MCP Documentation

Security Architecture Overview

Understand how MCP enforces local-first execution, autonomy budgets, approvals, and audit logging across every capability.

Trust boundaries

Tool calls execute inside the orchestrator’s sandbox with outbound network access disabled unless you explicitly allow it. Today’s sandbox is not container-based; containerized tool sandboxes are a roadmap item, so the network restriction and the policy checks below are the isolation controls currently in force.

  • Per-tool allowlists and risk tiers determine whether a step can auto-run or must request approval.
  • Autonomy budgets cap run length, cost, and number of risky operations.
  • Rate limits prevent abuse even on local deployments.
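The three bullets above describe one gate that every step passes through. The following is an added illustration of such a gate, not the MCP project’s own code: the tool names, tier labels, budget fields and thresholds are hypothetical, and the decision record it returns is shaped so it could be written straight to an audit log.

```python
"""Policy gate for tool calls: allowlist, risk tier, autonomy budget, rate limit.

Added illustration; not the MCP project's own code. Tool names, tier labels,
budget fields and thresholds below are hypothetical.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Policy:
    allowlist: dict          # tool name -> risk tier: "low" auto-runs, "medium"/"high" need approval
    max_steps: int           # autonomy budget: total tool calls per run
    max_cost: float          # autonomy budget: cumulative estimated cost
    max_risky_ops: int       # autonomy budget: calls to medium/high tools
    rate_limit: int          # sliding-window rate limit: calls per window
    rate_window_s: float


@dataclass
class RunState:
    steps: int = 0
    cost: float = 0.0
    risky_ops: int = 0
    call_times: deque = field(default_factory=deque)  # timestamps of committed calls


def evaluate(policy: Policy, state: RunState, tool: str, est_cost: float, now: float) -> dict:
    """Return an audit-ready decision record without mutating state.

    decision is one of "auto" (run now), "approve" (pause for a human), "deny".
    """
    record = {"tool": tool, "decision": "deny", "reason": ""}
    tier = policy.allowlist.get(tool)
    if tier is None:
        record["reason"] = "tool not on allowlist"
        return record
    record["tier"] = tier
    # Rate limit: count calls committed inside the window ending now.
    recent = sum(1 for t in state.call_times if now - t <= policy.rate_window_s)
    if recent >= policy.rate_limit:
        record["reason"] = "rate limit exceeded"
        return record
    # Autonomy budgets: refuse the step if it would push any counter past its cap.
    risky = tier != "low"
    if state.steps + 1 > policy.max_steps:
        record["reason"] = "step budget exhausted"
        return record
    if state.cost + est_cost > policy.max_cost:
        record["reason"] = "cost budget exhausted"
        return record
    if risky and state.risky_ops + 1 > policy.max_risky_ops:
        record["reason"] = "risky-operation budget exhausted"
        return record
    record["decision"] = "approve" if risky else "auto"
    record["reason"] = f"tier={tier}"
    return record


def commit(policy: Policy, state: RunState, tool: str, est_cost: float, now: float) -> None:
    """Charge the budgets once a step has actually run (after approval, if required)."""
    state.steps += 1
    state.cost += est_cost
    if policy.allowlist[tool] != "low":
        state.risky_ops += 1
    state.call_times.append(now)
    # Drop timestamps that can no longer fall inside any future window.
    while state.call_times and now - state.call_times[0] > policy.rate_window_s:
        state.call_times.popleft()


def demo() -> list:
    """Walk one run through the gate; returns the sequence of (decision, reason)."""
    policy = Policy(
        allowlist={"read_file": "low", "web_fetch": "medium", "shell": "high"},
        max_steps=10, max_cost=1.0, max_risky_ops=1, rate_limit=3, rate_window_s=60.0,
    )
    state = RunState()
    out = []

    def step(tool, cost, now):
        rec = evaluate(policy, state, tool, cost, now)
        out.append((rec["decision"], rec["reason"]))
        if rec["decision"] != "deny":          # "approve" assumes the human said yes
            commit(policy, state, tool, cost, now)

    step("read_file", 0.05, 0.0)    # auto: low tier
    step("curl", 0.05, 1.0)         # deny: not on allowlist
    step("shell", 0.10, 2.0)        # approve: high tier
    step("web_fetch", 0.10, 3.0)    # deny: the single risky-op budget was spent on shell
    step("read_file", 0.05, 4.0)    # auto: third call inside the 60 s window
    step("read_file", 0.05, 5.0)    # deny: rate limit, three calls already in window
    step("read_file", 0.05, 63.0)   # auto: calls at 0.0 and 2.0 have aged out
    step("read_file", 0.80, 64.0)   # deny: would exceed the 1.0 cost budget
    return out
```

Keeping `evaluate` free of side effects and charging budgets only in `commit` matters: a step that is denied, or that a human rejects at the approval prompt, must not consume budget, and the decision record can be logged before anything runs.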

Auditability

Every prompt, tool invocation, and result is appended to the episodic log. Tamper-evident hashing of log entries is planned for an upcoming release; until it ships, the log cannot itself reveal after-the-fact modification, and a signed evidence package attests to the log’s contents only from the moment of export onward.

  • Logs include policy decisions and approval actor IDs for compliance traceability.
  • Export signed evidence packages to share with security teams or auditors.
  • Upcoming roadmap includes containerized tool sandboxes and hardware attestation hooks.
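What the planned tamper-evident hashing and the existing signed evidence export amount to in practice is shown by the added example below. It is an illustration written for this page, not the MCP project’s implementation: the entry fields, the `GENESIS` constant and the package layout are hypothetical, and a shared-key HMAC stands in for the asymmetric signature a real evidence package should carry (auditors must not need the signing key), so that the example runs on the standard library alone.

```python
"""Hash-chained episodic log with a keyed export tag.

Added illustration of tamper-evident logging and signed evidence export;
not the MCP project's own implementation. Entry fields are hypothetical,
and HMAC stands in for an asymmetric signature to keep the example stdlib-only.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-hash carried by the first entry


def _canonical(obj) -> bytes:
    # Deterministic serialisation: fixed key order and separators, so an
    # entry's digest does not depend on how its dict happened to be built.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class EpisodicLog:
    def __init__(self):
        self.entries = []

    def append(self, kind: str, payload: dict, actor=None) -> str:
        """Append one event (prompt, tool call, result, policy decision, approval).

        actor records who caused it, e.g. the approving user, for traceability.
        Returns the entry's hash, which the next entry commits to as prev.
        """
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "payload": payload,
                "actor": actor, "prev": prev}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> tuple:
        """Recompute the chain. Returns (True, n) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return (False, i)          # reordered, dropped or spliced entry
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return (False, i)          # entry content edited in place
            prev = entry["hash"]
        return (True, len(self.entries))

    def export_evidence(self, key: bytes) -> dict:
        """Evidence package: the log plus a MAC over it. Refuses to export a broken chain."""
        ok, _ = self.verify()
        if not ok:
            raise ValueError("log failed chain verification; not exporting")
        blob = _canonical(self.entries)
        return {"log": blob.decode(), "mac": hmac.new(key, blob, hashlib.sha256).hexdigest()}


def verify_evidence(package: dict, key: bytes) -> bool:
    """Auditor-side check: the MAC matches and the embedded chain is intact."""
    blob = package["log"].encode()
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["mac"]):
        return False
    log = EpisodicLog()
    log.entries = json.loads(blob)
    return log.verify()[0]
```

The chain makes in-place edits, deletions and reordering detectable by anyone who holds a later hash; it does not stop truncation of the tail, which is why the export records the whole chain under a key (or, in production, a signature) that the machine writing the log cannot forge after the fact.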

Data handling

Model weights, intermediate data, and generated artifacts stay on the machine by default; cloud relays require an explicit opt-in per provider.

  • Use redaction policies to scrub secrets before they enter vector or knowledge graph stores.
  • Outbound communications tools require domain allowlists and per-message approvals.
  • Security posture is summarized on `/security` for buyers and reviewers.
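A redaction pass of the kind the first bullet describes is sketched below as an added example; it is not the MCP project’s redaction engine. The rule names and the `[REDACTED:…]` marker format are hypothetical, the sample text is constructed, and the patterns cover a few well-known secret shapes as a starting point rather than a complete policy.

```python
"""Redaction pass run before text enters a vector or knowledge-graph store.

Added illustration, not the MCP project's redaction engine. Rule names and the
replacement marker are hypothetical; the patterns are a starting point only.
"""
import re

# (rule name, pattern, capture group to keep as a readable prefix or None).
# Order matters: specific shapes first, then the generic KEY=value catch-all.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("pem_private_key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     None),
    # Keep the "Authorization: Bearer " prefix so the stored text still reads sensibly.
    ("bearer_token", re.compile(r"(?i)\b(authorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+"), 1),
    # password=..., SECRET_ACCESS_KEY: "...", api_key = ..., GITHUB_TOKEN=...
    ("assigned_secret",
     re.compile(r"(?i)((?:password|passwd|secret|api[_-]?key|token)\w*\s*[=:]\s*)(['\"]?)[^\s'\"]+\2"),
     1),
]


def redact(text: str):
    """Return (scrubbed text, {rule name: hits}); hit counts go to the audit log, never values."""
    counts = {}
    for name, pattern, keep in RULES:
        def _sub(m, name=name, keep=keep):
            prefix = m.group(keep) if keep else ""
            return f"{prefix}[REDACTED:{name}]"
        text, n = pattern.subn(_sub, text)
        if n:
            counts[name] = n
    return text, counts


# Constructed sample of the kind of artifact an agent might try to embed.
SAMPLE = "\n".join([
    "deploy notes for staging",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed",
    "password: 'hunter2'",
    "GITHUB_TOKEN=ghp_0123456789abcdefconstructed",
    "-----BEGIN RSA PRIVATE KEY-----",
    "MIIEowIBAAKCAQEAconstructedkeybody",
    "-----END RSA PRIVATE KEY-----",
    "normal note about the deploy",
])
```

Run the pass on the raw text, not on chunks: the PEM rule spans several lines, and a chunker that splits inside the key block would leave fragments of it unrecognised. Log the per-rule counts with the policy decision, never the matched values.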