, network, and mount isolation via Linux namespaces. The foundational containment layer that creates a fully isolated process environment.',
    detail: 'Linux 3.8+',
  },
  {
    icon: Lock,
    name: 'Landlock',
    tag: 'Filesystem',
    desc: 'Kernel-level filesystem access control. Enforces granular read/write permissions below userspace. Processes cannot escalate their own access.',
    detail: 'Linux 5.13+',
  },
  {
    icon: ShieldCheck,
    name: 'Seccomp BPF',
    tag: 'Syscalls',
    desc: 'Blocks 27+ dangerous system calls at the kernel boundary. ptrace, mount, kexec, module loading, and BPF manipulation are all denied.',
    detail: 'Linux 3.5+',
  },
  {
    icon: Eye,
    name: 'eBPF Monitoring',
    tag: 'Visibility',
    desc: 'Traces syscall exits in real time across all layers. Every permission denial is captured instantly with full context: process, path, and reason.',
    detail: 'Linux 4.15+',
  },
  {
    icon: Wifi,
    name: 'TUN + SOCKS5 Proxy',
    tag: 'Network',
    desc: 'Transparent network capture at the kernel level via TUN device. All TCP/UDP traffic is routed through the proxy, even binaries that ignore env vars.',
    detail: 'Any kernel',
  },
]

/*
 * Card data for the macOS sandbox; same shape as linuxLayers, with `detail`
 * naming the enforcing mechanism rather than a kernel version.
 *
 * NOTE(review): the "Proxy-Based Network" copy says traffic is proxied "via
 * environment variables" and relies on Seatbelt network rules to block direct
 * connections. Env-var proxying by itself is advisory (the Linux TUN card above
 * makes exactly that point about binaries that ignore env vars), so the
 * effective control is the Seatbelt rule — confirm the generated profile really
 * denies direct socket access before presenting this as a layer.
 */
const macosLayers = [
  {
    icon: Shield,
    name: 'Seatbelt Sandbox',
    tag: 'Core',
    desc: 'macOS kernel sandbox with dynamically generated profiles. Default-deny policy with explicit allowlists for filesystem, network, IPC, and process operations.',
    detail: 'macOS native',
  },
  {
    icon: Lock,
    name: 'Filesystem Policy',
    tag: 'Filesystem',
    desc: 'Fine-grained read/write rules using literal paths, subpath matching, and regex patterns. Sensitive files like SSH keys and .env are always protected.',
    detail: 'Seatbelt rules',
  },
  {
    icon: AppWindow,
    name: 'Mach IPC Control',
    tag: 'IPC',
    /* NOTE(review): this literal spans a line break in the source as rendered
       here (likely an extraction artifact); kept as-is rather than guessed at. */
    desc: 'Allowlist of safe Mach IPC services. 
Prevents sandboxed processes from communicating with privileged system services outside the policy boundary.',
    detail: 'Service allowlist',
  },
  {
    icon: Terminal,
    name: 'Log Stream Monitor',
    tag: 'Visibility',
    desc: 'Session-tagged violation monitoring via macOS log stream. Every denied operation is captured in real time with the process and path that triggered it.',
    detail: 'macOS native',
  },
  {
    icon: Wifi,
    name: 'Proxy-Based Network',
    tag: 'Network',
    desc: 'Outbound traffic routed through proxy via environment variables. Combined with Seatbelt network rules to block raw socket access and direct connections.',
    detail: 'Env var proxy',
  },
]

/**
 * Section component. Reads the current platform from usePlatform() (first
 * element of the returned tuple), selects linuxLayers when it is 'linux' and
 * macosLayers otherwise, and renders one card per layer showing name, tag, desc
 * and detail, plus platform-specific heading, intro text and a closing hint
 * naming the CLI command to run (`greywall --linux-features` / `greywall check`).
 *
 * NOTE(review): the JSX element tags of the returned markup are not preserved
 * in this rendering of the file; only the text nodes and expressions below are
 * visible, so the structure (and where LayersIcon/PlatformToggle are mounted)
 * cannot be documented from here.
 */
export function Layers() {
  const [platform] = usePlatform()
  // Any non-'linux' value (presumably 'macos') falls through to the macOS cards.
  const layers = platform === 'linux' ? linuxLayers : macosLayers
  return (
Defense in depth

{platform === 'linux' ? 'Five orthogonal security layers.' : 'Kernel-enforced on every call.'}

{platform === 'linux' ? 'Each layer operates independently. A bug in one is caught by another. No single point of failure. Every constraint is enforced at the kernel level.' : 'macOS Seatbelt enforces deny-by-default policies before any syscall completes. The sandbox profile is generated per-session with rules tailored to your project.'}

{layers.map((layer) => (

{layer.name}

{layer.tag}

{layer.desc}

{layer.detail}
))}

{platform === 'linux' ? ( <> Graceful degradation.{' '} Greywall detects kernel features at runtime and activates every layer your system supports. Run{' '} greywall --linux-features {' '} to see what's available. ) : ( <> No dependencies.{' '} macOS sandboxing uses only built-in OS capabilities. No packages to install. Run{' '} greywall check {' '} to verify your setup. )}

) }