Security model

Trust & Security

What we trust. What we don't. Why this architecture prevents unauthorized agent actions.

Threat model

Nothing above the gateway is trusted.

The security perimeter begins at the Execution Gateway. Everything above it — the LLM, the agent framework, the SDK adapter — is treated as potentially compromised.

LLM
May hallucinate tool calls or parameters
UNTRUSTED
Agent Framework (LangChain)
May be buggy, may pass malformed invocations
UNTRUSTED
Mandate SDK / Adapter
Intercepts but does not evaluate — relays only
UNTRUSTED
━━ SECURITY PERIMETER ━━
Execution Gateway
Authenticated entry point, enforces no-bypass rule
TRUSTED
Control Plane (Policy, Identity, Approvals)
Sole authority for governance decisions
TRUSTED
Receipt Engine → Walrus
Content-addressed, append-only audit store
TRUSTED FOR IMMUTABILITY
Component invariants

Every component has invariants.

Execution Gateway

MUST

  • Receive ExecutionRequest from adapters
  • Authenticate agent using JWT/API key
  • Validate ExecutionRequest contract
  • Forward to Control Plane for policy evaluation
  • Hold execution until response received
  • Execute tool only on APPROVED decision

MUST NEVER

  • Evaluate policies itself
  • Store receipts directly
  • Authenticate users (not agents)
  • Make governance decisions
  • Allow tool execution without Control Plane decision

Policy Engine (OPA)

MUST

  • Evaluate every request against Rego policies
  • Return: APPROVED | DENIED | REQUIRE_APPROVAL
  • Reference matching policy rule in response
  • Complete evaluation within P95 < 5ms

MUST NEVER

  • Execute tools directly
  • Store receipts
  • Communicate directly with adapters
  • Cache decisions across agents

Approval Engine

MUST

  • Queue REQUIRE_APPROVAL requests for review
  • Surface full execution context to Console
  • Enforce timeout with default-deny
  • Return final decision to Gateway

MUST NEVER

  • Auto-approve any action
  • Modify request parameters
  • Extend its own timeout

Receipt Engine

MUST

  • Generate signed receipt for every terminal state
  • Include: execution_id, agent_id, tool, decision, timestamp
  • Store to Walrus (content-addressed)
  • Produce externally verifiable receipts

MUST NEVER

  • Modify or delete receipts
  • Generate receipt before terminal state
  • Skip receipt generation for any reason

Failure domains & deterministic behavior

Control Plane unreachableFail closed — execution blocked
Policy Engine failsFail closed — execution blocked
PostgreSQL failsReject execution (cannot read agent state)
Walrus unavailableQueue to PostgreSQL, retry async. Execution NOT blocked.
Adapter failsAgent execution fails at source. No gateway impact.
Network timeoutAdapter raises governed exception. No partial state.

Core principle: Every subsystem has a deterministic failure behavior. If the Control Plane is unreachable, execution fails closed — blocked, not open.

See the gate hold.

The console shows every decision live — approved, denied, held for a human, sealed to a receipt.