Security
Security Architecture
Security is not a feature in OPIDE — it is the architecture. Ten layers built into the core, not bolted on as optional plugins.
The 10 layers#
| Layer | What it does |
|---|---|
| 1. Rust type system | No null pointers, no data races, no use-after-free. Compile-time memory safety guarantees across the entire engine. |
| 2. Memory encryption | PII detected via 20 regex patterns plus LLM classification. Three encryption tiers: Cleartext, Sensitive (AES-256-GCM with searchable summary), Confidential (fully encrypted, vector-only search). |
| 3. Sandbox enforcement | All agent file operations go through the QuickJS sandbox HostApi. No raw filesystem access from the agent layer. |
| 4. Tool circuit breaker | Blocks tools after 5 consecutive failures. Prevents runaway loops and resource exhaustion. |
| 5. MCP isolation | External MCP servers run in separate processes. Tool results are schema-validated before injection into agent context. |
| 6. Keychain integration | API keys stored in the OS keychain: macOS Keychain, Linux secret-service, Windows Credential Manager. Never written to disk in plaintext. |
| 7. Token budget enforcement | Context window is never exceeded. Budget-aware assembly at every stage prevents context overflow attacks. |
| 8. GDPR compliance | Automatic PII tier escalation, key rotation with re-encryption, memory purge on request. Data residency stays local. |
| 9. Audit trail | Every operation logged: agent actions, tool calls, memory access, security decisions. Full queryable history. |
| 10. SQLite encryption | The database is encrypted at rest with anti-forensic measures: file size masking and metadata zeroing. |
Memory encryption tiers#
Engram classifies every piece of stored memory into one of three encryption tiers based on PII detection and content sensitivity:
- ◆Cleartext — non-sensitive content stored normally. Fully searchable.
- ◆Sensitive — detected PII encrypted with AES-256-GCM. A searchable plaintext summary is stored separately so retrieval still works without decrypting.
- ◆Confidential — fully encrypted. Only vector-based semantic search works. The content is never exposed in plaintext outside the decryption path.
PII detection uses 20 regex patterns covering email addresses, phone numbers, credit card numbers, social security numbers, and other common sensitive patterns. Patterns that are ambiguous escalate to LLM classification before tier assignment.
The QuickJS sandbox#
The agent executes operations via a QuickJS (rquickjs) sandbox with a controlled HostApi. The sandbox is the only path to the filesystem, terminal, and git. Direct access does not exist.
The ctx object exposes exactly these operations:
// File operations
ctx.file_read(path)
ctx.file_write(path, content)
ctx.dir_list(path)
// Shell
ctx.exec(command)
// Git
ctx.git_status()
ctx.git_diff()
ctx.git_log()
ctx.git_branches()
// Editor
ctx.get_diagnostics()
ctx.get_selection()
ctx.get_open_files()
// Search
ctx.search(query)No raw filesystem access beyond declared paths. No network access. No child process spawning outside ctx.exec. The host controls exactly what the agent can do at the Rust level — the sandbox cannot be escaped from JavaScript.
Audit trail#
Every operation OPIDE performs is logged to a queryable audit trail stored in the encrypted SQLite database. The trail records:
- ◆Every tool call with its parameters and result
- ◆Every memory read and write operation
- ◆Every agent decision and the reasoning behind it
- ◆Every security event — failed tool calls, PII detections, tier escalations
- ◆Timestamps and session identifiers for every entry
The audit trail is accessible from Settings. You can query it, export it, and use it to understand exactly what the agent did in any session.