SECURITY & GOVERNANCE

Autonomy
you can audit.

The point of AI remediation is trusting it at 3AM. That trust isn’t a promise — it’s five enforced layers between any actor and your clients’ endpoints.

L1WireGuard meshSelf-hosted Headscale tunnel — no public attack surface
L2mTLS on gRPCCA-signed client certs from one-shot enrollment tokens
L3Ed25519 signaturesEvery command signed per-request, verifiable end-to-end
L4Typed operationsNo arbitrary shell, ever — a hard security boundary
L5Decision engineMulti-dimensional risk scoring gates every action

Defense in depth, not defense in marketing.

Each layer holds independently. A compromised network still can’t forge a command; a stolen cert still can’t run arbitrary code; a valid signed command still faces the risk gate before it touches an endpoint.

THE RISK GATE

Low risk runs. High risk waits for you.

The decision engine scores every proposed action across multiple dimensions — blast radius, reversibility, tenant policy, confidence. The score decides the path:

LOW RISK
Auto-execute
Restart a service, clear a temp directory. Snapshot taken, action runs, audit written — before a human could have opened the ticket.
MEDIUM RISK
Propose & approve
The agent presents its diagnosis, plan and rollback path. A technician approves with one click — or edits the plan first.
HIGH RISK
Human-only
Destructive or wide-blast-radius operations never auto-run. The AI investigates and briefs; a human decides and owns it.
THE AUDIT CHAIN

Every action. Every actor. Every reason.

The audit trail is hash-chained — each entry cryptographically references the previous one, so tampering is detectable, not deniable.

AI decisions log their full reasoning chain. When a client asks “what happened at 3AM?”, you show them — diagnosis, risk score, action, validation, outcome.

// audit chain — tenant: northwind-msp
03:12:41 ALERT disk_usage > 92% — WS-0147
03:12:44 AGENT diagnostic: log overflow in app spool
03:12:45 RISK  score 0.18 → auto-execute approved
03:12:46 SNAP  snapshot b41f…9c02 captured
03:12:49 EXEC  rotate_logs(spool) — sig ed25519:7d3a…
03:12:52 VALID disk_usage 41% — intent satisfied
03:12:52 CHAIN entry #84117 ⟵ sha256(#84116)
TENANT ISOLATION

Enforced by Postgres, not by promises.

Row-level security is enabled and forced on every tenant-scoped table. The application role carries NOBYPASSRLS — even a bug in our own code can’t cross tenants. Missing tenant context returns zero rows, not all rows.

PROVEN BY CROSS-TENANT ISOLATION TESTS IN CI, EVERY PUSH
BOUNDED AI COST

No surprise invoice at month end.

Per-tenant token budgets are enforced in the orchestrator. At 100% of budget, the platform automatically downgrades to on-device local AI — triage keeps working, the bill doesn’t grow. Bring any OpenAI-compatible provider: Claude, GPT, Ollama.

PROVIDER-AGNOSTIC · PROMPT-CACHE AWARE · LOCAL FALLBACK

Trust it at 3AM.
Verify it at 9AM.

Join the waitlist See the architecture