Security model
Threat model for action-boundary proof.
Imladri is built for agents that can create real side effects. The security boundary is strongest where dangerous capabilities are routed through wrapped tools, strict preflight, governed data actions, sandboxed commands, or protected compute lanes.
What Imladri protects
| Surface | Guarantee |
| --- | --- |
| Wrapped agent actions | Strict preflight can block prohibited actions before the tool body runs. |
| Governed data writes | Database sandbox and governed DB actions can prove branch-local writes and source-untouched status. |
| Protected compute runs | Provider training lanes can carry attestation, runtime state, cleanup, and zeroization evidence when configured. |
| Proof integrity | Exports carry digest, hash-chain, redaction context, and signature metadata where configured. |
| Delegated tool authority | MCP/tool hosts can use scoped, short-lived authority instead of broad long-lived keys. |
What it does not claim
| Limitation | Detail |
| --- | --- |
| Unrouted side effects | Imladri cannot block, before execution, a function that bypasses the SDK, adapter, strict preflight, sandbox, or governed DB route. |
| Prompt-only safety | Prompt detectors are advisory; enforcement happens at the action boundary. |
| Raw customer secrets | Provider keys and SDK keys must stay server-side or in customer secret managers. Public proof shares should never expose them. |
| Universal framework coverage | Certified lanes prove specific supported surfaces, not every possible plugin, hosted account, or custom wrapper. |
| External compliance certification | Security architecture and proof artifacts support review, but formal SOC 2 or external audit requires a separate engagement. |
Operational handling
| Item | Guidance |
| --- | --- |
| Keys | Rotate SDK keys in Profile, store them in server-side secrets, revoke old keys, and never paste provider keys into public artifacts. |
| Proof shares | Use auditor-redacted shares for buyers; keep full proof exports inside the approved workspace. |
| Verifier | Use `/verify-proof` or `imladri proof verify` to recompute digest and hash-chain state before sending evidence externally. |
| Detectors | Treat prompt/data-leak detector findings as signals that should be fixed, scoped, or explicitly accepted before proof sharing. |
| Cleanup | Destroy DB branches, stop/delete provider pods, and check Profile activity before closing the workflow. |
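As an added illustration of the recomputation the Verifier step performs (example code, not Imladri's own verifier or export schema): each entry's hash is derived from the previous hash plus the entry body, and the export digest covers the whole chain, so editing or dropping an entry is detected before evidence leaves the workspace. The field names and `SAMPLE_ENTRIES` are constructed assumptions for this example.

```python
import hashlib
import json

# Constructed sample entries; the field names are an assumption for this
# example, not Imladri's real export format.
SAMPLE_ENTRIES = [
    {"seq": 1, "action": "db.write", "branch": "agent-42", "source_touched": False},
    {"seq": 2, "action": "preflight", "verdict": "allow", "tool": "send_invoice"},
    {"seq": 3, "action": "cleanup", "target": "db-branch", "destroyed": True},
]

GENESIS = "0" * 64  # assumed anchor for the first chain link


def canonical(obj) -> bytes:
    # Deterministic JSON so exporter and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, body: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()


def build_export(entries):
    """Simulates an exporter: link entries into a hash chain, then digest the chain."""
    chained, prev = [], GENESIS
    for body in entries:
        h = chain_hash(prev, body)
        chained.append({**body, "prev_hash": prev, "hash": h})
        prev = h
    digest = hashlib.sha256(canonical({"entries": chained})).hexdigest()
    return {"entries": chained, "digest": digest}


def verify_export(export: dict):
    """Recompute every link and the digest; return (ok, reason) for the first failure."""
    prev = GENESIS
    for entry in export["entries"]:
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev:
            return False, f"seq {entry['seq']}: broken link"
        if chain_hash(prev, body) != entry["hash"]:
            return False, f"seq {entry['seq']}: entry hash mismatch"
        prev = entry["hash"]
    expected = hashlib.sha256(canonical({"entries": export["entries"]})).hexdigest()
    if export["digest"] != expected:
        return False, "digest mismatch"
    return True, "ok"
```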
