Hoxline by HawkinsOperations

Hoxline: Run the ProofOps loop.

Executable claim control for AI-assisted security work.

Capability Visual Data Pack v1 shows what Hoxline can verify today: HO-DET-001 loop execution, reviewer-readable outputs, output contract checks, bounded claim decisions, and still-gated runtime and signal evidence.

Capability visual data pack v1 | HO-DET-001 | Controlled test validated | Runtime gated | Signal missing evidence | Human review required
HO-DET-001 | Controlled test validated

Pass

Controlled Validation

Controlled validation is limited to controlled positive and negative process-creation fixtures.

Hoxline Engine Room

Run the ProofOps loop against real detection work.

The current public example is HO-DET-001: Hoxline packages the Gauntlet loop, emits reviewer outputs, preserves controlled-validation scope, and hands claim wording to source-owned authority surfaces.

Gauntlet v0 | Controlled test validated | Runtime blocked | Signal missing evidence | Human review required
Snapshot under 14-day freshness window. Website rendering reads this snapshot; proof, validation, platform, detections, Hoxline, and org routing records own their respective facts.

Clone-runnable path

Run the Hoxline review path

Generated status prevents stale website numbers from becoming accidental authority. The source routes and commands make the review path inspectable instead of presentation-only.

Inspect | Download | Clone | Run
  1. HO-DET-001
  2. Gauntlet
  3. Artifacts
  4. Verifier
  5. Claim gate

Download, clone, and run commands (reviewer-runnable)

Clone: git clone https://github.com/HawkinsOperations/hoxline.git

Working directory after clone: hoxline repo root

Hoxline tests: python -B -m pytest -q tests

Repo: HawkinsOperations/hoxline. Working directory: hoxline repo root.

Hoxline Gauntlet output verifier: python -B -m hoxline gauntlet verify --input examples/gauntlet/ho-det-001-full-loop-run-v0.json --schema schemas/gauntlet-full-loop-run-v0.schema.json

Repo: HawkinsOperations/hoxline. Working directory: hoxline repo root.

Website site contract: npm run check:site

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

Website static build: npm run build

Repo: HawkinsOperations/hawkinsoperations-website. Working directory: hawkinsoperations-website repo root.

These commands are review paths in their owning repositories. Website rendering displays the route; it does not convert command output into proof authority.

Detection-to-ProofOps route

What enters the loop: source behavior, attack context, validation state.

Hoxline is strongest when the incoming security work already carries source, ATT&CK orientation, telemetry assumptions, and validation boundaries into Claim Authority.

01 Detection artifact
02 ATT&CK / Kill Chain context
03 Evidence graph
04 Telemetry contract
05 Controlled validation
06 Gauntlet output
07 Claim authority
08 Safe wording / blocked stronger claim

Incoming detection context

Source truth: detection source packages, ATT&CK orientation, event-field contracts

ATT&CK context: reviewer orientation; not live coverage proof

Controlled validation: 49 controlled validation fires / 106 validation cases

Proof ceiling: proof records and claim ceilings where present

Still gated inside Hoxline

Runtime Candidate Ledger: BLOCKED

Signal Observation: MISSING_EVIDENCE

CAPABILITY_VISUAL_DATA_PACK_V1 | Hoxline PR #13 | ho-det-001-capability-visual-data-pack-v1 | stage_status_distribution 5
Canonical loop stages: 11 (measured in PR #13 pack)
Authority surfaces: 7 (measured in PR #13 pack)
Reviewer outputs: 2 (JSON and Markdown)
Current pytest count: 53 (pack validation run)

Controlled capability before gated states

What Hoxline can verify today

Capability Visual Data Pack v1 makes the product feel like an engine: it records the canonical HO-DET-001 loop, reviewer outputs, output contract checks, bounded metrics, visual modules, and remaining gates without promoting runtime or signal claims.

capability_maturity_chart

Positive capability is shown first; the PR #13 maturity chart keeps gated areas visible without taking over the story.

[available] Canonical ProofOps loop

Hoxline can run the canonical ProofOps loop for HO-DET-001.

examples/gauntlet/ho-det-001-full-loop-run-v0.json

[available] Reviewer-readable JSON

Hoxline can emit reviewer-readable JSON.

examples/gauntlet/ho-det-001-full-loop-run-v0.json

[available] Reviewer-readable Markdown

Hoxline can emit reviewer-readable Markdown.

examples/gauntlet/ho-det-001-full-loop-run-v0.md

[available] Output contract verification

Hoxline can verify the Gauntlet full-loop output contract.

schemas/gauntlet-full-loop-run-v0.schema.json

[controlled] Proof ceiling preservation

Hoxline can preserve the CONTROLLED_TEST_VALIDATED proof ceiling.

examples/gauntlet/ho-det-001-full-loop-run-v0.json

[available] Safe claim mapping

Hoxline can map artifact state to allowed claim wording.

examples/gauntlet/ho-det-001-proofcard-v0.json

[available] Blocked claim mapping

Hoxline can map blocked claim families to safer wording and missing evidence.

examples/gauntlet/ho-det-001-full-loop-run-v0.json

[gated] Runtime and signal gating

Hoxline can keep runtime and signal gated when evidence is missing.

examples/gauntlet/ho-det-001-full-loop-run-v0.json

[controlled] Authority separation

Hoxline can represent authority separation across the seven-repo system.

README.md

[available] Single-artifact story

Hoxline can show one artifact, one loop, one safe claim, and blocked stronger claims.

docs/gauntlet/HO_DET_001_GAUNTLET_RUN.md

Gauntlet full-loop runner: operational v0
Gauntlet output contract: contracted v0
Controlled validation packaging: validated in controlled scope
Claim Authority packaging: working boundary control
Runtime evidence: gated
Signal evidence: gated
Public-safe release: not public-safe
Business, legal, and market claims: not asserted

stage_status_distribution

Visual stage status data

Capability Visual Data Pack v1 exposes the loop as status data, not as a flat warning list.

PASS: 7
BLOCKED: 1
MISSING_EVIDENCE: 1
HUMAN_REVIEW_REQUIRED: 1
REFERENCE_ONLY: 1

Controlled positives: 7 (measured)
Controlled negatives: 7 (measured)
Matched positives: 7 (measured)
Missed positives: 0 (measured)
False-positive negatives: 0 (measured)
Blocked families: 23 (claim authority metrics)
Missing evidence groups: 17 (claim decision chart)
Output contract tests: 8 (test_hoxline_gauntlet.py)

LOCAL_CHECKOUT_CLI
$env:PYTHONPATH='src'; python -B -m hoxline gauntlet run --artifact HO-DET-001 --format json
$env:PYTHONPATH='src'; python -B -m hoxline gauntlet run --artifact HO-DET-001 --format markdown

generated_outputs_chart

Output artifact wall

Reviewer-readable outputs are surfaced as artifacts. They are routes to inspect, not proof promotion.

json

Full-loop JSON

Target reader: reviewer or website data loader.

JSON: 1 | Markdown: 1 | Schema: 2

visual modules

PR #13 module map

The website renders the exact visual modules defined by the Capability Visual Data Pack v1.

mission_control_hero: Mission Control Hero

Show Hoxline as a working ProofOps control plane for one artifact.

proofops_loop_orbit: ProofOps Loop Orbit

Render the 11-stage loop with status coloring.

gauntlet_execution_console: Gauntlet Execution Console

Show generated outputs and verifier command.

capability_maturity_visual: Capability Maturity Visual

Separate built capabilities from gated capabilities.

authority_constellation: Authority Constellation

Show seven-repo authority separation.

evidence_pipeline_timeline: Evidence Pipeline Timeline

Trace artifact data from demo packaging through Gauntlet output.

claim_decision_matrix: Claim Decision Matrix

Show one allowed claim and collapsed blocked families.

generated_outputs_wall: Generated Outputs Wall

Show the concrete artifacts available to reviewers and website loaders.

reviewer_path_timeline: Reviewer Path Timeline

Show how a reviewer moves from source references to safe claim.

still_gated_panel: Still Gated Panel

Summarize remaining gates without making them the primary story.

complexity_stats_rail: Complexity Stats Rail

Show bounded counts that explain the amount of working structure.

ProofOps control for the AI security era. AI is not the authority. Evidence is. Hoxline controls what AI-assisted security work is allowed to become while Capability Visual Data Pack v1 keeps runtime, signal, public-safe, production, customer, and approval claims blocked unless evidence exists.

Runner: GAUNTLET_V0
Artifact: HO-DET-001
Ceiling: CONTROLLED_TEST_VALIDATED
Runtime: gated
Signal: missing evidence
Human review: required

Interactive visual intelligence

Gauntlet engine

The same controlled-loop data is rendered as a stage orbit, authority constellation, evidence path timeline, and claim decision matrix. These visuals make complexity inspectable without turning the website into proof.

LoopStatusOrbit

Tap a node to inspect status, reviewer note, authority refs, and missing evidence.

HO-DET-001 | Controlled test validated

Pass

Controlled Validation

Controlled validation is limited to controlled positive and negative process-creation fixtures.

Authority refs: hawkinsoperations-validation
Missing evidence: None listed for this stage

authority_surface_chart

Seven surfaces, separated

Hoxline is the control route. It does not replace proof, source, validation, platform, website, or org routing boundaries.

control

hoxline

ProofOps control plane

Owns claim boundary packaging, Gauntlet runner, output contract, and website-ready data; does not own proof authority.

build_timeline

Reviewer path from source to gated claims

Tap a node to inspect what exists today and what remains gated.

manifest

HO-DET-001 controlled demo packaging

Controlled demo artifacts and reviewer entry points were packaged.

claim_decision_chart

Allowed, blocked, and required evidence

Toggle the decision families. Blocked claims are visible as boundaries, not as product claims.

allowed

Allowed controlled claim

One allowed controlled-validation claim is present in the visual data pack.

HO-DET-001 has controlled validation evidence from controlled positive and negative process-creation fixtures and remains under review.

AI speed meets evidence discipline

The Claim Problem

AI can draft convincing security claims faster than an organization can safely prove them. Hoxline keeps generated output, evidence, validation, telemetry, proof ceilings, and human review from collapsing into one public sentence.

Problem

Fast output

AI-assisted work can create detection ideas, summaries, and reviewer notes quickly.

Problem

Slow authority

Evidence, validation, telemetry, proof records, and review gates must stay explicit.

Problem

Claim pressure

The dangerous step is turning useful output into wording that sounds stronger than the evidence.

Authority boundary

Product thesis: AI is not the authority. Evidence is.

Hoxline is the control layer for claim movement. It does not make the website a proof source, does not promote public_safe, and does not convert controlled validation into runtime or signal proof.

AI role: labor and drafting
Evidence role: authority input
Hoxline role: claim-control layer
Website role: rendering only
Current ceiling: CONTROLLED_TEST_VALIDATED
Promotion: human_review_required true

From generated output to claim-ready evidence

What Hoxline Controls

Hoxline organizes the movement from AI-assisted work into reviewer-readable evidence boundaries. Each control keeps one authority surface from being confused with another.

Intake

AI output intake

Generated security work enters as a named artifact with scope, source, and reviewer context attached.

Graph

Evidence graphing

Artifact, validation, runtime candidate, signal, review, and claim nodes stay separated for inspection.

State

Validation state

Controlled fixture status is shown as evidence state, not as runtime or signal truth.

Ceiling

Proof ceiling

The current ceiling travels with the artifact so public language cannot climb past evidence.

Decision

Claim decision

Claim Authority separates allowed controlled-validation wording from blocked stronger families.

Review

Reviewer handoff

The route points reviewers to proof, source, validation, and platform authority before trust is granted.

Separate the layers

The Hoxline Answer

The product value is not a bigger claim. It is a disciplined route that keeps generated output, evidence, validation, proof records, public rendering, and claim authority in separate compartments.

Layer

Generated output

Useful draft material, never authority.

Layer

Evidence

References attached to source-controlled artifacts.

Layer

Validation

Controlled behavior checks with explicit fixture scope.

Layer

Proof records

Owned by the proof authority surface, not this page.

Layer

Public rendering

Readable website surface only.

Layer

Claim authority

Hoxline capability for allowed and blocked wording.

Interactive control diagram

ProofOps Loop

Tap a step to inspect the control. The active step shows what happens, what control applies, and what remains blocked.

Interactive ProofOps loop

AI helps. Evidence gates. Humans promote.

5 of 11: Controlled Validation

Active gate

Controlled Validation

What happens: Controlled positive and negative fixtures define the current evidence state.
Control: The ceiling is CONTROLLED_TEST_VALIDATED.
Still blocked: Controlled validation proves controlled validation only.

One artifact, one loop, one bounded claim

HO-DET-001 Controlled Demo Spotlight

HO-DET-001 is the flagship example for the current route. It demonstrates controlled validation boundaries without promoting runtime, signal, public-safe, production, customer, or final authorization claims.

Artifact

HO-DET-001: controlled validation bridge

The demo package shows controlled positive and negative fixture validation evidence and keeps the current ceiling visible. It does not authorize stronger public wording.

public_safe false | human review required | runtime not promoted | signal not promoted

State

CONTROLLED_TEST_VALIDATED

Controlled validation evidence exists for the bounded package.

ProofCard

Rendering route

The website can display the ProofCard context but does not become proof authority.

Allowed wording

Safe claim

HO-DET-001 has controlled validation evidence from controlled positive and negative process-creation fixtures and remains under review.

This wording stays below the current evidence ceiling.

Blocked claim

Runtime / signal / public-safe

Runtime, signal, public-safe, production, customer, and final authorization wording remain blocked.

Claim Authority

Claim Boundary Matrix

Hoxline makes the decision surface visible: what the current evidence allows, what remains blocked, and what needs authority review.

Allowed

Controlled validation evidence exists

HO-DET-001 has controlled positive and negative fixture validation evidence under the current ceiling.

Blocked

Runtime or signal promotion

Runtime-active, runtime proven, signal observed, and public signal proof wording remain blocked.

Blocked

Public release or deployment wording

public_safe remains false; production, customer, deployment, and SOCaaS status are not claimed.

Required

Human and authority review

human_review_required remains true and authority references must be inspected before stronger claims.
Blocked: runtime-active status
Blocked: runtime proven status
Blocked: signal observed status
Blocked: public-safe proof
Blocked: production-ready status
Blocked: SOCaaS-ready status
Blocked: SOCaaS deployed status
Blocked: customer deployed status
Blocked: AI approved disposition
Blocked: analyst approved disposition
Blocked: final human authorization
Blocked: case closed status
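
The matrix above can be read as a fail-closed check. The Python sketch below is an added example, not code from the Hoxline repository: the state keys, the regex grouping of blocked families, and the function names are assumptions, while the gate values and the allowed sentences are the ones shown on this page.

```python
import re

# Gate states as this page reports them for HO-DET-001 (key names are assumed).
STATE = {
    "proof_ceiling": "CONTROLLED_TEST_VALIDATED",
    "runtime_candidate_ledger": "BLOCKED",
    "signal_observation": "MISSING_EVIDENCE",
    "public_safe": False,
    "human_review_required": True,
}

# Approved sentences per ceiling, copied from the page's allowed-claim panels.
ALLOWED_WORDING = {
    "CONTROLLED_TEST_VALIDATED": {
        "HO-DET-001 has controlled validation evidence from controlled positive "
        "and negative process-creation fixtures and remains under review.",
        "HO-DET-001 has controlled validation evidence and remains under "
        "governed review.",
    },
}

# Assumed grouping of the page's blocked wording by the gate each family waits on.
BLOCKED_FAMILIES = {
    "runtime": (r"runtime[- ](active|proven)", "runtime_candidate_ledger"),
    "signal": (r"signal (observed|proof)", "signal_observation"),
    "release": (r"public[-_ ]safe|production[- ]ready|socaas|customer deployed",
                "public_safe"),
    "disposition": (r"(ai|analyst) approved|final human authorization|case closed",
                    "human_review_required"),
}


def normalize(text):
    """Collapse whitespace so line wrapping cannot defeat the exact match."""
    return " ".join(text.split())


def gate_open(gate, state):
    """A gate opens only on an explicit positive value; absent keys stay closed."""
    value = state.get(gate)
    if gate == "public_safe":
        return value is True
    if gate == "human_review_required":
        return value is False
    return value == "PASS"


def evaluate_claim(text, state=STATE):
    """Return (decision, closed_gates) for one draft sentence."""
    clean = normalize(text)
    hits = {gate for pattern, gate in BLOCKED_FAMILIES.values()
            if re.search(pattern, clean, re.IGNORECASE)}
    closed = sorted(g for g in hits if not gate_open(g, state))
    if closed:
        return "BLOCKED", closed
    if not hits and clean in ALLOWED_WORDING.get(state.get("proof_ceiling"), set()):
        return "ALLOWED", []
    # Unknown wording, or a stronger family whose gate opened: a person decides.
    return "HUMAN_REVIEW_REQUIRED", []
```

Matching is deliberately conservative: only exact approved wording is allowed, and any sentence that is neither approved nor blocked goes to a reviewer instead of passing by default.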

Seven surfaces, separate authority

Authority Architecture

The architecture is intentionally split. Hoxline controls product flow and claim decisions, while proof, source, validation, platform, rendering, and organization routing keep their own authority boundaries.

product/control plane

hoxline

Routes AI-assisted work into evidence-bound claim decisions.

source truth

hawkinsoperations-detections

Owns detection packages, rule context, and source metadata.

behavior truth

hawkinsoperations-validation

Owns controlled fixture behavior status.

contracts/ledgers/promotion authority

hawkinsoperations-platform

Owns schemas, ledgers, and promotion mechanics.

proof authority

hawkinsoperations-proof

Owns proof records and evidence ceilings.

rendering only

hawkinsoperations-website

Displays public reviewer routes without creating proof.

org/reviewer routing

HawkinsOperations.github

Connects org-level review and workflow routing.

Where to begin

Reviewer Start Path

A reviewer should not start by trusting the page. Start with the controlled package, then inspect ceilings and authority references.

Step 1

Inspect the controlled demo package

Start with the HO-DET-001 bridge, release packet, and existing bounded case-file route.

Step 2

Inspect the proof ceiling and blocked claims

Confirm the ceiling is CONTROLLED_TEST_VALIDATED and stronger claim families remain blocked.

Step 3

Inspect authority references

Check proof, detections, validation, and platform surfaces before trusting public wording.

Reviewer lens

What leadership can trust

Hoxline makes the evidence ceiling and blocked claim families visible before AI-assisted security work becomes public wording.

  • The product controls claim movement, not proof truth.
  • The safe claim stays below CONTROLLED_TEST_VALIDATED.
  • public_safe remains false and human review remains required.

Authority boundary

Hoxline Public Reviewer Packet v0

This route renders the packet as reviewer orientation only. Rendering is not proof, public_safe remains false, private runtime references are not public proof, human review remains required, no ledger append happened, no public proof promotion happened, and no schedule was enabled.

Packet status: NOT_PUBLIC_SAFE
Public ceiling: CONTROLLED_TEST_VALIDATED
Private references: hash references only
Website: rendering only
Human review: required
Promotion: not promoted

Reviewer packet

Current-state panel

Hoxline Public Reviewer Packet v0 keeps public_safe false, human review required, website rendering below proof, and green CI below approval.

Reviewer packet

Allowed claim

HO-DET-001 has controlled validation evidence and remains under governed review.

Reviewer packet

Blocked stronger claims

The packet does not claim runtime proof, signal observation, production readiness, customer deployment, SOCaaS deployment, AI approval, analyst approval, case closure, or public proof promotion.

Reviewer packet

HO-DET-011 / HO-DET-012 boundary

Both remain waiting on real operator evidence; marker hits without governed execution IDs do not establish operator receipt evidence.

Reviewer packet

Private reference boundary

Private runtime reference digests are hash references only. They are not public proof and do not raise the public proof ceiling.

Reviewer packet

No promotion side effects

No ledger append, no public proof promotion, and no schedule enablement are created by this page.

Still gated

What stronger wording still needs

These states remain required before stronger public claims can move.

Runtime Candidate Ledger: BLOCKED
Signal Observation: MISSING_EVIDENCE
Human Review Gate: HUMAN_REVIEW_REQUIRED
Public-safe release: NOT_PUBLIC_SAFE
Business and legal claims: MISSING_EVIDENCE

Website rendering cannot supply these records. Hoxline visualizes the boundary and keeps public_safe false with human_review_required true.

Authority boundary

Trust Boundary

This is the compact operating boundary for the page. Hoxline helps control claims, but it does not create proof authority or promote stronger states by rendering them.

Website rendering: not proof
Hoxline: not proof authority
runtime / signal: blocked
public_safe: false
Human review: required
Controlled validation: current ceiling only

Evidence required before stronger claims

Next Gate

Stronger wording would require separate evidence and authority updates. Website rendering cannot supply those gates.

Required next evidence

Separate runtime evidence from the appropriate authority path.

Required next evidence

Preserved signal evidence tied to the artifact and telemetry contract.

Required next evidence

Updated promotion ledger state in the platform authority surface.

Required next evidence

Proof authority update that raises the ceiling without relying on website rendering.

Required next evidence

Explicit human review decision before public wording changes.