Explicit authority. No ambient trust.
Every agent action has a boundary and a record. Service identity, scoped grants, sandboxed execution, persistent workspaces, approval points, auditable receipts — built in.
Four zones. Each one earns access from the next.
Defense in depth as concentric boundaries — untrusted callers on the outside, workspace files in the center. Nothing crosses a boundary by accident.
Outermost to innermost:
- callers: browsers, MCP clients, other agents
- org auth, service identity, rate limits, audit log
- managed agent process: no host creds, no broad fs
- workspace files: reached only via signed grants
Eight layers around every run.
- User auth: Dashboard and API use account identity, org context, token sessions.
- Agent auth: Each hosted agent has a service identity and a runtime API boundary for platform calls.
- Scoped grants: HMAC-signed, audience-bound, time-limited, constrained to file patterns and output prefixes.
- Sandbox runtime: Code execution isolated behind a hardened runtime boundary, not broad application authority.
- Workspace storage: Files and artifacts in object storage. Agents reach them only through workspace clients.
- Approvals: Agents request expanded scope or sensitive actions; humans approve before authority changes.
- Proof trail: Receipts can include input hashes, grants, results, artifacts, file ops, scores, review notes.
- Release trail: Managed deploys preserve version, release, config, runtime history.
Sign once. Verify every call.
Each grant is a small signed token — audience-bound, path-filtered, time-limited. The runtime verifies six checks before any file op. Forged or stale tokens never reach the workspace.
Caller declares scope at the call site. Runtime constructs a minimal grant.

```python
ctx.call(
    "rfp-responder",
    "draft",
    args={...},
    files=["rfp/*.pdf"],
    outputs_prefix="rfp/draft/",
    ttl="1h",
)
```

Platform key signs the payload. Token is opaque to caller and callee.

```json
{
  "aud": "rfp-responder@svc",
  "paths": ["rfp/*.pdf"],
  "outputs": "rfp/draft/",
  "exp": 1748137200,
  "iat": 1748133600,
  "jti": "grt_01HW2C…"
}
```

Six checks run on every file op, not just at task start.
- signature valid: hmac-sha256 over header.payload
- audience matches: callee identity = aud
- not expired: now < exp
- path in glob: request matches paths[*]
- outputs prefix enforced: writes must start with the outputs prefix
- single-use guard: jti not in revocation list
When a check fails:
- Forged token: returns 401. Audit event. No workspace touch.
- Path outside the grant: returns 403. File op never reaches the workspace client.
- Stale token: returns 401. Callee can request_scope() for a fresh grant.
Agents can ask for more. Humans decide.
A specialist needs files the planner didn't grant. It opens an approval request mid-task. A human approves in the dashboard; the runtime rotates the grant; the receipt records both scopes. Authority expands explicitly — never silently.
Most agent failures are over-broad authority. Scope expansion turns the failure mode into a deliberate, human-witnessed, receipt-anchored event.
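The grant flow described above (mint from declared scope, six checks on every file op, rotation when a human approves wider scope) as a worked example. This is added illustrative code, not the platform's implementation: the token encoding (base64url header.payload.signature with HMAC-SHA256), the names mint_grant, check_file_op and rotate_grant, the 401 returned for a revoked jti, and the demo key are all assumptions. It also tightens two things the checklist leaves implicit: paths are normalized so `..` cannot escape the workspace, and `*` in a grant glob does not cross directory boundaries.

```python
import base64
import hashlib
import hmac
import json
import posixpath
import re
import secrets

# Constructed demo secret. Assumption: only the platform holds it; callers and callees never see it.
PLATFORM_KEY = b"constructed-demo-key-not-a-real-secret"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _canon(obj) -> bytes:
    # Canonical JSON so the signed bytes do not depend on dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def mint_grant(key, aud, paths, outputs, ttl_s, now, jti=None):
    """Platform side: the caller's declared scope becomes a minimal signed grant (header.payload.sig)."""
    header = {"alg": "HS256", "typ": "grant"}
    payload = {"aud": aud, "paths": list(paths), "outputs": outputs,
               "exp": now + ttl_s, "iat": now, "jti": jti or "grt_" + secrets.token_hex(8)}
    signing_input = _b64(_canon(header)) + "." + _b64(_canon(payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def _verify_signature(token, key):
    """Check 1: HMAC-SHA256 over header.payload. Returns the payload, or None if malformed or forged."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    try:
        expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(s64)):  # constant-time compare
            return None
        return json.loads(_unb64(p64))
    except ValueError:  # bad base64 or bad JSON is treated as forged, not as an error to debug
        return None

def _glob_match(pattern, path):
    # '*' and '?' stay inside one path segment (fnmatch's '*' would cross '/'); only '**' spans directories.
    rx, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            rx, i = rx + ".*", i + 2
        elif pattern[i] in "*?":
            rx, i = rx + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            rx, i = rx + re.escape(pattern[i]), i + 1
    return re.fullmatch(rx, path) is not None

def _normalize(path):
    # Collapse '.' and '..' before matching; refuse anything that would escape the workspace root.
    norm = posixpath.normpath(path)
    if path.startswith("/") or norm == ".." or norm.startswith("../"):
        return None
    return norm

def check_file_op(token, key, callee, op, path, now, revoked):
    """Runtime side: the six checks, run on every read/write rather than once per task.
    Returns (http_status, reason); 200 means the op may reach the workspace client."""
    grant = _verify_signature(token, key)
    if grant is None:
        return 401, "bad signature"                   # 1. audit event; workspace never touched
    if grant["aud"] != callee:
        return 401, "audience mismatch"               # 2. callee identity must equal aud
    if not now < grant["exp"]:
        return 401, "expired"                         # 3. callee may request a fresh grant
    if grant["jti"] in revoked:
        return 401, "revoked jti"                     # 6. the 401 here is an assumption
    norm = _normalize(path)
    if norm is None:
        return 403, "path escapes workspace"
    if op == "read" and not any(_glob_match(g, norm) for g in grant["paths"]):
        return 403, "path not in grant"               # 4. request must match paths[*]
    if op == "write" and not norm.startswith(grant["outputs"]):
        return 403, "write outside outputs prefix"    # 5. writes start with the outputs prefix
    if op not in ("read", "write"):
        return 403, "unknown op"
    return 200, "allowed"

def rotate_grant(old_token, key, extra_paths, approved_by, now, ttl_s, revoked, jti=None):
    """Approval path: a human approved wider scope, so the old jti is revoked and a wider grant
    minted. The returned record carries both scopes so the run receipt can show the expansion."""
    old = _verify_signature(old_token, key)
    if old is None:
        raise ValueError("refusing to rotate a token the platform did not sign")
    revoked.add(old["jti"])
    new_paths = sorted(set(old["paths"]) | set(extra_paths))
    new_token = mint_grant(key, old["aud"], new_paths, old["outputs"], ttl_s, now, jti)
    new_jti = json.loads(_unb64(new_token.split(".")[1]))["jti"]
    record = {"event": "scope_expanded", "approved_by": approved_by, "at": now,
              "before": {"jti": old["jti"], "paths": old["paths"]},
              "after": {"jti": new_jti, "paths": new_paths}}
    return new_token, record
```

Reads are governed by the path globs and writes by the outputs prefix, which is why the page's example grant can read `rfp/*.pdf` and write under `rfp/draft/` without the write paths having to match the read glob. The revocation check is what makes rotation safe: once a wider grant is minted the narrower one is dead, so a stale copy held by the callee cannot be replayed.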
Proof is a security primitive.
A run receipt connects who called, what authority it had, which files it touched, what it produced, how it was evaluated, whether a human reviewed. Agent output becomes inspectable and reproducible.
- Agent name, version, card hash, image, endpoint.
- Skill name, args preview, status, elapsed time, result preview.
- Grant identity, file access scope, output paths, file ops.
- Events, artifacts, eval scores, replay data, review notes.
Receipts link. Trust compounds.
Every receipt links eight pieces of evidence — identity, intent, authority, files, output, eval, review, replay. Each one signed and content-addressed. The chain is the audit.
Every block is content-addressed and signed. Mutating any field invalidates the chain. Auditors verify by replaying the receipt against the original inputs — same hash, same output, same score.
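The linked receipt described above, as an added example rather than the platform's own receipt format. Each of the eight evidence blocks is content-addressed (SHA-256 over canonical JSON), signed, and carries the previous block's address; the verifier recomputes every address and signature and walks the links, and a replay check compares fresh input and output hashes against what the receipt recorded. The field names inside each block, the HMAC-based signature, the demo key and the sample run data are all assumptions constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: the platform signs receipts; a real deployment would likely
# use an asymmetric key so auditors can verify without holding the signing secret.
RECEIPT_KEY = b"constructed-demo-receipt-key"
EVIDENCE_ORDER = ["identity", "intent", "authority", "files", "output", "eval", "review", "replay"]

# Constructed sample run input and output for the demo.
SAMPLE_INPUT = b"%PDF-1.4 constructed RFP text: deliver within 30 days"
SAMPLE_OUTPUT = b"# Draft response\nWe commit to a 30-day delivery.\n"

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _address(body) -> str:
    # Content address: the block is named by the hash of its canonical bytes.
    return "sha256:" + hashlib.sha256(_canon(body)).hexdigest()

def sample_evidence() -> dict:
    """Constructed evidence for one run, grouped the way the page lists receipt fields."""
    return {
        "identity": {"agent": "rfp-responder", "version": "1.4.2",
                     "card_sha256": hashlib.sha256(b"constructed agent card").hexdigest(),
                     "image": "registry.example/rfp-responder:1.4.2", "endpoint": "https://agents.example/rfp"},
        "intent": {"skill": "draft", "args_preview": "{'tone': 'formal'}",
                   "input_sha256": hashlib.sha256(SAMPLE_INPUT).hexdigest()},
        "authority": {"grant_jti": "grt_test1", "paths": ["rfp/*.pdf"], "outputs": "rfp/draft/"},
        "files": {"ops": [["read", "rfp/q1.pdf"], ["write", "rfp/draft/answer.md"]]},
        "output": {"artifact": "rfp/draft/answer.md",
                   "artifact_sha256": hashlib.sha256(SAMPLE_OUTPUT).hexdigest()},
        "eval": {"score": 0.87, "rubric": "completeness-v1"},
        "review": {"reviewer": "alice@example.com", "note": "approved with edits"},
        "replay": {"seed": 7, "runtime_image_sha256": hashlib.sha256(b"constructed runtime image").hexdigest()},
    }

def build_receipt(evidence, key):
    """Chain the eight blocks in fixed order. Each block carries the previous block's address,
    its own address, and a signature over that address (which already commits to prev and data)."""
    if set(evidence) != set(EVIDENCE_ORDER):
        raise ValueError("a receipt needs exactly the eight evidence kinds")
    chain, prev = [], None
    for kind in EVIDENCE_ORDER:
        body = {"kind": kind, "prev": prev, "data": evidence[kind]}
        addr = _address(body)
        sig = hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()
        chain.append({"body": body, "addr": addr, "sig": sig})
        prev = addr
    return chain

def verify_receipt(chain, key):
    """Auditor side: recompute every address and signature and check each link.
    Returns (ok, detail) and names the first block that fails."""
    prev = None
    for i, block in enumerate(chain):
        body = block["body"]
        label = f"block {i} ({body.get('kind')})"
        if body.get("prev") != prev:
            return False, f"{label}: broken link"
        addr = _address(body)
        if addr != block["addr"]:
            return False, f"{label}: content does not match address"
        expected = hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, block["sig"]):
            return False, f"{label}: bad signature"
        prev = addr
    if [b["body"]["kind"] for b in chain] != EVIDENCE_ORDER:
        return False, "evidence missing or out of order"
    return True, "chain intact"

def replay_matches(chain, inputs, rerun_output, rerun_score):
    """Replay check: same input hash, same output hash, same score as the receipt recorded."""
    data = {b["body"]["kind"]: b["body"]["data"] for b in chain}
    return (data["intent"]["input_sha256"] == hashlib.sha256(inputs).hexdigest()
            and data["output"]["artifact_sha256"] == hashlib.sha256(rerun_output).hexdigest()
            and data["eval"]["score"] == rerun_score)

def tamper(chain, kind, field, value, recompute_addr=False):
    """Return a copy of the chain with one data field altered, for the negative check."""
    altered = json.loads(json.dumps(chain))
    for block in altered:
        if block["body"]["kind"] == kind:
            block["body"]["data"][field] = value
            if recompute_addr:  # someone without the key can rename the block but cannot re-sign it
                block["addr"] = _address(block["body"])
    return altered
```

Two failure modes are worth distinguishing when reading verify_receipt's output: editing a field without touching its address fails the content check, while editing the field and recomputing the address fails the signature check (and, for any block but the last, the next block's link as well). Dropping a block leaves a chain that is internally consistent but short, which is why the verifier also insists on the full ordered set of evidence kinds.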
Built for serious production review.
The platform is explicit about security work that matters for enterprise deployments: tenant isolation, grant signing, sandbox validation, secret rotation, audit surfaces.