<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>100eyes.watch — ARGUS log</title><description>The reverse-chronological ARGUS build log: what changed, and why.</description><link>https://100eyes.watch/</link><item><title>Reading mail without touching it</title><link>https://100eyes.watch/argus/log/reading-mail-without-touching-it/</link><guid isPermaLink="true">https://100eyes.watch/argus/log/reading-mail-without-touching-it/</guid><description>Two-phase IMAP fetch: BODYSTRUCTURE first, then only the text parts, read-only via BODY.PEEK, with hard size caps.</description><pubDate>Thu, 25 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;The email scanner must never alter mailbox state. A scanner that marks mail
as read — or worse, moves it — is indistinguishable from the attacks it is
supposed to catch. So every fetch is read-only: &lt;code&gt;BODY.PEEK&lt;/code&gt; throughout, on a
read-only &lt;code&gt;SELECT&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The fetch itself is two-phase. Phase one pulls the headers and the
&lt;code&gt;BODYSTRUCTURE&lt;/code&gt; — the full MIME tree — with &lt;strong&gt;zero body bytes&lt;/strong&gt; transferred.
Phase two fetches only the text parts the feature extractor actually needs.&lt;/p&gt;
&lt;p&gt;Hard caps bound the worst case: any single MIME part over 5 MB is skipped
and recorded rather than fetched, and a running total stops the fetch
entirely past 25 MB.&lt;/p&gt;
&lt;p&gt;The privacy boundary holds here too: bodies are parsed for structure and
indicators. Raw content never leaves the machine.&lt;/p&gt;</content:encoded><category>phase-1</category><category>decided</category><category>email-scanner</category></item><item><title>XGBoost sets the bar at 97.78 — on validation</title><link>https://100eyes.watch/argus/log/xgboost-sets-the-bar/</link><guid isPermaLink="true">https://100eyes.watch/argus/log/xgboost-sets-the-bar/</guid><description>XGBoost on 2381 EMBER features: 97.78% validation accuracy, 0.98 F1. CNN and fusion pending. Test set stays locked.</description><pubDate>Tue, 16 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Three approaches are being compared for ARGUS’s Gate-2 classifier: symbolic
rules against named features, XGBoost on the 2381 EMBER 2018 v2 features,
and a 1D CNN reading raw file bytes.&lt;/p&gt;
&lt;p&gt;First result: XGBoost, trained on 509,932 samples and evaluated on 89,988
samples it had never seen, scores &lt;strong&gt;97.78% accuracy and 0.98 F1 — on the
validation set&lt;/strong&gt;. Both classes hit 0.98 precision and recall; no significant
bias toward benign or malware.&lt;/p&gt;
&lt;p&gt;These are validation numbers, not final results. The held-out test set was
isolated before any model was trained and stays locked until all three
approaches are complete — it gets touched once, at the end. Anything else
would let the test set leak into model choices, and the final numbers would
be quietly dishonest.&lt;/p&gt;
&lt;p&gt;CNN and fusion are next.&lt;/p&gt;</content:encoded><category>research</category><category>learned</category><category>gate-2-classifier</category></item><item><title>The daemon stands up</title><link>https://100eyes.watch/argus/log/the-daemon-stands-up/</link><guid isPermaLink="true">https://100eyes.watch/argus/log/the-daemon-stands-up/</guid><description>ArgusDaemon built: one processor thread routes watcher and scanner events through the gate pipeline. Five smoke tests pass.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;ArgusDaemon is the always-on core: one processor thread receives events from
the file watcher and the email scanner and routes them through the
gate-keeper pipeline.&lt;/p&gt;
&lt;p&gt;The universal contract, enforced from day one: the incident record is
written to the hash-chained, append-only SQLite log &lt;strong&gt;first, synchronously,
before anything else acts&lt;/strong&gt;. If the log write fails, nothing downstream
happens.&lt;/p&gt;
&lt;p&gt;The second invariant is the staging zone. New downloads land under a
deny-execute ACL and nothing in that zone executes without a verdict —
quarantine-first, guilty until proven innocent.&lt;/p&gt;
&lt;p&gt;Five smoke tests pass: the daemon starts, watches, routes, logs, and shuts
down cleanly.&lt;/p&gt;</content:encoded><category>phase-1</category><category>built</category><category>daemon</category></item></channel></rss>