
Security Boundaries

Security in Agirunner is mostly about boundary discipline.

That means the first question is rarely “what crypto primitive do we use?” The first question is usually “which layer should own this decision, and what data should cross the boundary?”

The platform owns authentication, API scopes, workflow records, operator actions, and integration configuration.

It is the trust boundary for public product access. Browser sessions, API keys, route scopes, workflow state, and operator-visible records all live here.

The runtime executes claimed tasks in isolated environments with workspace and tool boundaries, then reports results back.

This is where execution-layer protections become real: filesystem containment, shell validation, credential scoping, secret redaction, resource limits, and bounded task execution.

Taken together, the boundary discipline looks like this:

  • operators and API clients talk to the platform
  • runtimes consume explicit execution contracts from the platform
  • task execution happens in isolated environments
  • secrets and credentials are resolved into the correct boundary instead of being baked into prompts or images
  • logs and artifacts are captured and presented deliberately, not inferred from model prose
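As an added example, not code from the Agirunner project: a minimal runtime-side consumer of an execution contract, written in Python, that exercises the boundaries listed above in one place: filesystem containment, credential scoping, secret redaction, bounded execution, and explicit capture of results instead of model prose. The contract fields, the helper names, the workspace layout and the choice of Python are all assumptions made for this example.

```python
"""Added example (not Agirunner's own code): a runtime-side consumer of an
execution contract. The contract shape, helper names and workspace layout
are assumptions made for this example."""
from __future__ import annotations

import os
import subprocess
import sys
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExecutionContract:
    """What the platform hands the runtime (assumed shape): the task, its
    workspace root, the secrets scoped to this task, and a time budget."""
    task_id: str
    workspace: str
    argv: list[str]
    secrets: dict[str, str] = field(default_factory=dict)
    timeout_s: float = 30.0


@dataclass
class TaskResult:
    """What crosses back to the platform: captured output, not a description
    of what happened written by the model."""
    task_id: str
    exit_code: int | None
    stdout: str
    stderr: str
    timed_out: bool


def contain_path(workspace: str, candidate: str) -> str:
    """Filesystem containment: resolve `candidate` under the workspace and
    reject anything that escapes it, including ../ and symlink escapes."""
    root = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(root, candidate))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{candidate!r} escapes workspace {root}")
    return target


def redact(text: str, secrets: dict[str, str]) -> str:
    """Secret redaction: every secret value is replaced before the text
    crosses the runtime -> platform boundary."""
    for name, value in secrets.items():
        if value:
            text = text.replace(value, f"<redacted:{name}>")
    return text


def _as_text(data: bytes | str | None) -> str:
    # subprocess.TimeoutExpired may carry bytes even in text mode.
    if data is None:
        return ""
    return data.decode(errors="replace") if isinstance(data, bytes) else data


def run_contract(contract: ExecutionContract) -> TaskResult:
    """Execute one task inside the contract's boundaries and report back."""
    if not contract.argv or any(not isinstance(a, str) for a in contract.argv):
        raise ValueError("argv must be a non-empty list of strings")
    cwd = contain_path(contract.workspace, ".")
    # Credential scoping: the child sees PATH plus this task's secrets only;
    # nothing else from the runtime's own environment is inherited.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), **contract.secrets}
    try:
        # Shell validation: argv runs directly, no shell string is assembled.
        proc = subprocess.run(contract.argv, cwd=cwd, env=env, capture_output=True,
                              text=True, timeout=contract.timeout_s, check=False)
        out, err, code, timed_out = proc.stdout, proc.stderr, proc.returncode, False
    except subprocess.TimeoutExpired as exc:
        # Bounded execution: the child has been killed; report what was captured.
        out, err, code, timed_out = _as_text(exc.stdout), _as_text(exc.stderr), None, True
    return TaskResult(contract.task_id, code, redact(out, contract.secrets),
                      redact(err, contract.secrets), timed_out)


def demo() -> dict:
    """Exercise the boundaries with constructed input; returns the results."""
    py = sys.executable
    with tempfile.TemporaryDirectory() as ws:
        # Constructed task: a child that echoes its scoped secret to stdout.
        leaked = run_contract(ExecutionContract(
            "t1", ws, [py, "-c", "import os; print('token=' + os.environ['API_TOKEN'])"],
            secrets={"API_TOKEN": "s3cr3t-value"}))
        slow = run_contract(ExecutionContract(
            "t2", ws, [py, "-c", "import time; time.sleep(5)"], timeout_s=0.5))
        try:
            contain_path(ws, "../outside")
            escape_blocked = False
        except PermissionError:
            escape_blocked = True
    return {"stdout": leaked.stdout, "exit_code": leaked.exit_code,
            "timed_out": slow.timed_out, "escape_blocked": escape_blocked}


if __name__ == "__main__":
    print(demo())
```

The point of the example is where each decision lives: the platform decides what the contract contains, the runtime enforces it, and the only thing that crosses back is the captured, redacted output plus an exit status. The child still receives the real secret in its environment, so redaction is a boundary control for what leaves the runtime, not a substitute for scoping which secrets the contract carries in the first place.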

When the boundaries are clear, the product gets safer and more understandable at the same time:

  • operators know which API or UI surface owns a decision
  • runtimes do not need to guess workflow meaning
  • secrets are injected deliberately instead of leaking across layers
  • evidence remains trustworthy because outputs are captured explicitly