Draft

Safe agent runtime

Surety runs every agent inside a Docker sandbox by default. Host-mode execution requires an explicit --unsafe-host flag, emits an audit event, and is recorded in the evidence pack.

What's enforced

  • Workspace isolation — each attempt gets its own mounted workspace. Writes outside it fail.
  • Allowed paths — declared in surety.policy.yaml; out-of-scope edits are blocked.
  • Forbidden paths — .git/**, .env, secrets/** by default, plus repo overrides.
  • Symlink and path traversal guards — checked before and after the run.
  • HEAD and branch integrity — agents cannot rewrite history or hijack the working branch.
  • Secret mounting — only by explicit policy. No default shared credentials. Secret access is recorded as an event.
  • Egress policy — allowlist of approved destinations; unauthorized egress is blocked or reported per mode.

Adversarial regression tests

Every release runs the threat-model regression suite:

  • symlink escape
  • path traversal
  • hidden Unicode characters in file names or code changes
  • fake test logs
  • stale base branch
  • malicious branch names
  • unauthorized git checkout / reset / clean / stash
  • token exfiltration attempt
  • prompt injection through repo docs
  • dependency confusion
  • generated vulnerable code
  • scanner suppression without waiver
  • artifact tampering

Each case has its own regression test; the evidence pack records the blocked action; policy mode decides whether the action is blocked or only reported.
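The path guard described under "What's enforced" and the symlink-escape, path-traversal and forbidden-path cases from the regression list above, as an added example. This is not Surety's own code: the policy shape, the function names and the constructed temporary workspace are assumptions, chosen to show the order of checks (lexical traversal, then symlink resolution, then forbidden globs, then the allowlist) and the post-run sweep.

```python
"""Added example, not Surety's implementation: a workspace write guard
(before-run check) and a post-run sweep, exercised against a constructed
workspace. Policy schema and names are assumptions."""
import fnmatch
import os
import tempfile
from pathlib import Path

# Assumed policy shape modelled on the page's defaults; not Surety's schema.
DEFAULT_POLICY = {
    "allowed": ["src/**", "tests/**"],
    "forbidden": [".git/**", ".env", "secrets/**"],
}


def _matches(rel: str, patterns) -> bool:
    # fnmatch's "*" also matches "/", so "secrets/**" covers "secrets/a/b".
    return any(fnmatch.fnmatch(rel, p) for p in patterns)


def check_write(workspace: str, requested: str, policy=DEFAULT_POLICY):
    """Decide whether an agent may write `requested` inside `workspace`.

    Returns (allowed, reason). Order matters: a lexical traversal check first,
    then the filesystem (symlink) check, then forbidden globs, then the allowlist.
    """
    root = Path(workspace).resolve()
    # 1. Lexical: "../x" or an absolute path must not leave the root.
    lexical = Path(os.path.normpath(os.path.join(root, requested)))
    try:
        lexical.relative_to(root)
    except ValueError:
        return False, "path traversal"
    # 2. Filesystem: resolve symlinks in the existing prefix (and the target
    #    itself if it is a symlink); the real path must still sit under root.
    real = lexical.resolve()
    try:
        rel = real.relative_to(root).as_posix()
    except ValueError:
        return False, "symlink escape"
    # 3. Forbidden patterns win over allowed ones.
    if _matches(rel, policy["forbidden"]):
        return False, "forbidden path"
    if not _matches(rel, policy["allowed"]):
        return False, "outside allowed paths"
    return True, "ok"


def scan_after_run(workspace: str, policy=DEFAULT_POLICY):
    """Post-run sweep: symlinks whose target escapes the workspace and files
    that appeared under forbidden paths. Returns [(relative_path, finding)]."""
    root = Path(workspace).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                try:
                    p.resolve().relative_to(root)
                except ValueError:
                    findings.append((rel, "symlink escape"))
                    continue
            if _matches(rel, policy["forbidden"]):
                findings.append((rel, "forbidden path"))
    return findings


def run_regression_cases():
    """Constructed workspace (not real data) exercising the guard; returns
    {case: (allowed, reason)} plus the sorted post-run findings."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside")
        outside.mkdir()
        ws = Path(tmp, "workspace")
        (ws / "src").mkdir(parents=True)
        # A symlink planted in the repo that points outside the workspace.
        (ws / "src" / "lib").symlink_to(outside, target_is_directory=True)
        cases = {
            "legit edit": "src/main.py",
            "path traversal": "../outside/x.txt",
            "absolute path": "/etc/passwd",
            "symlink escape": "src/lib/evil.py",
            "forbidden .env": ".env",
            "forbidden secrets": "secrets/token",
            "not in allowlist": "README.md",
        }
        results = {k: check_write(str(ws), v) for k, v in cases.items()}
        # Simulate an agent that still managed to drop a .env and a second link.
        (ws / ".env").write_text("TOKEN=x")
        (ws / "src" / "link2").symlink_to(outside / "nothing")
        results["post-run scan"] = sorted(scan_after_run(str(ws)))
        return results


if __name__ == "__main__":
    for case, outcome in run_regression_cases().items():
        print(f"{case:18} {outcome}")
```

The lexical check runs before any filesystem access so that a traversal attempt is refused without resolving anything on disk; the symlink check then catches a path that is lexically inside the workspace but physically outside it. Forbidden globs are evaluated before the allowlist so that a repo override widening the allowed set cannot unblock .git or secrets.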

Runtime metadata in evidence

Every evidence pack records:

  • runtime type (docker | host | kubernetes)
  • image name and digest
  • workspace ID
  • network policy
  • secret policy
  • allowed and forbidden paths
  • CPU, memory, time limits

If host mode is used, the evidence is flagged and the audit event includes who authorized it.