file-guard: per-process access control for credential files

Env-injection vaults cover programs you can launch under a wrapper, but they do not cover the long tail of tools that insist on writing their own plaintext credentials to disk and reading them back themselves. That is the real attack surface for supply-chain secret theft: malicious code in a dependency runs with your uid and quietly reads ~/.aws/credentials, the gcloud config, SSH keys, or a CLI token store, then exfiltrates them. Permissions are no defense, because the attacker is you as far as the kernel is concerned.

file-guard mounts a read-write FUSE file at the credential path. On every open() it resolves the calling process from the FUSE request, identifies the binary via /proc/<pid>/exe, and evaluates a policy in the direction of access: real contents only to binaries you have authorized, EACCES or an interactive prompt otherwise. Identity is pinned hard: an allow-always rule pins the binary sha256, so a package upgrade or a swapped-in binary re-prompts instead of silently inheriting the grant; interpreter rules additionally pin the entry script path and its content hash, so python running gcloud does not bless every other script. Session grants are bound to pid plus process start_time, so a recycled PID cannot inherit a one-time allow. The root daemon has no display, so prompts go to a session agent over a systemd socket-activated unix socket with a peer-cred uid check. Authorized writes are buffered per handle and persisted on close, so tools need no reconfiguration. It targets the real supply-chain surface: malicious dependency code running as you, quietly reading credential files off disk.