Security Architecture
Six enforcement layers between AI intent and real-world execution. Each layer operates independently. Failure of one does not compromise the others.
Enforcement Layers
Budget Circuit Breaker
lib/budget-gate.ts: Hard deny when a tenant hits its dollar, request, or token threshold. No exception path.
Rate/Loop Breaker
lib/rate-gate.ts: Detects repeated proposals and runaway loops by tracking payload hashes.
Egress Secret/PII Gate
lib/egress-gate.ts: Scans outbound payloads for API keys, credentials, SSNs, credit card numbers, and bulk PII.
Policy Enforcer
lib/policy-enforcer.ts: Deterministic rule evaluation against the tenant policy manifest. Pure function, no side effects.
Secure Executor
lib/secure-executor.ts: The only pathway for side effects. Enforces idempotency and logs to the hash-linked ledger.
DB Write Guard
lib/db-guard.ts: Prisma middleware that blocks writes issued outside an authorized SecureExecutor context.
Threat Model Coverage
| Threat | Mitigation |
|---|---|
| Runaway Agent Loop | Loop detection via payload hash + auto-lockdown |
| Budget Exhaustion | Pre-execution budget check + hard deny |
| PII Exfiltration | Egress scanning + CRITICAL severity block |
| Credential Leakage | API key pattern detection in all payloads |
| Audit Log Tampering | SHA-256 hash chain + replay verification |
| Policy Bypass | Single gate architecture + DB write guard |
| Double Execution | UNIQUE constraint + idempotency check |
| Insider Manipulation | Lockdown audit trail + role separation |
Tamper-Evident Hash Chain
Every PolicyProposal, PolicyDecision, and PolicyExecution record includes:
```
{
  "prevHash": "sha256(previousRecord)",
  "hash": "sha256(id + type + payload + prevHash)"
}
```

Any manual database edit breaks the chain:

```
verifyChain(records) → ❌ INTEGRITY_VIOLATION
```

The replay endpoint can re-run any historical decision against the policy version that produced it, proving consistency and detecting any drift or tampering.