SECURITY & GOVERNANCE

Autonomy
you can audit.

The point of AI remediation is trusting it at 3AM. That trust isn’t a promise — it’s enforced, layer by layer, between any actor and your clients’ endpoints.

L1WireGuard meshSelf-hosted Headscale tunnel — no public attack surfacePLANNED
L2mTLS on gRPCCA-signed client certs from one-shot enrollment tokensPLANNED
L3Ed25519 signaturesEvery command signed per-request, verifiable end-to-endLIVE
L4Typed operationsNo arbitrary shell, ever — a hard security boundaryLIVE
L5Decision engineMulti-dimensional risk scoring gates every actionLIVE

Defense in depth, not defense in marketing.

Each layer holds independently once live. Three of five are enforced in production today — Ed25519 signing, typed-operation execution, and Decision-Engine risk scoring all sit on the hot path of every command, so a valid signed command still can’t skip the risk gate.

WireGuard mesh transport and mTLS have their keys and certs issued at enrollment today; wiring up verification on the transport itself is next. We’d rather tell you exactly where the line is than round up.

THE RISK GATE

Low risk runs. Critical risk waits for a senior approver.

The decision engine scores every proposed action across five dimensions — reversibility, blast radius, criticality, change category, confidence — into a single 0–205 score. The score decides the path:

SCORE 0–20 · LOW
Auto-execute
Restart a service, clear a temp directory. Snapshot taken, action runs, audit written — before a human could have opened the ticket.
SCORE 21–50 · ELEVATED
Auto-execute, watched
Still runs immediately — but with a lower alerting threshold and closer scrutiny on the outcome.
SCORE 51–80 · HIGH
Requires approval
The agent presents its diagnosis, plan and rollback path. A technician approves with one click — or edits the plan first.
SCORE 81–205 · CRITICAL
Requires senior approval
Destructive or wide-blast-radius operations escalate specifically to a senior approver — not just any technician.
DEFAULT ALLOW-LIST TODAY: PING · DIAGNOSTIC · BACKUP_CREATE — EVERYTHING ELSE IS DENIED BEFORE IT REACHES THE RISK SCORE DRIFT & POLICY PACKS USE THIS SAME GATE →
THE AUDIT CHAIN

Every action. Every actor. Every reason.

The audit trail is hash-chained — every entry’s hash is computed from the previous entry’s hash plus its own payload, so tampering breaks the chain instead of hiding in it.

Real event types, not paraphrases: drift.detected, decision.assessed, approval.requested/approved, command.authorized. When a client asks “what happened at 3AM?”, that’s the actual log you show them.

// audit chain — tenant: northwind-msp
03:12:41 drift.detected policy=guest-account · WS-0147
03:12:42 decision.assessed score 58/205 → require_approval
03:12:42 approval.requested queued for technician review
03:12:58 approval.approved [email protected]
03:12:59 command.authorized ACL: DIAGNOSTIC · agent
03:12:59 chain entry #84117 ⟵ sha256(prev + entry)
TENANT ISOLATION

Enforced by Postgres, not by promises.

Row-level security is enabled and forced on every tenant-scoped table. The application role carries NOBYPASSRLS — even a bug in our own code can’t cross tenants. Missing tenant context returns zero rows, not all rows. Above that sits RBAC: two system roles and seven tenant roles, checked against every route.

PROVEN BY CROSS-TENANT ISOLATION TESTS + A 357-CASE RBAC MATRIX, EVERY PUSH
BOUNDED AI COST

No surprise invoice at month end.

Per-tenant token budgets are enforced in the orchestrator. At 100% of budget, the platform automatically downgrades to on-device local AI — triage keeps working, the bill doesn’t grow. Bring any OpenAI-compatible provider: Claude, GPT, Ollama.

PROVIDER-AGNOSTIC · PROMPT-CACHE AWARE · LOCAL FALLBACK

Trust it at 3AM.
Verify it at 9AM.

Join the waitlist See the architecture