Security overview

Built so a leaked prompt can't become a leaked key.

Permaura treats the LLM as untrusted and puts enforcement where it belongs: at the capability boundary, server-side, audited.

Non-negotiable principles

The model never receives raw secrets

No API keys in tool responses. No tokens in prompts, logs, or shell history. If a workflow can't be done without exposing a secret to the model, the default is unsupported.

Deny by default

If no policy explicitly allows an action, it is denied. Access is granted by scoped, time-boxed grants, never inherited from whatever credentials live on the machine.

Separate intent from execution

The agent proposes or requests; Permaura executes. The capability boundary, not the prompt, is the security boundary. MCP is transport, not trust.

Audit everything

Who requested what, which agent, which device, which policy decided, which secret was used, what external action happened, and what a human approved: all answerable later.

Threat model

A summary of what Permaura defends against and how. The throughline: limit what the surrounding system can do, rather than trusting the model to behave.

ThreatMitigation
Prompt injection convinces the agent to act maliciouslyThe agent can only call capabilities. Policy is evaluated server-side, independent of the prompt. Out-of-scope or over-limit actions are denied with a reason.
Secret leaks into transcript, logs, or contextSecrets are injected only at execution time, server-side, and never returned to the model. Tool calls store a request_hash and summary, not the raw body.
A long-lived credential is over-permissionedGrants are scoped to principal, resource, and action, expire automatically, and can be capped by max_calls and max_amount. Sessions revoke instantly.
An audit record is altered after the factAudit events are hash-chained (each row carries the previous row's hash) and ed25519-signed, so tampering breaks the chain and fails verification.
A high-value action runs without oversightCritical actions require human approval every time: Touch ID, a push to your phone, or a two-person rule. Approvals are single-use and time-boxed.
Hosted execution exposes a secret to the cloudLocal-only is the default. Remote execution is opt-in and honestly scoped: encrypted at rest, briefly decrypted in memory. BYOK and VPC workers are planned for Enterprise.

Cryptography

Envelope encryption

A random per-secret DEK (AES-256-GCM / ChaCha20-Poly1305) encrypts each secret, wrapped by a vault KEK.

Key derivation & KMS

The KEK is derived from a passphrase via Argon2id locally, or held in KMS for cloud. macOS vaults are backed by the Keychain and Secure Enclave.

Signed, chained audit

Audit events are ed25519-signed and hash-chained for tamper evidence. Verification is a first-class operation in the console.

Minimal data at rest

Secrets split across ciphertext, wrapped DEK, and metadata. Tool calls keep request_hash + summaries, not full request or response bodies.

Let your agents do real work, without the keys.

Install the local gateway, connect Claude Code or Codex, and approve your first capability in minutes. Deny by default, audit everything.