TRUST

We publish our security posture.

Three audits on ourselves. Closed items cite commit SHA. Open items cite the design doc. No marketing language, no hidden methodology.

Last refreshed: 2026-06-04 · HEAD at audit: 978b310

Closed

What is wired

Each row links to the commit. The commit message carries the file:line evidence.

c66eecc · P0a-MCP-SCOPING

Per-employee MCP tool scoping

MCPToolRegistry.call_tool enforces employee_ids allowlist + 13-tool backfill for the 4 substantive executing employees. Closes the LLM06 (excessive agency) lane.

e470de8 · P0c-BOUNDARY

BoundarySanitizer wired at tool-result boundaries

Three handoff sites now sanitize untrusted tool output before it crosses back to the planner. Closes the LLM01 (indirect prompt injection) lane that was DEAD pre-commit.

38a6734 · P0d-WATCHER

AgentWatcher.on_tool_invocation gates

Six high-risk bare call sites now route through the watcher (rate, scope, kill-switch). Closes the unobserved-tool-call lane.

d132e09 · P0-JWT-MOUNT

JWT acting_employee_id claim — verifier + issuer

JWT now carries the acting employee identity end-to-end. Verifier + issuer wired together; first-party caller migration tracked separately.

f8d2f7a · P0-PKCE-OAUTH

PKCE (RFC 7636 S256) on inbound OAuth login

Google + Microsoft login now use PKCE with S256. Slack remains an explicit opt-out with a warning surface. Closes the OAuth-code-interception lane.
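An added example (not code from this page or the project) of the PKCE S256 flow the item above refers to, in Python: the client keeps the verifier, sends only its SHA-256 challenge at authorization, and the server binds that challenge to the code it issues so the code alone cannot be redeemed. The in-memory code store and the function names are assumptions for the demo; the RFC 7636 Appendix B test vector is used to check the challenge derivation.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier() -> str:
    """Client side: 32 random bytes, base64url without '=' padding gives 43 chars,
    all from the RFC 7636 unreserved set [A-Za-z0-9-._~]."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(stored_challenge: str, method: str, verifier: str) -> bool:
    """Server side at the token endpoint: only S256 is accepted (never 'plain'),
    the verifier length is bounded per section 4.1, and the comparison is constant-time."""
    if method != "S256" or not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(verifier), stored_challenge)


# Hypothetical store of pending authorization codes: code -> (challenge, method).
# A real deployment would persist and expire these; constructed here for the demo.
_PENDING: dict = {}


def authorize(challenge: str, method: str = "S256") -> str:
    """Authorization request: the server binds the presented challenge to a fresh code."""
    code = secrets.token_urlsafe(16)
    _PENDING[code] = (challenge, method)
    return code


def exchange(code: str, verifier: str) -> bool:
    """Token exchange: the code is single-use and must arrive with the matching verifier."""
    entry = _PENDING.pop(code, None)  # consumed whether or not verification succeeds
    if entry is None:
        return False
    challenge, method = entry
    return verify_code_verifier(challenge, method, verifier)


def demo() -> tuple:
    """Returns (legit exchange, replay of the same code, exchange with a wrong verifier)."""
    legit = make_verifier()
    code = authorize(s256_challenge(legit))
    first = exchange(code, legit)          # True: verifier matches the bound challenge
    replay = exchange(code, legit)         # False: code already consumed
    other_code = authorize(s256_challenge(make_verifier()))
    mismatch = exchange(other_code, legit)  # False: code seen, verifier unknown
    return first, replay, mismatch
```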

4271d42 · P0-MS-CALLBACK

Outlook OAuth callback path corrected

Renamed callback to /microsoft/outlook/callback. Microsoft SSO login was silently broken since a7bf3be; fix-forward only, no rollback required.

70a5b86 · P0-WaveB-KDF

NIST 800-63B password KDF + orchestrator integration

Bcrypt with sha256 pre-hash (dodges the 72-byte truncation collision). PBKDF2 legacy hashes recognized + transparently rehashed on login. Rate limits on /login, /forgot-password, /reset-password, /verify-email.

82ecb79 · P1-AUTH-AUDIT

Auth event frozen taxonomy + ComplianceEngine sink

emit_auth_event helper plus a 15-entry frozen AUTH_EVENT_TYPES taxonomy. Auth router emits at login / logout / reset / verify / impersonation. SOC 2 Type II evidence shape.

5dc369a · P1-EMPLOYEE-AUDIT

Employee event frozen taxonomy + emit helper

EMPLOYEE_EVENT_TYPES 10-event frozen taxonomy plus emit_employee_event helper. Pairs with the auth taxonomy as the second half of the audit-evidence surface.

3d03093 · P1-GDPR-DSR

GDPR Art 20 portability + Art 17 erasure endpoints

Data Subject Request endpoints shipped. Portability dumps the user record set; erasure tombstones identifiers and redacts audit references.

52720dc · P1-OTEL-SEMCONV

OpenTelemetry GenAI semconv dual-emit

otel_tracing.trace_llm_call now emits GenAI semantic conventions alongside our internal spans. Vendor-neutral OTel exporters can consume our traces unchanged.

Open

What is open

Honest residuals. Each item carries a remediation status, not a target date we cannot commit to.

HIBP breached-password screening

NIST 800-63B Rev. 4 requires breached-password screening on register + reset. Currently not performed. Half-day effort (k-anonymity API); dispatched as P2-HIBP.

Status
Queued — P2 lane in flight
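An added example (not code from this page or the project) of the k-anonymity screening the item above describes, in Python: only the first five hex characters of the password's SHA-1 leave the host, the returned range is matched locally, and zero-count padding rows are dropped. The range-API response body is a constructed stand-in, and `live_fetch_range`, `breach_count` and `reject_on_register` are hypothetical names.

```python
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 split into the 5-char prefix that is sent and the
    35-char suffix that never leaves the host (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Response lines are 'SUFFIX:COUNT'. With 'Add-Padding: true' the server mixes
    in zero-count decoy rows, which must be dropped before matching."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            table[suffix.upper()] = int(count)
    return table


def live_fetch_range(prefix: str) -> str:
    """Network fetcher (not exercised offline): only the prefix is transmitted."""
    req = Request(RANGE_URL + prefix, headers={"Add-Padding": "true", "User-Agent": "hibp-check"})
    with urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = live_fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def reject_on_register(password: str, fetch_range: Callable[[str], str] = live_fetch_range) -> bool:
    """Policy hook for register/reset: any non-zero breach count rejects the password."""
    return breach_count(password, fetch_range) == 0


# Constructed stand-in for the range API (not real HIBP output): the real suffix of
# SHA-1("password") with a constructed count, one unrelated row, one zero-count padding row.
_DECOY_ROW = "0" * 32 + "ABC:12"
_PADDING_ROW = "F" * 35 + ":0"
_CONSTRUCTED_BODY_5BAA6 = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" + _DECOY_ROW + "\r\n" + _PADDING_ROW + "\r\n"


def constructed_fetch_range(prefix: str) -> str:
    if prefix == "5BAA6":
        return _CONSTRUCTED_BODY_5BAA6
    return _DECOY_ROW + "\r\n" + _PADDING_ROW + "\r\n"
```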

12-month audit-log retention

ComplianceEngine is in-memory at _MAX_AUDIT_ENTRIES = 50,000. Production traffic evicts before any SOC 2 Type II observation window completes. DB-backed sink design landed.

Status
Design doc shipped (commit 2a5fba1) — implementation queued post-launch, pre-Type-II observation window
docs/design/AUDIT_SINK_DESIGN_2026_06_04.md

HITL interrupt primitive

Cross-platform HITL exists at our planner boundary, but the LangGraph-style interrupt + checkpointer primitive is not yet a first-class API for employee builders. Dispatched as P2-HITL-INTERRUPT + P2-EMPLOYEE-REFUSE.

Status
In flight — landing this week

argon2id memory-hard KDF migration

Bcrypt with sha256 pre-hash is a defensible deviation from the memory-hard KDFs that NIST 800-63B § 5.1.1.2 recommends as a SHOULD. The argon2id migration follows the same shape as the PBKDF2-to-bcrypt transparent rehash already shipped.

Status
Post-launch — ~1 day effort

Formal SOC 2 Type II report

Type II requires 6 to 12 months of OBSERVED control operation. Architecture is designed against the Trust Service Criteria; the audit sink + frozen taxonomies are the evidence shape. Observation window begins post-launch.

Status
Pursuing — observation window scheduled post-launch

Formal ISO 27001 certification

Information security management system controls map to our existing security layer. External certification body engagement queued post-launch.

Status
Working towards

Methodology

How these audits were produced

Every claim in the three linked audit documents is grounded at file:line in our repository. External standards claims cite the canonical URL on the standards body's domain. Where a source could not be fetched, the audit explicitly says so rather than fabricating depth.

Each commit SHA referenced on this page is clickable to the commit on GitHub. The commit message carries the file:line evidence for the change. The shipped closures section is not a marketing list — it is the actual commit log.

The audits were produced under the same discipline we apply to all engineering work: VERIFY (check before asserting), CITE (file:line or canonical URL), ATTACK (steelman the opposite frame before recommending), CONFIDENCE (state uncertainty bands explicitly), SCOPE (no bonus tangents). The competitive audit redacts page-level competitor claims behind a GitHub link so the document is reachable for due diligence without being a social-media artifact.

Audit date: 2026-06-04 · HEAD at audit: 978b310 · This page tracks master.

Security questionnaire or review call

Request our security questionnaire, penetration test summary, or schedule a review call with the team.


Responsible disclosure

Found a vulnerability? Email us. We do not currently run a paid bounty program; we acknowledge disclosure with a credit on this page (opt-in) once remediated.

For data-handling details, see our Privacy Policy and Terms.