
Copy-fail-destroyer: K8s remediation for CVE-2026-31431

April 30, 2026
Copy-Fail-Destroyer is an open-source Kubernetes DaemonSet agent from Norsk Helsenett targeting CVE-2026-31431, an in-place logic flaw in algif_aead affecting Linux kernels 4.14 through 6.19.11 that enables unprivileged page-cache writes via AF_ALG sockets. The agent polls every 5 minutes, probes authenc(hmac(sha256),cbc(aes)) bindings non-destructively, and remediates via the delete_module syscall or modprobe blacklisting, exposing four Prometheus metrics on port 9100. Platform and security engineers running unpatched nodes below kernel 6.19.12 or 6.18.22 should deploy immediately, especially in multi-tenant clusters where unprivileged write primitives are critical blast-radius risks. Unlike manual runbook remediation, this delivers fleet-wide automated detection and rollback with ArgoCD, Helm, and raw manifest support in a minimal scratch-based container image.
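For checking a single node by hand, the following is an added example and not code from Copy-Fail-Destroyer: it compares the running kernel against the version bounds quoted above and performs a bind-only AF_ALG probe of the same AEAD name. All function names are hypothetical, and the version logic assumes only the two fixed releases named in the summary, so distro backports are not recognised.

```python
import platform
import re
import socket

# Version bounds as stated in the summary above. Distro backports are not
# covered, so the version result is a hint; the bind probe is the real check.
FIRST_AFFECTED = (4, 14, 0)
FIXED_MAINLINE = (6, 19, 12)
FIXED_STABLE = (6, 18, 22)
AEAD_NAME = "authenc(hmac(sha256),cbc(aes))"

def parse_release(release):
    """Turn a uname release such as '6.18.21-generic' into (6, 18, 21)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_in_affected_range(release):
    v = parse_release(release)
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # 6.18.y carries the fix from 6.18.22 onward.
    return not (v[:2] == FIXED_STABLE[:2] and v >= FIXED_STABLE)

def algif_aead_loaded(proc_modules_text):
    """True if algif_aead is listed in /proc/modules text (built-in code is not)."""
    return any(line.split()[:1] == ["algif_aead"]
               for line in proc_modules_text.splitlines())

def aead_binding_reachable(name=AEAD_NAME):
    """Bind an AF_ALG aead socket and close it; no key is set, no data is sent."""
    if not hasattr(socket, "AF_ALG"):
        return False
    try:
        with socket.socket(socket.AF_ALG, socket.SOCK_SEQPACKET, 0) as s:
            s.bind(("aead", name))
        return True
    except OSError:  # interface absent, blocked by policy, or blacklisted
        return False

if __name__ == "__main__":
    release = platform.release()
    try:
        with open("/proc/modules") as f:
            loaded = algif_aead_loaded(f.read())
    except OSError:
        loaded = False
    print(f"kernel {release}: in affected range = {version_in_affected_range(release)}")
    print(f"algif_aead loaded = {loaded}, aead bind reachable = {aead_binding_reachable()}")
```

Where the module is not blacklisted, the bind itself can cause the kernel to autoload algif_aead, so a reachable result means an unprivileged process on that node can reach the interface even if the module was not loaded beforehand.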