Skip to content

Security: stephenlthorn/AI-Team-Orchestrator

Security

docs/security.md

Security Boundaries and Safety Patterns

The public demo intentionally uses in-memory gateways, but the execution model is designed as if it were operating against live systems.

Capability-first execution

Every task declares the capabilities it requires. Agent sessions are created with an explicit capability set. The policy engine checks the requested task against the granted capabilities and fails closed.

Practical effect:

  • a read-only GitHub agent cannot open a PR
  • a briefing agent cannot place portfolio actions unless explicitly granted
  • a personal assistant agent can read wearable context without being able to modify unrelated systems

Session isolation

Each spawned agent has its own session id and history. Persistent memory is bounded to that session; one-shot specialists do not inherit unrelated context.

This matters because multi-agent systems become brittle when state leaks across workflows. A PR review agent should not inherit portfolio notes, and a trading workflow should not inherit inbox context.

Redaction before surfacing

Results are sanitized before they are logged or returned. The demo redactor handles several common secret patterns and is easy to extend.

The architectural point is more important than the regex list: logs should be treated as an exposure boundary.

Auditability

Every execution path records:

  • actor
  • task name
  • outcome
  • timestamp
  • redacted detail

This makes the system easier to debug and easier to trust.

Simulated writes in the public repo

The public repo deliberately stops short of touching real external systems. “Open PR” and “rebalance portfolio” are represented as simulated actions that still produce human-readable artifacts.

That is the right boundary for a portfolio project because it proves the integration pattern without requiring real credentials or risky side effects.

Additional hardening I would apply in production

  • connector-specific service accounts
  • expiring credentials and secret managers
  • approval gates for destructive operations
  • structured traces and replayable audit events
  • rate limiting and backoff on external systems
  • per-domain data retention rules

There aren't any published security advisories