Security
The technical companion to the security overview. Waveguide’s design goal: the dangerous failure modes of an autonomous agent must be impossible by architecture, not discouraged by prompt.
Isolation
Each tenant’s agent runs in a dedicated Firecracker micro-VM with its own persistent volume. VM networking is default-deny (nftables): the only egress is the proxy endpoint, authenticated per session. There is no shared compute between tenants and no route from the sandbox to the public internet.
Idle machines suspend after 5 minutes and are snapshot-and-destroyed after 24 hours — a cold tenant has no running attack surface at all.
Credential custody
- OAuth tokens are captured at connect time by the OAuth broker and immediately custodied into the vault.
- The vault uses envelope encryption: per-tenant AES-256-GCM data keys, wrapped by a master key held only by the control plane. Blobs are useless without both layers.
- The model never receives credentials. Requests leave the sandbox unauthenticated; the egress proxy resolves the tenant’s grant, decrypts the token, injects it, forwards the call, and logs the event. Token and prompt never coexist.
Capability tokens
Every session runs under a short-lived (15-minute) capability token declaring exactly which providers, scopes, and maximum risk tier that session may touch — scoped to what the triggering event needs (a digest session gets read-only grants; a message session gets more). Escalation beyond the grant is not self-serve: it requires an approval. The kill switch revokes the token instantly; in-flight calls fail closed.
Risk-tier enforcement
Actions are classified T0 (read) → T3 (irreversible/financial). The proxy — not the model, not the prompt — refuses T2/T3 calls that lack a signed, single-use approval token minted only when a human clicks Approve. Tokens are bound to a specific approval id and tenant, expire in 15 minutes, and are consumed atomically (double-click can’t double-run; a leaked token is useless after first use).
Quarantine of untrusted content
Email bodies, scraped pages, and webhook payloads are untrusted input — the classic prompt-injection vector. Before untrusted content can influence a T2/T3 action, it passes through a quarantine reader: a separate, tool-less model that extracts it into typed fields marked tainted. Tainted data flowing into a risky action forces an approval, and the approval card shows the taint warning. An injected email can, at absolute worst, cause a question to you — never an action.
Anomaly containment
Independent of approvals, the control plane watches for behavioral anomalies — send bursts, off-hours side effects, spend spikes — and auto-pauses the tenant: capability token revoked, machine suspended, session marked. Resuming requires explicit human acknowledgement.
Webhooks and inbound email
All inbound webhooks are signature-verified (Slack signing secret, Stripe HMAC, Telegram secret token, provider-specific schemes) and fail closed — unknown or unsigned senders are dropped silently. Inbound email requires DKIM verification and a match against your tenant’s dedicated address.
Dashboard auth
Sign-in is via single-use email links (15-minute expiry, hash-stored, consumed atomically). Sessions are tenant-scoped 30-day JWTs, and “Sign out everywhere” in Settings invalidates every outstanding session instantly. The programmatic access key is SHA-256 hash-stored, rotatable, and shown exactly once at creation.
Audit and data lifecycle
Every tool call, proxy request, approval, policy change, wake, and kill is written to an append-only audit log (archived to cold storage after 90 days). Export produces a complete bundle — sessions, audit, spend, connections metadata, workspace. Delete purges workspace, vault blobs, connections, approvals, policies, ledger, history, and destroys the machine. Both are self-serve.
Subprocessors
Cloudflare (control plane, storage), Fly.io (sandboxes), Anthropic (models), Stripe (billing), Nango (OAuth broker), Postmark (inbound email), Resend (outbound email), Slack/Telegram (channels you connect). Full roles in the Privacy Policy and DPA terms in the DPA.
Security questions or disclosures: hello@waveguide.adwave.com.