Use Case

Compliance & Security

Security that satisfies your compliance team. RBAC, hash-chained audit logs, encrypted exports, and classification markings — designed for defense, critical infrastructure, and regulated industries.

NIST 800-53, FedRAMP, ITAR, SOC 2, GDPR, ISO 27001

Security at every layer

```mermaid
graph LR
    AUTH["Authentication<br/><small>Principal identity</small>"] --> RBAC["RBAC<br/><small>Roles & permissions</small>"]
    RBAC --> POLICY["Policy Engine<br/><small>Clamp / enforce / veto</small>"]
    POLICY --> AUDIT["Audit Trail<br/><small>Hash-chained logs</small>"]
    AUDIT --> EXPORT["Export Controls<br/><small>Encrypt + sign + classify</small>"]
    EXPORT --> CLASS["Classification<br/><small>UNCLASS → TOP SECRET</small>"]
```

Control who sees what

Every action is performed by an identified principal — desktop user, LLM agent, or named service account — with a bitflag permission set and entity scope.

| Feature | What it does |
| --- | --- |
| Role-Based Access | 4 predefined roles (Admin, Operator, Viewer, ReadOnly) plus custom roles with permission inheritance |
| Entity Scoping | Restrict principals to all entities, specific regions, or named groups |
| Agent Permissions | LLM agents inherit the RBAC model — no special bypass, same policy engine |

Prove who did what and when

Every authentication attempt, command execution, policy decision, and data access is recorded with timestamps and chained SHA-256 hashes. Tampering with any record breaks the hash chain.

| Feature | What it does |
| --- | --- |
| Hash-Chained Logs | Each audit record includes SHA-256 of the previous record — tamper detection is built into the data structure |
| Command Lifecycle | Full tracking: Pending → Acked → Completed/Failed/Vetoed with policy engine rationale |
| AI Action Logging | Every LLM agent tool call captured with arguments, results, and the pattern that triggered it |
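
An added example, not the product's own code: a minimal verifier for a hash chain of the kind described above, showing where tampering, deletion, and truncation surface. The record fields, canonical JSON encoding, genesis value, and principal names are assumptions; the page does not specify the actual record format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the first record

def record_hash(rec):
    # Assumed canonical form: JSON with sorted keys, no whitespace.
    data = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()

def append(chain, principal, action, state):
    # Each new record commits to the hash of the record before it.
    prev = record_hash(chain[-1]) if chain else GENESIS
    chain.append({"seq": len(chain), "principal": principal,
                  "action": action, "state": state, "prev_hash": prev})

def verify(chain, trusted_head=None):
    """Return None if intact, else the index where verification fails.

    An edit to record i surfaces at i + 1, whose prev_hash no longer matches.
    len(chain) means every link is consistent but the final hash differs from
    trusted_head: the last record was altered or the tail was truncated.
    """
    expected = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev_hash") != expected:
            return i
        expected = record_hash(rec)
    if trusted_head is not None and expected != trusted_head:
        return len(chain)
    return None

def build_sample():
    # Constructed records; principals and actions are hypothetical.
    chain = []
    append(chain, "svc-ingest", "authenticate", "Completed")
    append(chain, "agent-llm-1", "set_mode", "Pending")
    append(chain, "agent-llm-1", "set_mode", "Vetoed")
    append(chain, "operator-1", "export", "Completed")
    return chain

if __name__ == "__main__":
    chain = build_sample()
    head = record_hash(chain[-1])   # keep this outside the log store
    chain[1]["state"] = "Completed"  # simulate an in-place edit
    print("first failing index:", verify(chain, head))
```

The chain alone cannot detect an edit to the newest record or removal of the tail, which is why the verifier takes a head hash held (or signed) outside the log store.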

Protect data at rest and in transit

Credentials never touch disk unencrypted. All transport uses TLS 1.3 with mutual TLS support. Digital signatures verify data integrity.

| Feature | What it does |
| --- | --- |
| Encrypted Secret Store | age encryption with pluggable backends: memory (dev), file (single-node), env (containers) |
| Digital Signatures | Ed25519 EdDSA signatures on audit records and exports for non-repudiation |
| TLS 1.3 + mTLS | QUIC transport uses TLS 1.3 with 0-RTT resumption. Mutual TLS for service-to-service auth. |

Satisfy classification requirements

Exports carry classification markings, AES-256-GCM encryption, RSA-SHA256 signatures, and data watermarking for leak tracing.

| Feature | What it does |
| --- | --- |
| Classification Levels | UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP SECRET — embedded in every exported file |
| Data Watermarking | Invisible watermarks in exports for leak tracing and attribution |
| Retention Policies | Per-recipient access control, delivery retry, and automatic purge after configurable retention period |

Ready to see the full picture?

One docker pull. Full stack in minutes. No build tools required.