<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>100eyes.watch</title><description>The watchtower around ARGUS, built in public.</description><link>https://100eyes.watch/</link><item><title>Template check: code, footnotes, tags</title><link>https://100eyes.watch/blog/template-check/</link><guid isPermaLink="true">https://100eyes.watch/blog/template-check/</guid><description>A placeholder post that exercises the post template — a code block, a footnote, and tag routing. Real writing replaces this.</description><pubDate>Fri, 03 Jul 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;This post is scaffolding, not an article. It exists to prove the blog
template renders correctly — a code block, a footnote&lt;sup&gt;&lt;a href=&quot;#user-content-fn-1&quot; id=&quot;user-content-fnref-1&quot; data-footnote-ref=&quot;true&quot; aria-describedby=&quot;footnote-label&quot;&gt;1&lt;/a&gt;&lt;/sup&gt;, and the tag link
below — before real writing replaces it in its own session.&lt;/p&gt;
&lt;pre class=&quot;astro-code 100eyes-watch shiki-pre&quot; tabindex=&quot;0&quot; data-language=&quot;bash&quot;&gt;&lt;code&gt;&lt;span class=&quot;line&quot;&gt;&lt;span class=&quot;sk-accent&quot;&gt;echo&lt;/span&gt;&lt;span class=&quot;sk-muted&quot;&gt; &quot;&lt;/span&gt;&lt;span class=&quot;sk-fg&quot;&gt;this line is intentionally long to force horizontal scroll inside the code block itself on a 360px viewport, without ever breaking the page&apos;s own layout&lt;/span&gt;&lt;span class=&quot;sk-muted&quot;&gt;&quot;&lt;/span&gt;&lt;span class=&quot;sk-muted&quot;&gt; &amp;#x26;&amp;#x26;&lt;/span&gt;&lt;span class=&quot;sk-accent&quot;&gt; exit&lt;/span&gt;&lt;span class=&quot;sk-fg&quot;&gt; 0&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;section data-footnotes=&quot;true&quot; class=&quot;footnotes&quot;&gt;&lt;h2 class=&quot;sr-only&quot; id=&quot;footnote-label&quot;&gt;Footnotes&lt;/h2&gt;
&lt;ol&gt;
&lt;li id=&quot;user-content-fn-1&quot;&gt;
&lt;p&gt;This is the footnote. Its return link must be reachable by keyboard alone, same as every other link on the page. &lt;a href=&quot;#user-content-fnref-1&quot; data-footnote-backref aria-label=&quot;Back to reference 1&quot; class=&quot;data-footnote-backref&quot;&gt;↩&lt;/a&gt;&lt;/p&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;/section&gt;</content:encoded><category>meta</category></item><item><title>Reading mail without touching it</title><link>https://100eyes.watch/argus/log/reading-mail-without-touching-it/</link><guid isPermaLink="true">https://100eyes.watch/argus/log/reading-mail-without-touching-it/</guid><description>Two-phase IMAP fetch: BODYSTRUCTURE first, then only the text parts, read-only via BODY.PEEK, with hard size caps.</description><pubDate>Thu, 25 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;The email scanner must never alter mailbox state. A scanner that marks mail
as read — or worse, moves it — is indistinguishable from the attacks it is
supposed to catch. So every fetch is read-only: &lt;code&gt;BODY.PEEK&lt;/code&gt; throughout, on a
read-only &lt;code&gt;SELECT&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;The fetch itself is two-phase. Phase one pulls the headers and the
&lt;code&gt;BODYSTRUCTURE&lt;/code&gt; — the full MIME tree — with &lt;strong&gt;zero body bytes&lt;/strong&gt; transferred.
Phase two fetches only the text parts the feature extractor actually needs.&lt;/p&gt;
&lt;p&gt;Hard caps bound the worst case: any single MIME part over 5 MB is skipped
and recorded rather than fetched, and a running total stops the fetch
entirely past 25 MB.&lt;/p&gt;
&lt;p&gt;The privacy boundary holds here too: bodies are parsed for structure and
indicators. Raw content never leaves the machine.&lt;/p&gt;</content:encoded><category>phase-1</category><category>decided</category><category>email-scanner</category></item><item><title>XGBoost sets the bar at 97.78 — on validation</title><link>https://100eyes.watch/argus/log/xgboost-sets-the-bar/</link><guid isPermaLink="true">https://100eyes.watch/argus/log/xgboost-sets-the-bar/</guid><description>XGBoost on 2381 EMBER features: 97.78% validation accuracy, 0.98 F1. CNN and fusion pending. Test set stays locked.</description><pubDate>Tue, 16 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;Three approaches are being compared for ARGUS’s Gate-2 classifier: symbolic
rules against named features, XGBoost on the 2381 EMBER 2018 v2 features,
and a 1D CNN reading raw file bytes.&lt;/p&gt;
&lt;p&gt;First result: XGBoost, trained on 509,932 samples and evaluated on 89,988
samples it had never seen, scores &lt;strong&gt;97.78% accuracy and 0.98 F1 — on the
validation set&lt;/strong&gt;. Both classes hit 0.98 precision and recall; no significant
bias toward benign or malware.&lt;/p&gt;
&lt;p&gt;These are validation numbers, not final results. The held-out test set was
isolated before any model was trained and stays locked until all three
approaches are complete — it gets touched once, at the end. Anything else
would let the test set leak into model choices, and the final numbers would
be quietly dishonest.&lt;/p&gt;
&lt;p&gt;CNN and fusion are next.&lt;/p&gt;</content:encoded><category>research</category><category>learned</category><category>gate-2-classifier</category></item><item><title>The daemon stands up</title><link>https://100eyes.watch/argus/log/the-daemon-stands-up/</link><guid isPermaLink="true">https://100eyes.watch/argus/log/the-daemon-stands-up/</guid><description>ArgusDaemon built: one processor thread routes watcher and scanner events through the gate pipeline. Five smoke tests pass.</description><pubDate>Tue, 09 Jun 2026 00:00:00 GMT</pubDate><content:encoded>&lt;p&gt;ArgusDaemon is the always-on core: one processor thread receives events from
the file watcher and the email scanner and routes them through the
gate-keeper pipeline.&lt;/p&gt;
&lt;p&gt;The universal contract, enforced from day one: the incident record is
written to the hash-chained, append-only SQLite log &lt;strong&gt;first, synchronously,
before anything else acts&lt;/strong&gt;. If the log write fails, nothing downstream
happens.&lt;/p&gt;
&lt;p&gt;The second invariant is the staging zone. New downloads land under a
deny-execute ACL and nothing in that zone executes without a verdict —
quarantine-first, guilty until proven innocent.&lt;/p&gt;
&lt;p&gt;Five smoke tests pass: the daemon starts, watches, routes, logs, and shuts
down cleanly.&lt;/p&gt;</content:encoded><category>phase-1</category><category>built</category><category>daemon</category></item></channel></rss>