Security Model
Akshi’s security model is defense in depth: multiple independent layers, each designed to contain failures in the layers above it. No single layer is sufficient on its own.
Security layers
| Layer | What it does | Where it lives |
|---|---|---|
| WASM Sandbox | Memory isolation, no filesystem/network/syscall access | Wasmtime runtime |
| Secrets Broker | Credential isolation, allowlist enforcement | Sandbox boundary |
| Policy Engine | Approval gates, risk scoring, spend limits | Pre-execution checks |
| Identity | Ed25519 signing, DID-based peer trust | Sync and mesh transport |
Execution tiers
| Tier | Isolation mechanism | Status |
|---|---|---|
| Tier 1 | Pure WASM (Wasmtime) | Shipped |
| Tier 2 | Native process + OS-level sandbox (seccomp, landlock) | Planned |
| Tier 3 | Native process + hardware isolation (VMs, enclaves) | Planned |
Tier 1 is the only tier available today. It provides strong isolation for agents compiled to WASM. Tiers 2 and 3 will extend support to native binaries that cannot be compiled to WASM.
Capability scan
On startup, the runtime scans the host platform for available sandbox capabilities (Wasmtime version, OS-level sandbox support, hardware features). This information is logged and available via the dashboard, so operators know what isolation mechanisms are active.
Governance risk tiers
Akshi classifies agent actions into risk tiers at the field level:
- Low risk: read-only operations, local inference, journal reads.
- Medium risk: outbound HTTP, A2A messaging, MCP tool calls.
- High risk: financial actions, communications, system modifications.
Risk classification drives approval gate behavior and risk scoring. See Approval Gates for details on how risk scores are computed.
Kill switches
Two emergency stops are available:
- Spend kill switch (`AKSHI_SPEND_KILL_SWITCH=1`): halts all paid actions.
- Supervisor shutdown: `akshi stop` terminates all agents and the runtime.
Both take effect immediately without waiting for in-flight operations to complete.
Formal verification
TLA+ specifications are planned for critical subsystems (broker allowlist evaluation, sync envelope verification, approval gate state machine). These are not yet shipped.
CVE response
Wasmtime is a critical dependency. The project targets a 24-48 hour patch SLA for critical Wasmtime CVEs. The dependency is pinned to a specific version and updated deliberately, not automatically.
Threat model summary
The security model assumes agents are untrusted by default:
- Agents cannot access the host filesystem, network, or other agents’ memory.
- All external access goes through capability-gated host imports.
- Credentials never enter the sandbox.
- High-risk actions require human approval.
- Spend is capped and tracked per agent.
The model does not protect against side-channel attacks on WASM execution or timing attacks on the inference router. These are accepted risks in the current Tier 1 design.
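The gating rules from the risk tiers, kill switches and threat model summary above, as an added example written for this page rather than taken from Akshi: a minimal pre-execution policy check that classifies an action into the three tiers, routes high-risk actions to human approval, and denies any paid action when AKSHI_SPEND_KILL_SWITCH=1 is set or the per-agent spend cap would be exceeded. The action kind strings, cent-denominated costs and the PolicyEngine/Verdict names are assumptions of this illustration.

```rust
// Illustration for this page, not Akshi's own code; action kinds and cents are assumed.
use std::collections::HashMap;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Risk { Low, Medium, High }
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict { Allow, NeedsApproval, Denied(&'static str) }

/// Map an action kind to the page's risk tiers; unknown kinds fail closed.
pub fn classify(kind: &str) -> Risk {
    match kind {
        "journal_read" | "local_inference" => Risk::Low,
        "http_out" | "a2a_message" | "mcp_tool_call" => Risk::Medium,
        "payment" | "send_message" | "system_modify" => Risk::High,
        _ => Risk::High,
    }
}

pub struct PolicyEngine {
    pub kill_switch: bool,                 // AKSHI_SPEND_KILL_SWITCH=1
    pub spend_cap_cents: u64,              // cap applied to each agent
    pub spent_cents: HashMap<String, u64>, // spend tracked per agent
}

impl PolicyEngine {
    /// Read the spend kill switch from the environment; the cap comes from the caller.
    pub fn from_env(spend_cap_cents: u64) -> Self {
        let kill_switch = std::env::var("AKSHI_SPEND_KILL_SWITCH").map_or(false, |v| v == "1");
        Self { kill_switch, spend_cap_cents, spent_cents: HashMap::new() }
    }

    /// Pre-execution check. Spend gates run first so a paid action that is
    /// already blocked is denied outright instead of being queued for approval.
    pub fn check(&mut self, agent: &str, kind: &str, cost_cents: u64) -> Verdict {
        if cost_cents > 0 {
            if self.kill_switch { return Verdict::Denied("spend kill switch active"); }
            let spent = self.spent_cents.get(agent).copied().unwrap_or(0);
            if spent.saturating_add(cost_cents) > self.spend_cap_cents {
                return Verdict::Denied("per-agent spend cap exceeded");
            }
        }
        match classify(kind) {
            Risk::High => Verdict::NeedsApproval, // spend is committed only after a human approves
            _ => { self.commit(agent, cost_cents); Verdict::Allow }
        }
    }

    /// Record spend for an action that ran (or was approved to run).
    pub fn commit(&mut self, agent: &str, cost_cents: u64) {
        *self.spent_cents.entry(agent.to_string()).or_insert(0) += cost_cents;
    }
}
```

Because unknown action kinds map to High, a new capability that is wired into the runtime but not yet classified is held for approval rather than silently allowed.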