Physically Unavoidable. Zero Trust.
Autonomous agents execute arbitrary code, make HTTP requests, and chain tool calls in a ReAct loop. The LLM driving them is untrusted. Every security boundary in this architecture is physically unavoidable. Enforcement happens at layers that code cannot bypass.
Defense-in-Depth Status
All boundaries active
Defense in Depth. By Design.
Independent security boundaries that compose on every request. Each enforced at a layer that application code cannot bypass: kernel firewall rules, network-level proxies, in-process memory isolation, cryptographic authentication. More are added with every release.
Credential Broker
Worker ProcessThe LLM never sees real tokens. Opaque handles replace OAuth credentials in the context window. Cryptographically random, time-bounded, scoped to a single agent run. The real token is injected at HTTP request time and never returned. Handles are revoked automatically when the run ends. A compromised LLM has nothing to extract.
Egress Policy
Worker ProcessMethod-aware URL validation. GET requests reach any public host. Write operations (POST, PUT, PATCH, DELETE) are restricted to approved integration hosts only. The approved set is built from the agent's active integrations. HTTPS enforced on all writes. Write requests never follow redirects. Redirect-based SSRF: eliminated.
DNS Rebinding Defense
Worker ProcessDNS resolution, IP validation, and TCP connection happen in one atomic step at the network stack. Zero time-of-check-to-time-of-use gap. Every resolved IP is checked against private, loopback, link-local, and reserved ranges. Unresolvable hostnames are blocked. Punycode and IDN homograph attacks are caught through normalization.
Egress Proxy
Exec ContainerNetwork-level proxy on an isolated Docker network. Kernel-level iptables rules block all external traffic from execution containers. The proxy is the only path out. Write operations denied from all containers. Encrypted tunneling restricted to package repositories. Proxy goes down? Zero internet access. Not degraded. Zero.
Token Scrubbing
Worker ProcessPattern-matching scrubber runs at every output boundary: LLM context, event stream, audit log, tool history, and error messages. Catches OAuth tokens, provider API keys, JWTs, and internal handles across all major providers. Pure function with bounded recursion. Cannot crash. Cannot introduce failures.
WebSocket Auth
API ServerAuthentication token required before connection acceptance. Signature and expiry verified. Organization ownership checked against the database. One organization's token cannot access another organization's conversations. Write operations route through message queues. No direct process access from the socket layer.
Container Hardening
Exec ContainerNon-root execution. All Linux capabilities dropped. Privilege escalation blocked at the kernel level. Read-only root filesystem with ephemeral scratch space. Per-organization containers with organization-specific folder mounts only. Memory and CPU limits enforced. Cross-organization file access: physically impossible.
Defense That Composes.
An agent writes to an external calendar API. Multiple boundaries activate in sequence. No single boundary is responsible for security. They compose.
Egress Policy
Validate outbound request
Approved integration host. HTTPS enforced.
Credential Broker
Resolve credentials for integration
Opaque handle issued. Real token stays in memory.
DNS Rebinding Defense
Validate all resolved IPs at connection time
All IPs public. Atomic resolve-validate-connect.
Authenticated Request
Real token injected at request time only
Response received. Token never in return value.
Token Scrubbing
Scrub all output channels
Patterns matched. Clean result to LLM context.
Locked Down. Fail Closed.
Every execution container ships with 6 hardening layers. And when any security component is missing, production refuses to start. Graceful degradation in security is a vulnerability.
Container Hardening
Agents execute arbitrary Python inside Docker containers. Each container gets 6 hardening layers. Per-org containers make cross-organization file access physically impossible.
Production Refuses to Run Insecure
A single environment flag separates dev from production. In production, missing security components cause hard errors. Not warnings. Not fallbacks. The system does not start.
Default secret key
Missing encryption key
Missing credential broker
Missing egress policy
Egress proxy down
Missing auth token
Technical Specifications
- Security model
- Defense-in-depth, composable, expanding
- Boundaries per request
- Multiple activate in sequence
- Token scrubbing
- Every output boundary, all major providers
- Credential handles
- Time-bounded, auto-renewed, run-scoped
- Egress control
- Method-aware, per-integration host approval
- Container privileges
- Non-root, zero capabilities, no escalation
- Container filesystem
- Read-only root, ephemeral scratch
- Network isolation
- Kernel-level iptables enforcement
- Encryption at rest
- AES-256
- Encryption in transit
- TLS 1.2+ (1.0 and 1.1 disabled)
- Security headers
- HSTS, X-Frame-Options, X-Content-Type-Options
- Production startup
- Hard crash on insecure defaults
- Token refresh
- Distributed lock, crash-safe
- Dev/prod toggle
- Single environment variable
Security Deep Dives
One thesis: security that scales with autonomy must be structural, countable, and physically unavoidable.
Every layer between your data and everything else.
Deploy on your machine. Keep your keys. Control every folder, every connection, every credential. Nothing leaves unless you allow it.