trust posture · 2026-05-11

Security that an auditor can read.

Plain-language posture statement. We tell you which primitives we use, where they live, what we store, and what we don’t. If something is missing here, assume the answer is “not yet”.

six pillars

What we built into the runtime.

Credentials never leave the broker.

Agents receive UCANs scoped to one action, one resource, one minute. The actual OAuth bearer is held by the PDP and used only for the authorized upstream call.

Policy is enforced before the call.

Cedar policies run on every request. The PDP refuses to mint a UCAN if any active policy denies. Visual edits round-trip through the parser before save — no drift.

Step-up by default for high-stakes actions.

Two-pass detection in the Cedar engine flags risky calls. Nomos pushes a passkey prompt; only an authenticator-signed cosigner UCAN can release the action.

Every decision is replayable.

Hash-chained audit_events; daily Ed25519-signed roots; a Cloudflare R2 Parquet archive on a 7-year lifecycle; an open-source CLI verifier you can run offline.

Multi-tenant by construction.

Every Drizzle query in tenant-scoped code is filtered on customer_id. A cross-tenant integration test runs in every CI run and fails loudly if the invariant breaks.

Encrypted secrets at rest.

OAuth refresh tokens are encrypted with XChaCha20-Poly1305. Encryption keys live in env, separate from the DB credentials; the Ed25519 keys used for the daily audit signing live in env too.

crypto stack

What does what.

Every cryptographic operation goes through @auto-nomos/crypto, a thin wrapper around audited libraries from the @noble family. We never invent crypto.

surface · primitive · implementation

  • UCAN delegation · EdDSA (Ed25519) over @noble/ed25519 · @auto-nomos/crypto
  • Token encryption · XChaCha20-Poly1305 via @noble/ciphers · OAUTH_TOKEN_ENCRYPTION_KEY env
  • Audit signing · Ed25519 signature over canonicalized chain head · AUDIT_SIGN_KEY env
  • Step-up cosigner · WebAuthn assertion → cosigner UCAN · browser authenticator
  • Random IDs · crypto.randomUUID via @noble fallback · @auto-nomos/crypto
  • Hash chain · SHA-256 over canonicalized payload + prev hash · audit_events.hash column

threat model

What we defend against.

Compromised agent / prompt injection.

A poisoned prompt convinces the agent to do something risky. Nomos denies the call at the policy gate; the agent never had a usable token in the first place. Step-up forces a human-in-the-loop on high-stakes actions even if the agent insists.

Credential exfiltration via responses.

Some upstream APIs leak tokens or secrets in responses (think GitHub PATs in webhook payloads). The PDP runs a response sanitizer that redacts known secret formats and zero-width Unicode before the agent sees the body.

Tampered audit log.

An attacker with DB access tries to redact a row. The hash chain breaks, the daily signed root won't validate, and the verifier CLI raises. All audit rows are additionally archived to R2, out of band, with a 7-year lifecycle.

Cross-tenant leakage.

A bug in a query forgets to filter on customer_id. The cross-tenant integration test in every CI run fakes a tenant-B context and asserts that no row from tenant A is reachable. Failures block the release.

Stolen API key.

An agent authenticates with an API key instead of a session. We rotate keys per environment, scope each key to one App, and revoke instantly via the dashboard. The audit chain shows the offending key's last call before revocation.

compliance posture

Where we stand.

Open beta. We’re building toward SOC 2 Type II in the v1.0 window. Until certified, the runtime is shippable for pre-prod and non-regulated workloads. The customer-edge PDP is available on day one for teams that need data locality.

  • SOC 2 Type II · targeted v1.0
  • GDPR data export · on roadmap
  • Customer-edge PDP · available
  • Audit retention · 7 years (R2)
  • Encryption at rest · XChaCha20
  • TLS in transit · TLS 1.3 only

disclosure

Found something? Tell us — we’ll listen.

We run coordinated disclosure. Email [email protected] with reproduction steps. We acknowledge in 24 hours, fix critical issues within 7 days, publish a CVE if appropriate, and credit you (or keep you anonymous — your call).

PGP

Public key fingerprint:

4F5C 8A91 AE3D 02E1 B73F · 2C70 19DA 884E 6C92 1FAE
