Category 09 of 12
Trust, Governance & Security
Production controls for autonomous agents: budgets, human approvals, audit trails, prompt-injection defense, secret redaction, and the extension sandbox.
Pages in this category
Workspace/day and agent/month spend ceilings, pre-spend assertion, and an AbortSignal-threaded circuit breaker that actually stops a run.
Human gates for overruns, outbound safety, and workflow decisions; a revise decision sends work back with feedback.
Action attribution with node-level token accounting from a single sink — no anonymous spend.
Ask, Plan, and Auto, plus deployment + per-workspace autonomy toggles that decide how much a run can do unsupervised.
Every run streams reasoning, a live activity tail back-fills a surface opened mid-run, and a realtime token pill shows spend as it accrues.
The Experiment primitive: define, assign, record, and read results — A/B-style assignment and outcome tracking, feeding the same trust + learning loop the Brain uses.
AES-256-GCM credential encryption, hashed API keys, and an auto-generated RS256 JWT keypair with workspace–user ownership re-checked on every request.
Scanning untrusted ingested content for injection carriers, neutralizing invisible characters, and raising approval friction rather than pretending pattern-matching is complete.
Key-name and value-pattern redaction that masks vault values, API keys, and JWTs out of logs, transcripts, and the realtime event bus.
node:vm by default, isolated-vm or opt-in Docker to harden it further — least-privilege permissions for agent-authored code.
SSRF protection on every outbound call, secrets resolved from the vault at call time, and rate limiting plus security headers at the edge.