Zero Trust for AI Agents.
Ephemeral grants. Capability security. libkrun microVM isolation. Scoped filesystem access. Signed delegation. Audit logs. Receipts. Replay. Every agent action has a boundary and a record — built into the runtime, not bolted on as policy.
explicit authority · no ambient trust
Four zones. Each one earns access from the next.
Defense in depth as concentric boundaries — untrusted callers on the outside, workspace files in the center. Nothing crosses a boundary by accident.
callers — browsers, MCP clients, other agents
org auth, service identity, rate limits, audit log
managed agent process — no host creds, no broad fs
files reached only via signed grants
Eight zero-trust layers around every run.
Ephemeral grants
Ed25519-signed, audience-bound, time-limited. Constrained to file patterns and output prefixes. Expire by default.
Capability security
No ambient authority. Agents hold capabilities they were granted — never inherit the caller's full power.
Runtime isolation
libkrun microVM per run. Hardware boundary between agent code and host. Not a container, not a chroot.
Scoped FS access
Workspace clients enforce file patterns. No ambient filesystem. No directory traversal.
Signed delegation
Every agent-to-agent handoff carries a signed grant. Authority is provable, not assumed.
Audit logs
Every decision, grant, file op, and tool call recorded. Tamper-evident, queryable.
Receipts
Per-run receipts: inputs, grants, results, artifacts, evals, reviews. Cryptographically tied to the run.
Replay
Deterministic re-execution from the receipt. Same inputs, same grants, same outputs.
Sign once. Verify every call.
Each grant is a small signed token — audience-bound, path-filtered, time-limited. The runtime verifies six checks before any file op. Forged or stale tokens never reach the workspace.
Caller declares scope on the call site. Runtime constructs a minimal grant.
ctx.call(
"rfp-responder",
"draft",
args={...},
files=["rfp/*.pdf"],
outputs_prefix="rfp/draft/",
ttl="1h",
)Platform key signs the payload. Token is opaque to caller and callee.
{
"aud": "rfp-responder@svc",
"paths": ["rfp/*.pdf"],
"outputs": "rfp/draft/",
"exp": 1748137200,
"iat": 1748133600,
"jti": "grt_01HW2C…"
}Six checks run on every file op — not just at task start.
- signature valided25519 over header.payload
- audience matchescallee identity = aud
- not expirednow < exp
- path in globrequest matches paths[*]
- outputs prefix enforcedwrites must start with outputs/
- single-use guardjti not in revocation list
Returns 401. Audit event. No workspace touch.
Returns 403. File op never reaches the workspace client.
Returns 401. Callee can request_scope() for a fresh grant.
Agents can ask for more. Humans decide.
A specialist needs files the planner didn't grant. It opens an approval request mid-task. A human approves in the dashboard; the runtime rotates the grant; the receipt records both scopes. Authority expands explicitly — never silently.
Most agent failures are over-broad authority. Scope expansion turns the failure mode into a deliberate, human-witnessed, receipt-anchored event.
Proof is a security primitive.
A run receipt connects who called, what authority it had, which files it touched, what it produced, how it was evaluated, whether a human reviewed. Agent output becomes inspectable and reproducible.
Receipts link. Trust compounds.
Every receipt links eight pieces of evidence — identity, intent, authority, files, output, eval, review, replay. Each one signed and content-addressed. The chain is the audit.
Every block is content-addressed and signed. Mutating any field invalidates the chain. Auditors verify by replaying the receipt against the original inputs — same hash, same output, same score.
Built for serious production review.
The platform is explicit about security work that matters for enterprise deployments: tenant isolation, grant signing, sandbox validation, secret rotation, audit surfaces.