Trust model

Security model

TackOS is designed around a principle of least privilege. Agents get permission to act, not access to everything. Every layer adds a control point.

Current version is a local prototype

The security properties described here represent the intended production model. The current repository is a local prototype with mock data and simulated policy checks. No real credentials are handled. No real agents execute. Treat this as an architectural specification, not a security audit result.

No raw credentials in the runtime

Active

Agents in the local prototype never receive API keys, tokens, or secrets. The current implementation uses mock data exclusively. In a production deployment, credentials would be held in a secure vault and accessed only through the policy gateway — never passed to agents directly.

Policy-based permissions

Active

Every agent action is evaluated against a policy rule set before execution is allowed. Policies define which tools are accessible at each autonomy level, which actions require human approval, and what the hard budget ceiling is. Policy changes require operator authority.

Human approval for high-risk actions

Active

Actions classified as High or Critical risk do not execute autonomously. They enter an approval queue visible to authorized operators. Execution is blocked until a human explicitly approves or rejects. Rejected actions are logged with the reason and operator identity.

Budget kill switch

Active

When projected spend crosses a configurable threshold (default: 85% of monthly cap), execution pauses and an escalation is raised. The kill switch is a hard stop — no agent can bypass it without operator override. Budget state is visible on the Cost Intelligence surface at all times.
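The policy gateway, approval queue and budget kill switch described in the three sections above, written out as an added example in JavaScript. This is illustration code, not TackOS's own implementation: the policy shape, the autonomy level names (assist, operate, autonomous), the tool names, the per-tool risk classes and the linear month-end projection of spend are all assumptions made for the example.

```javascript
// Added example, not TackOS code. Policy shape, level names, tool names,
// risk classes and the spend projection are assumptions for illustration.

// Which tools each autonomy level may call, which risk classes need a human,
// and the hard budget ceiling with the kill-switch threshold (85% per the page).
const POLICY = {
  toolsByLevel: {
    assist:     ['search', 'read_doc'],
    operate:    ['search', 'read_doc', 'send_email'],
    autonomous: ['search', 'read_doc', 'send_email', 'issue_refund'],
  },
  requiresApproval: new Set(['high', 'critical']),
  monthlyCapUsd: 1000,
  killSwitchRatio: 0.85,
};

// Risk class per tool (constructed sample values; unknown tools count as critical).
const TOOL_RISK = { search: 'low', read_doc: 'low', send_email: 'medium', issue_refund: 'high' };

// Linear projection of month-end spend from spend-to-date. The page does not
// say how projected spend is computed; this is an assumption.
function projectedSpend(spentUsd, dayOfMonth, daysInMonth) {
  return (spentUsd / dayOfMonth) * daysInMonth;
}

// Evaluate one proposed action. decision is 'allow', 'queue' (waits for a human)
// or 'block' (hard stop). ctx carries spend state and any operator override.
function evaluateAction(action, ctx, policy = POLICY) {
  const allowed = policy.toolsByLevel[action.autonomyLevel] || [];
  if (!allowed.includes(action.tool)) {
    return { decision: 'block', reason: `tool ${action.tool} not permitted at level ${action.autonomyLevel}` };
  }
  // Hard ceiling: treated here as non-overridable (assumption).
  if (ctx.spentUsd + action.estimatedCostUsd > policy.monthlyCapUsd) {
    return { decision: 'block', reason: 'hard budget ceiling reached' };
  }
  // Kill switch: projected spend at or over the threshold pauses execution
  // unless an explicit operator override is present.
  const projected = projectedSpend(ctx.spentUsd, ctx.dayOfMonth, ctx.daysInMonth);
  if (projected >= policy.killSwitchRatio * policy.monthlyCapUsd && !ctx.operatorOverride) {
    return { decision: 'block', reason: `kill switch: projected spend $${projected.toFixed(2)} at or over threshold` };
  }
  const risk = TOOL_RISK[action.tool] || 'critical';
  if (policy.requiresApproval.has(risk)) {
    return { decision: 'queue', reason: `risk ${risk} requires human approval` };
  }
  return { decision: 'allow', reason: 'policy checks passed' };
}

// Approval queue: queued actions wait here; every decision records the
// operator identity and the reason, as the page requires for rejections.
function createApprovalQueue() {
  const pending = new Map();
  const decisions = [];
  let nextId = 1;
  return {
    enqueue(action) { const id = nextId++; pending.set(id, action); return id; },
    decide(id, operator, approved, reason) {
      const action = pending.get(id);
      if (!action) throw new Error(`no pending action ${id}`);
      pending.delete(id);
      decisions.push({ id, action, operator, approved, reason, at: Date.now() });
      return approved;
    },
    pendingCount() { return pending.size; },
    decisions,
  };
}

// Wire the two together: evaluate, and park queued actions until a human decides.
function submit(action, ctx, queue) {
  const result = evaluateAction(action, ctx);
  if (result.decision === 'queue') result.approvalId = queue.enqueue(action);
  return result;
}
```

The order of checks matters: scope and budget are decided before risk, so an out-of-scope or over-budget action never reaches the approval queue, and operators only see requests that are otherwise permitted.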

Immutable audit log

Active

All agent actions, approval decisions, policy evaluations, and cost events are recorded in the audit log. Entries are append-only. In the local prototype, the log is stored in memory and localStorage. In production, the log would be written to an append-only store with cryptographic integrity checks.

Sandbox before execution

Planned

Plans run through a simulation step before real tool permissions are granted. The simulation validates the intended action sequence, estimates cost, and flags policy violations. If the simulation fails a policy check, the plan is revised before real execution begins.
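An added example of the planned simulation step: a dry run of a multi-step plan that validates the action sequence, estimates cost and flags policy violations before any real tool permission is granted. This is illustration code, not TackOS code; the plan structure, the tool names, the per-tool cost estimates (in cents) and the simple revise-by-dropping strategy are assumptions for the example.

```javascript
// Added example, not TackOS code. Plan structure, tool names, costs and the
// revision strategy are assumptions for illustration.

// Estimated cost per call in cents (constructed sample values; integers avoid
// floating-point drift when summing).
const TOOL_COST_CENTS = { search: 1, read_doc: 2, send_email: 5, issue_refund: 10 };

// Simulate a plan without executing anything. Each step names a tool, may
// declare how many calls it makes, and may list earlier steps whose outputs
// it consumes (`uses`). Returns whether the plan may proceed, the cost
// estimate and every flag raised.
function simulatePlan(plan, permittedTools, budgetCeilingCents) {
  const flags = [];
  const produced = new Set();   // ids of steps that would have completed so far
  let costCents = 0;
  for (const step of plan.steps) {
    // Unknown tool: nothing can be estimated or permitted for it.
    if (!(step.tool in TOOL_COST_CENTS)) {
      flags.push({ step: step.id, kind: 'unknown_tool', detail: step.tool });
      continue;
    }
    // Policy: tool outside the scope granted to this plan.
    if (!permittedTools.has(step.tool)) {
      flags.push({ step: step.id, kind: 'policy_violation', detail: `${step.tool} not in permitted scope` });
    }
    // Sequence: a step may only consume outputs of steps that ran before it.
    for (const dep of step.uses || []) {
      if (!produced.has(dep)) {
        flags.push({ step: step.id, kind: 'bad_sequence', detail: `uses ${dep} before it runs` });
      }
    }
    costCents += TOOL_COST_CENTS[step.tool] * (step.calls || 1);
    if (costCents > budgetCeilingCents) {
      flags.push({ step: step.id, kind: 'budget_exceeded', detail: `cumulative ${costCents} > ceiling ${budgetCeilingCents}` });
    }
    produced.add(step.id);
  }
  return { ok: flags.length === 0, estimatedCostCents: costCents, flags };
}

// Revise-before-execute loop: drop every flagged step and re-simulate, until
// the plan is clean or the round limit is hit. Dropping a step can leave
// dependents stranded, which the next round catches as bad_sequence.
function reviseByDroppingFlagged(plan, permittedTools, budgetCeilingCents, maxRounds = 5) {
  let current = plan;
  let report = simulatePlan(current, permittedTools, budgetCeilingCents);
  let rounds = 0;
  while (!report.ok && rounds < maxRounds) {
    const flagged = new Set(report.flags.map(f => f.step));
    current = { ...current, steps: current.steps.filter(s => !flagged.has(s.id)) };
    report = simulatePlan(current, permittedTools, budgetCeilingCents);
    rounds++;
  }
  return { plan: current, report, rounds };
}
```

Dropping flagged steps is the simplest possible revision; a real planner would re-plan around the violation. The useful property of the dry run is that it produces a cost figure and a list of violations from the same checks real execution would apply, so a plan that passes simulation has already been checked against the policy it will run under.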

Local-first data model

Active

The current prototype stores all state in the browser's localStorage. No data is sent to external servers. No analytics, telemetry, or tracking is included. What runs locally stays local.

Minimal surface area

Active

Agents receive only the context they need for the current task. They do not have persistent access to company-wide state, credentials, or tool scopes beyond their department's defined boundaries. This limits the blast radius of any single agent acting outside its intended scope.

What TackOS does not do

  • TackOS does not give agents unrestricted internet access.
  • TackOS does not allow agents to modify their own autonomy level or policy rules.
  • TackOS does not hide agent actions — every execution step is recorded.
  • TackOS does not allow agents to access credentials outside their approved tool scope.
  • TackOS does not permit budget overrides without explicit operator approval.
  • TackOS does not claim to eliminate all risks of autonomous agent execution — it reduces and controls them.

Reporting security issues

If you identify a security concern in the codebase or architecture, please open a GitHub issue with the label security or email the maintainers directly. Do not disclose vulnerabilities in public pull requests.