Summary
Docs-only patch release. No code changes; the agent binary is identical to v0.4.0. You do not need to upgrade unless you care about the published claims.
This release closes two documentation drifts that slipped through v0.4.0:
- Unverified head-to-head performance claims removed from README.md and from the research paper / conference abstracts. These claimed per-syscall latency, memory footprint, and policy-reload numbers for Falco, Tetragon, and Tracee that had never been measured on the same hardware in this repository. docs/PERFORMANCE_COMPARISON.md had already been rewritten to drop these numbers earlier in the v0.4.x cycle; the README and the research/ abstracts were missed during that pass.
- SECURITY.md rolled forward. v0.4.0 actually shipped today, so the "0.4.x pre-release, not yet published" line was factually wrong. The version table now lists 0.4.x as current stable and 0.3.x as previous-minor (critical fixes only), matching the N / N-1 window in docs/SUPPORT_POLICY.md.
What changed
- README.md: comparison table replaced with an architectural-only table (adds KubeArmor column, adds OverlayFS copy-up and IMA exec identity rows, drops the µs / MB / reload numbers). Explicit "what is not in this table" block now points at docs/PERFORMANCE_COMPARISON.md and scripts/compare_runtime_security.sh.
- SECURITY.md: 0.4.x → Supported (current stable); 0.3.x → Supported (previous minor, critical fixes); 0.2.x → End of Life.
- research/paper-outline.md: abstract no longer claims "0.1–0.5 µs vs 2–8 µs for comparable tools" or "~15 MB vs 45–120 MB".
- research/conference-proposals.md: two abstracts cleaned of the same peer-comparison numbers.
What is explicitly NOT in this release
- No new competitive performance numbers to replace the old ones. A reproducible comparative harness (scripts/compare_runtime_security.sh) is shipped so readers can produce their own same-host comparison. Until that harness has been run on a clean multi-agent host with published methodology, this repository makes no peer-tool latency or memory claims.
- No code changes. No BPF object changes. No operator CRD changes.
Known items deferred to v0.5.0
These came out of a strategic review alongside the honesty patch and are planned for the next minor release, not this patch:
- operator/api/v1alpha1/PolicySelector currently uses map[string]string + []string. Upgrading to metav1.LabelSelector (with matchExpressions) is planned for v0.5.0.
- AegisPolicySpec.Mode is currently policy-wide (enforce | audit). Per-rule Action on FileRule, NetworkRule, and ExecRule is planned for v0.5.0.
- docs/ARCHITECTURE_SUPPORT.md still contains solo AegisBPF microsecond/MB figures that predate the honest PERF_BASELINE.md numbers. Cleaning these up is tracked separately.
Verifying the release
The source tree at v0.4.1 builds the same binary as v0.4.0. Build and self-test:
git checkout v0.4.1
cmake -S . -B build -G Ninja -DCMAKE_BUILD_TYPE=Release
cmake --build build -j$(nproc)
./build/aegisbpf --version
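The notes make two checkable claims: only documentation changed between v0.4.0 and v0.4.1, and the built agent binary is identical. The script below is an added example, not part of the Aegis-BPF release or its tooling. It wraps the build commands above in a function, lists any changed path that is not documentation (what counts as documentation here is an assumption: Markdown files plus the docs/ and research/ trees named in the notes), and compares digests of the two builds. The build directory layout and the binary path build-<tag>/aegisbpf are assumptions for the example.

```shell
#!/bin/sh
# Added example, not project code: verify a docs-only release by checking
# (1) that git reports no non-documentation files changed between two tags and
# (2) that builds of both tags produce a byte-identical aegisbpf binary.
set -eu

# sha256 of a file, using whichever tool the host provides.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when two files have the same digest, 1 otherwise.
binaries_identical() {
    [ "$(file_digest "$1")" = "$(file_digest "$2")" ]
}

# Return 0 when a captured `--version` string contains the expected version
# (e.g. "0.4.1"), 1 otherwise.  Takes the output as text so it can be checked
# without running the binary.
version_matches() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Given the output of `git diff --name-only OLD NEW`, print any path that is
# not documentation.  Docs = Markdown files anywhere, plus docs/ and research/
# (an assumption for this example, based on the paths the notes mention).
non_doc_changes() {
    printf '%s\n' "$1" | grep -v -e '\.md$' -e '^docs/' -e '^research/' || true
}

# Build one tag in its own build directory and print the binary path.
# Hypothetical wrapper around the commands from the release notes; it needs
# the real repository, so the self-test below does not call it.
build_tag() {
    tag="$1"
    dir="build-$tag"
    git checkout --quiet "$tag"
    cmake -S . -B "$dir" -G Ninja -DCMAKE_BUILD_TYPE=Release >/dev/null
    cmake --build "$dir" -j"$(nproc)" >/dev/null
    printf '%s\n' "$dir/aegisbpf"
}

# Full check.  Usage (from the repository root): compare_release v0.4.0 v0.4.1
compare_release() {
    extra="$(non_doc_changes "$(git diff --name-only "$1" "$2")")"
    if [ -n "$extra" ]; then
        echo "non-documentation files changed between $1 and $2:" >&2
        printf '%s\n' "$extra" >&2
    fi
    old_bin="$(build_tag "$1")"
    new_bin="$(build_tag "$2")"
    version_matches "$("$new_bin" --version)" "${2#v}" || {
        echo "version string does not mention ${2#v}" >&2; return 1; }
    if binaries_identical "$old_bin" "$new_bin"; then
        echo "identical: $(file_digest "$new_bin")"
    else
        echo "digests differ; rule out non-deterministic build inputs" >&2
        return 1
    fi
}
```

The diff check is the stronger of the two: a digest mismatch between two Release builds can come from embedded timestamps or build paths rather than from a code change, so treat non_doc_changes as the primary signal and the digest comparison as confirmation only when the toolchain is known to build deterministically.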
Credit
This honesty patch was prompted by an external strategic review flagging that the v0.4.0 README still contained comparison claims the repository could not back with measured evidence. The critique was right, and this release is the fix.
About ErenAri/Aegis-BPF