Credentials never leave the broker.
Agents receive UCANs scoped to one action, one resource, one minute. The actual OAuth bearer is held by the PDP and used only for the authorized upstream call.
Plain-language posture statement. We tell you which primitives we use, where they live, what we store, and what we don’t. If something is missing here, assume the answer is “not yet”.
Cedar policies run on every request. The PDP refuses to mint a UCAN if any active policy denies. Visual edits round-trip through the parser before save — no drift.
Two-pass detection in the Cedar engine flags risky calls. Nomos pushes a passkey prompt; only an authenticator-signed cosigner UCAN can release the action.
Hash-chained audit_events; daily Ed25519-signed roots; Cloudflare R2 Parquet archive on a 7-year lifecycle; open-source CLI verifier you can run offline.
Every Drizzle query in tenant-scoped code is filtered on customer_id. A cross-tenant integration test runs in every CI run and fails loudly if the invariant breaks.
OAuth refresh tokens are encrypted with XChaCha20-Poly1305. Encryption keys live in environment variables, separate from DB credentials. The daily Ed25519 signing keys live in environment variables too.
Every cryptographic operation goes through @auto-nomos/crypto, a thin wrapper around audited libraries from the @noble family. We never invent crypto.
A poisoned prompt convinces the agent to do something risky. Nomos denies the call at the policy gate; the agent never had a usable token in the first place. Step-up forces a human-in-the-loop on high-stakes actions even if the agent insists.
Some upstream APIs leak tokens or secrets in responses (think GitHub PATs in webhook payloads). The PDP runs a response sanitizer that redacts known secret formats and zero-width Unicode before the agent sees the body.
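The sanitizer described above, as an added example (not the PDP's own code): strip zero-width code points first, then redact a small catalogue of well-known secret formats. The patterns, the webhook payload and the output format are constructed for illustration; a real deployment would carry a maintained pattern catalogue. Stripping the invisible characters before matching matters, because a zero-width space dropped into the middle of a token defeats a naive regex while still reading as the intact token to a model.

```typescript
// Illustrative secret formats (assumed for this example, not an exhaustive list):
// classic GitHub PAT, AWS access key ID, and a generic bearer header value.
const SECRET_PATTERNS: { name: string; re: RegExp }[] = [
  { name: "github_pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "aws_access_key", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "bearer", re: /\bBearer\s+[A-Za-z0-9\-._~+/]+=*/g },
];

// Zero-width / invisible code points that can split a secret or smuggle text.
const ZERO_WIDTH = /[\u200B-\u200D\u2060\uFEFF]/g;

interface SanitizeResult {
  body: string;
  redactions: { name: string; count: number }[];
}

// Remove invisible characters, then replace each matched secret with a marker
// that keeps the secret type visible to the agent without leaking the value.
function sanitizeResponse(body: string): SanitizeResult {
  let out = body.replace(ZERO_WIDTH, "");
  const redactions: { name: string; count: number }[] = [];
  for (const { name, re } of SECRET_PATTERNS) {
    let count = 0;
    out = out.replace(re, () => {
      count++;
      return `[REDACTED:${name}]`;
    });
    if (count > 0) redactions.push({ name, count });
  }
  return { body: out, redactions };
}

// Constructed webhook-style payload. The PAT is split by a zero-width space so a
// regex run on the raw body would miss it; the AWS key is the documented
// example key from AWS's own docs, not a live credential.
function constructedPayload(): string {
  const pat = "ghp_" + "a".repeat(18) + "\u200B" + "a".repeat(18);
  return [
    '{"action":"opened",',
    ` "comment":"deploy with ${pat} and AKIAIOSFODNN7EXAMPLE",`,
    ' "headers":{"Authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.e30.sig"}}',
  ].join("\n");
}

function demoSanitize(): SanitizeResult {
  return sanitizeResponse(constructedPayload());
}
```

Running `demoSanitize()` yields a body with three `[REDACTED:…]` markers and no zero-width characters; the `redactions` list is what you would log to the audit chain so the event records that a secret was seen without recording the secret itself.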
An attacker with DB access tries to delete or rewrite a row. The hash chain breaks, the daily signed root no longer validates, and the verifier CLI raises. All audit rows are additionally archived to R2 out of band on a 7-year lifecycle.
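The hash chain, daily signed root and offline verifier from the two passages above, as one added example written for this page (it is not the audit_events schema, the signing service or the CLI verifier themselves). Field names, the canonical encoding and the root message format are assumptions; it uses Node's built-in Ed25519 rather than @auto-nomos/crypto. The demo builds a short chain, signs its head, then replays the two attacks the page names: deleting a row and rewriting one.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Assumed shape of one audit_events row (illustrative, not the real schema).
interface AuditEvent {
  seq: number;
  ts: string;          // ISO-8601
  customer_id: string;
  action: string;
  prev_hash: string;   // hex SHA-256 of the previous row, GENESIS for the first
  hash: string;        // hex SHA-256 over the canonical encoding of the fields above
}

const GENESIS = "0".repeat(64);

// Fixed field order so every verifier hashes exactly the same bytes.
function canonical(e: Omit<AuditEvent, "hash">): string {
  return JSON.stringify([e.seq, e.ts, e.customer_id, e.action, e.prev_hash]);
}

function eventHash(e: Omit<AuditEvent, "hash">): string {
  return createHash("sha256").update(canonical(e)).digest("hex");
}

// Append a row linked to the current chain head.
function appendEvent(chain: AuditEvent[], ts: string, customer_id: string, action: string): AuditEvent {
  const prev_hash = chain.length > 0 ? chain[chain.length - 1].hash : GENESIS;
  const body = { seq: chain.length, ts, customer_id, action, prev_hash };
  const e: AuditEvent = { ...body, hash: eventHash(body) };
  chain.push(e);
  return e;
}

// Daily root: the chain head (seq + hash) signed with the day's Ed25519 key.
interface SignedRoot { seq: number; head: string; sig: string }

function rootMessage(seq: number, head: string): Buffer {
  return Buffer.from(`${seq}:${head}`);   // assumed message format
}

function signRoot(chain: AuditEvent[], priv: KeyObject): SignedRoot {
  const seq = chain.length - 1;
  const head = chain[seq].hash;
  return { seq, head, sig: sign(null, rootMessage(seq, head), priv).toString("base64") };
}

// Offline verifier: recompute every link, then check the head against the signed root.
function verifyChain(chain: AuditEvent[], root: SignedRoot, pub: KeyObject): { ok: boolean; reason?: string } {
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const { hash, ...body } = chain[i];
    if (body.seq !== i) return { ok: false, reason: `gap at seq ${i}` };
    if (body.prev_hash !== prev) return { ok: false, reason: `broken link at seq ${i}` };
    if (eventHash(body) !== hash) return { ok: false, reason: `hash mismatch at seq ${i}` };
    prev = hash;
  }
  if (root.seq !== chain.length - 1 || root.head !== prev) {
    return { ok: false, reason: "root does not match chain head" };
  }
  if (!verify(null, rootMessage(root.seq, root.head), pub, Buffer.from(root.sig, "base64"))) {
    return { ok: false, reason: "bad root signature" };
  }
  return { ok: true };
}

// Demo on constructed events: intact chain, a deleted row, and an edited row.
function demoAuditChain() {
  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
  const chain: AuditEvent[] = [];
  appendEvent(chain, "2025-01-01T10:00:00Z", "cust_a", "github.issues.create");
  appendEvent(chain, "2025-01-01T10:01:00Z", "cust_a", "github.repos.list");
  appendEvent(chain, "2025-01-01T10:02:00Z", "cust_b", "slack.chat.post");
  const root = signRoot(chain, privateKey);

  const intact = verifyChain(chain, root, publicKey);
  const deleted = verifyChain([chain[0], chain[2]], root, publicKey);       // row seq 1 removed
  const edited = chain.map((e) => ({ ...e }));
  edited[1].action = "noop";                                                 // row seq 1 rewritten
  const tampered = verifyChain(edited, root, publicKey);
  return { intact, deleted, tampered };
}
```

Only the public key and the signed root need to leave the broker for a third party to check a day's chain, which is what makes an offline verifier possible; an attacker with database access but not the signing key can rewrite rows only by producing a chain whose head no longer matches the signed root.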
A bug in a query forgets to filter on customer_id. The cross-tenant integration test on every CI fakes a tenant-B context and asserts no row from tenant-A is reachable. Failures block release.
An API key replaces a session for an agent. We rotate keys per environment, scope keys to one App, and revoke instantly via the dashboard. The audit chain shows the offending key's last call before revocation.
Open beta. We’re building toward SOC 2 Type II in the v1.0 window. Until certified, the runtime is shippable for pre-prod and non-regulated workloads. Customer-edge PDP is available on day one for teams that need data-locality.
We run coordinated disclosure. Email [email protected] with reproduction steps. We acknowledge within 24 hours, fix critical issues within 7 days, publish a CVE if appropriate, and credit you (or keep you anonymous, your call).
Public key fingerprint:
4F5C 8A91 AE3D 02E1 B73F · 2C70 19DA 884E 6C92 1FAE
read about the audit chain →