Security engineered in. Not bolted on.

Protects against: Prompt injection & jailbreaks

A semantic scoring engine weighs jailbreak phrasing, role markers, dangerous commands, secret formats, prompt-extraction and credential-logging attempts. Typoglycemia detection catches scrambled-letter evasion; code-block exclusion avoids false positives. Three risk levels (low/medium/high) with configurable actions: pass, warn, reinforce, or block.

Protects against: Secret leakage & data exfiltration

Scans every LLM response for 15 secret patterns (AWS keys, bearer tokens, JWTs, database connection strings), canary token leakage, and system prompt extraction attempts. Critical findings are redacted as [REDACTED] before delivery.

Protects against: Indirect prompt injection

All external content (web fetches, API responses, emails, webhooks) is wrapped in randomized 24-hex-char security delimiters with an explicit warning header. The LLM sees clear boundaries between trusted instructions and untrusted content.

Protects against: Invisible character injection

Strips 15+ categories of invisible Unicode characters (U+200B-200F, U+2060, FEFF, U+00AD, tag block U+E0000-E007F) while preserving legitimate flag emoji. Prevents hidden instruction embedding.

Protects against: Repeated injection attempts

Per-user sliding 5-minute window with progressive thresholds: warn at 3 detections, audit at 5. TTL-based eviction with 10K entry cap to prevent memory exhaustion.

Protects against: Credential exposure

AES-256-GCM encryption at rest with HKDF-SHA256 key derivation and per-encryption random salts. Defensive snapshot of environment at creation - no mutation tracking. No enumeration API. Diagnostic errors include the missing key name but never the value.

Protects against: Cross-agent credential access

Per-agent glob-pattern filtering (e.g., OPENAI_*, ANTHROPIC_*). Decorator pattern: indistinguishable from plain SecretManager. Audit events (secret:accessed) log every access attempt with success/denied/not_found outcomes.

Protects against: API key exposure via agentic CLIs

Works for API-key CLIs - Claude Code included. The real key stays in the daemon's AES-256-GCM encrypted store and is resolved per request by the in-daemon HTTPS broker. The CLI runs with a placeholder; the broker terminates TLS with its own CA, verifies the single-use proxy token, and injects the real credential for allow-listed hosts (`x-api-key`, `Authorization: Bearer`, or query param). On supported Linux hosts, broker-only network mode prevents direct egress from credentialed sandboxes. Broker failures stop before upstream forwarding: bad token -> 407, no binding -> 403, missing secret -> 502. Every inject, deny, and blocked-egress event is audited with `agentId` and `traceId`.

Protects against: Secrets in logs

Three layers deep: Pino fast-redact for structured fields, a regex-based sanitizer for free-text credential detection, and ReDoS mitigation with a 1MB input cap. Defense-in-depth - any single layer failing doesn't expose secrets.

Protects against: Server-side request forgery

DNS-pinned URL validation before every outbound fetch. Blocks private RFC 1918 ranges, loopback, link-local, and explicitly blocks cloud metadata IPs (169.254.169.254 for AWS/GCP/Azure, 100.100.100.200 for Alibaba). HTTP/HTTPS only.

Protects against: Filesystem escape & host compromise

Sandboxed filesystem isolation for shell commands where the host supports it. Linux uses bubblewrap (bwrap) with full namespace unsharing (mount, PID, user, cgroup, IPC). macOS uses sandbox-exec with SBPL deny-default profiles where available. Agents can be limited to their own workspace, with package manager caches redirected into that workspace and process tree kill cascades via --die-with-parent.

Protects against: Unauthorized tool access

Named profiles (minimal, coding, messaging, supervisor, full) with group-based expansion. Per-agent allow/deny lists. The minimal profile exposes only exec, read, write - no memory, no web, no messaging.

Protects against: Unsupervised destructive actions

In-memory request queue with configurable timeouts. Dual caching: approval cache (30s) and denial cache (60s) with mutual invalidation. Batch parallel requests join existing pending entries. Graceful shutdown denies all pending.

Protects against: Memory poisoning via indirect injection

Three trust levels: system (platform-injected, highest), learned (from conversation), external (from tools/APIs/web, lowest). Low-trust sources can't overwrite high-trust memories. Provenance tracking records who stored each entry, from which channel, at which trust level.

Protects against: Dangerous patterns persisted in memory

Every memory entry passes through a security scan before storage. Blocks injection patterns, encoded payloads, and instruction-like content from being persisted where it could later surface via RAG retrieval and influence agent behavior.

Protects against: Poisoned memories surfacing in retrieval

RAG retrieval excludes external-trust memories by default. Only system and learned memories are returned unless explicitly requested. Prevents low-trust content from web scrapes, API responses, or tool outputs from influencing agent reasoning through semantic search.

Protects against: System prompt extraction

Deterministic per-session HMAC-SHA256 tokens (CTKN_{16 hex chars}) injected into the system prompt. If the token appears in a response, the OutputGuard detects leakage and redacts it. Proves the LLM was tricked into revealing system instructions.

Protects against: Unauthorized API access via token guessing

Timing-safe bearer token comparison using crypto.timingSafeEqual. Eliminates timing side channels that could leak token bytes through response latency differences. All API endpoints require authentication by default.

Protects against: Unauthorized client connections

Mutual TLS certificate validation with Common Name (CN) extraction for client identity. Establishes cryptographic client identity at the transport layer before any application logic executes.

Protects against: Forged webhook deliveries

HMAC-SHA256/384/512 signature verification on all incoming webhooks. Timestamp freshness checks with a 5-minute replay window prevent captured webhook payloads from being replayed later.

Protects against: Runaway LLM costs

Three-tier token budgets (per-execution, per-hour, per-day) checked before the LLM call, not after. A prompt injection that tries to exhaust your API budget is stopped before it costs anything. Context window guard blocks at 95% utilization.

Protects against: Cascading provider failures

Three-state machine (closed/open/halfOpen) per model and provider. Tracks consecutive failures and latency. When open, returns a fallback response immediately instead of propagating the failure. Automatic recovery via half-open probes.

Protects against: Indirect injection via tool results

Normalizes NFKC Unicode, strips invisible characters, detects instruction-like patterns in tool output, and truncates oversized results at newline boundaries (50K char default). Catches injection attempts that arrive through tool results rather than user input.

Protects against: Malicious skills loaded at runtime

Every skill is screened before it can run. 18 rules cover exec injection, exfiltration, and XML breakout, applied at skill-load time. This is the canonical 18 - it belongs to the content scanner.

Protects against: Known-bad third-party tool servers

MCP packages are checked against the OSV malware database before they ever spawn for the first time. A flagged package never starts.

Protects against: Insecure code patterns reaching main

Named bans block insecure patterns in CI before merge: no path.join, no process.env, no eval/new Function, no swallowed errors - backed by architecture-as-tests that fail the build on regression.

Protects against: Unsupervised or unrecognized destructive actions

Destructive actions pause for HMAC-signed operator approval via chat buttons. Unknown action types classify as destructive and fail closed - the default is to stop and ask, never to assume an unrecognized action is safe.