Layered Defense Overview
The security model is distributed across several specialized crates and subsystems that cooperate to validate every action an agent proposes.| Layer | Component | Responsibility |
|---|---|---|
| Authorization | palyra-policy | Deny-by-default access control using the Cedar policy engine. |
| Safety | palyra-safety | Real-time inspection for prompt injection and secret leaks. |
| Secrets | palyra-vault | Secure storage and envelope encryption for sensitive credentials. |
| Identity | palyra-identity | mTLS-based device pairing and service authentication. |
| Network | palyra-egress-proxy | Fine-grained outbound traffic control and DNS rebinding protection. |
System Security Flow
The following diagram illustrates how a tool execution request moves through the security layers within thepalyra-daemon.
Diagram: Tool Execution Security Pipeline
Sources: crates/palyra-policy/src/lib.rs#138-144, crates/palyra-safety/src/lib.rs#1-9, crates/palyra-daemon/src/application/tool_runtime/workspace_file.rs#31-33
Cedar Policy Engine and Access Control
The authorization core is built on Amazon Cedar, a logic-based policy language. Every request (Principal, Action, Resource) is denied by default. The engine evaluates aPolicyRequest against an embedded baseline policy set.
- Posture Management: Tools can be set to
AlwaysAllow,AskEachTime(requiring human approval), orDisabled. - Sensitive Actions: Certain operations (e.g.,
memory.purge) are hardcoded as sensitive and require explicit approval flags in thePolicyEvaluationConfig.
Safety Boundary and Content Inspection
Thepalyra-safety crate provides a runtime boundary that inspects text at three phases: PrePrompt, PreExecution, and Export.
- Injection Detection: Uses
PROMPT_INJECTION_RULESto detect attempts to override system instructions or exfiltrate data. - Secret Redaction: Automatically identifies and masks credentials (e.g., API keys, Bearer tokens) using
redact_text_for_exportbefore they are returned to the LLM or shown in the UI. - Trust Labels: Content is tagged with
TrustLabel(e.g.,System,User,UnprivilegedTool) to determine which safety rules apply.
Vault, Secrets, and Identity
Palyra ensures that agents never handle raw credentials. Thepalyra-vault crate manages secrets using envelope encryption, often backed by OS-native stores (like Keychain or Secret Service).
- Identity: The
palyra-identitycrate manages a private Device CA. Communication between the CLI, Daemon, and Workers is secured via mTLS. - Secret Resolution: Tools receive
vault_refidentifiers. TheSecretResolveronly expands these into real values at the moment of execution, keeping them out of the agent’s context and theJournalStore.
Egress Proxy and Network Controls
Outbound network access is strictly controlled by thepalyra-egress-proxy. This is critical for tools like palyra.http.fetch and the browser automation subsystem.
- DNS Pinning: Prevents DNS rebinding attacks by validating IP addresses before connection.
- Private IP Blocking: By default, agents are blocked from accessing local network resources (192.168.x.x, 10.x.x.x) unless explicitly allowlisted.
- Credential Injection: The proxy can inject credentials directly from the Vault into outgoing requests, ensuring the agent never sees the token.
Filesystem Security and Scoping
Filesystem tools (palyra.fs.*) implement strict path normalization and containment checks. The workspace_scope module ensures that agents are confined to specific project roots.
Diagram: Path Resolution and Containment
Sources: crates/palyra-daemon/src/application/tool_runtime/workspace_file.rs#3-9, crates/palyra-daemon/src/application/tool_runtime/os_file.rs#7-10, crates/palyra-daemon/src/application/tool_runtime/workspace_scope.rs#10-16