Security model
Trust & Security
What we trust. What we don't. Why this architecture prevents unauthorized agent actions.
Threat model
Nothing above the gateway is trusted.
The security perimeter begins at the Execution Gateway. Everything above it — the LLM, the agent framework, the SDK adapter — is treated as potentially compromised.
LLM
May hallucinate tool calls or parameters
Agent Framework (LangChain)
May be buggy, may pass malformed invocations
Mandate SDK / Adapter
Intercepts but does not evaluate — relays only
━━ SECURITY PERIMETER ━━
Execution Gateway
Authenticated entry point, enforces no-bypass rule
Control Plane (Policy, Identity, Approvals)
Sole authority for governance decisions
Receipt Engine → Walrus
Content-addressed, append-only audit store
Component invariants
Every component has invariants.
Execution Gateway
MUST
- • Receive ExecutionRequest from adapters
- • Authenticate agent using JWT/API key
- • Validate ExecutionRequest contract
- • Forward to Control Plane for policy evaluation
- • Hold execution until response received
- • Execute tool only on APPROVED decision
MUST NEVER
- • Evaluate policies itself
- • Store receipts directly
- • Authenticate users (not agents)
- • Make governance decisions
- • Allow tool execution without Control Plane decision
Policy Engine (OPA)
MUST
- • Evaluate every request against Rego policies
- • Return: APPROVED | DENIED | REQUIRE_APPROVAL
- • Reference matching policy rule in response
- • Complete evaluation within P95 < 5ms
MUST NEVER
- • Execute tools directly
- • Store receipts
- • Communicate directly with adapters
- • Cache decisions across agents
Approval Engine
MUST
- • Queue REQUIRE_APPROVAL requests for review
- • Surface full execution context to Console
- • Enforce timeout with default-deny
- • Return final decision to Gateway
MUST NEVER
- • Auto-approve any action
- • Modify request parameters
- • Extend its own timeout
Receipt Engine
MUST
- • Generate signed receipt for every terminal state
- • Include: execution_id, agent_id, tool, decision, timestamp
- • Store to Walrus (content-addressed)
- • Produce externally verifiable receipts
MUST NEVER
- • Modify or delete receipts
- • Generate receipt before terminal state
- • Skip receipt generation for any reason
Failure domains & deterministic behavior
Control Plane unreachableFail closed — execution blocked
Policy Engine failsFail closed — execution blocked
PostgreSQL failsReject execution (cannot read agent state)
Walrus unavailableQueue to PostgreSQL, retry async. Execution NOT blocked.
Adapter failsAgent execution fails at source. No gateway impact.
Network timeoutAdapter raises governed exception. No partial state.
Core principle: Every subsystem has a deterministic failure behavior. If the Control Plane is unreachable, execution fails closed — blocked, not open.
See the gate hold.
The console shows every decision live — approved, denied, held for a human, sealed to a receipt.