Security

An agent that asks before it acts.

Every privilege granted. Every action recorded. Floor identical on every tier.

Read SECURITY.md Report a vuln ↗

0Customer code on our infra

4Approval modes

30+Built-in secret patterns

100%Audit log hash-chained

The trust boundary

One bridge. Three rules.

Reads are screened

OS-layer refusal of .env, .ssh, credentials. Not just trust — structural.

Writes ask

Every write and shell command pauses at the approval gate. Always.

Actions chain

Hash-chained audit log. Tamper-evident. Verifiable from genesis.

Four postures

Pick what fits.

○

Permissive

auto-run

EDIT · users.ts

ran

◐

Standard

approve once

EDIT · users.ts

Approve ↩Reject

◑

Strict

approve each

READ · users.ts

Approve ↩Reject

●

Paranoid

type to confirm

rm -rf node_modules

type "delete"

Defense-in-depth

What the agent can never read.

.env*

Every dotenv variant. Custom patterns on Pro+.

.ssh/*

Every SSH key. Hard wall — no partial reads.

credentials*

AWS · gcloud · GitHub. Canonical cloud-CLI paths.

vault.yaml

Vault · *.kubeconfig · /secrets/. Common deployment paths.

Enterprise · Gov

Sovereignty, compliance, audit pack.

Customer-rooted issuer

Your Ed25519 key signs licenses. We can't revoke.

FIPS 140-3

Allowlist evaluator restricts to FIPS primitives.

PIV / CAC

X.509 + challenge. U.S. federal smart-card flow.

Air-gap

Local-only AI · offline issuer · manual updates.

SAML + SCIM

Full XML-DSig verify. Standards-compliant SSO.

SBOM + SOC 2

Signed CycloneDX 1.5 · NDA pack in <5 days.

Security as a feature.

Read SECURITY.md Report a vuln ↗