The Trust Stack

Six layers of security from tool verification to hardware isolation. Every layer is independently auditable, formally specified, and enforced at runtime.

01

SchemaPin

MCP tool verification anchored to DNS. Servers publish cryptographic hashes of their tool schemas at a well-known endpoint. Agents verify tool definitions haven't been tampered with before every invocation — preventing tool poisoning, schema injection, and silent parameter mutation. 

# Discovery: GET https://api.example.com/.well-known/schemapin.json
{
  "schema_version": "0.2.0",
  "tool_pins": {
    "get_weather": {
      "hash": "sha256:a1b2c3d4e5f6...89ab",
      "description_hash": "sha256:f6e5d4c3b2a1...0987"
    }
  },
  "signing_keys": [{
    "kid": "key-2025-03",
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"
  }]
}
02

AgentPin

ES256 cryptographic identity for every agent. Each agent holds a domain-anchored key pair verified through DNS. Credentials are issued as compact JWTs — no central authority, no shared secrets, no trust-on-first-use. Identity is provable and revocable. 

# Generate an agent identity
$ symbi keygen --domain agents.example.com --agent-id planner-01

# Output: ES256 JWT credential
{
  "alg": "ES256",
  "kid": "agents.example.com#planner-01"
}
{
  "iss": "agents.example.com",
  "sub": "planner-01",
  "iat": 1711036800,
  "capabilities": ["plan", "delegate", "read:tools"],
  "sandbox_tier": 2
}
03

ToolClad

Declarative tool interface contracts that replace wrapper scripts and ad-hoc MCP schemas. Each .clad.toml manifest defines typed parameters, command construction, output parsing, and policy metadata. The LLM fills parameters — the executor validates and constructs commands. The dangerous action cannot be expressed because the interface does not permit it. 

# tools/nmap_scan.clad.toml
[tool]
name = "nmap_scan"
risk_tier = "low"
timeout_seconds = 300

[tool.cedar]
resource = "PenTest::ScanTarget"
action = "execute_tool"

[args.target]
type = "scope_target"    # validated IP/CIDR/hostname
required = true

[args.scan_type]
type = "enum"
allowed = ["ping", "service", "syn"]
04

Cedar Policy Engine

Formal authorization with Cedar — the same policy language used by AWS Verified Permissions. Every agent action is evaluated against a policy set before execution. Default-deny. Policies are version-controlled, auditable, and evaluated in microseconds. 

// Allow planners to invoke approved tools
permit(
  principal in Agent::"planner",
  action == Action::"invoke_tool",
  resource in ToolSet::"approved"
) when {
  principal.sandbox_tier >= 2
};

// Deny all agents from executing shell commands
forbid(
  principal,
  action == Action::"invoke_tool",
  resource == Tool::"shell_exec"
);
05

CommunicationPolicyGate

Inter-agent governance that controls who can talk to whom and what they can ask for. Prevents privilege escalation through delegation chains, blocks unauthorized lateral movement between agents, and enforces communication boundaries at the message level. 

# symbiont.toml — communication policy rules
[[communication_policy.rules]]
from = "worker-*"
to   = "planner"
action = "delegate"
effect = "deny"
reason = "Workers cannot delegate tasks to the planner"

[[communication_policy.rules]]
from = "planner"
to   = "worker-*"
action = "delegate"
effect = "allow"
max_depth = 2
06

Multi-Tier Sandboxing

Three isolation levels matched to risk. Tier 1: Docker containers for standard workloads. Tier 2: gVisor for system-call filtering with a user-space kernel. Tier 3: Firecracker microVMs for full hardware-level isolation. Each agent's tier is declared in policy and enforced at spawn. 

# symbiont.toml — sandbox configuration
[sandbox]
default_tier = 2

[sandbox.tier1]
runtime = "docker"
memory_limit = "512MB"
network = "bridge"

[sandbox.tier2]
runtime = "gvisor"
memory_limit = "1GB"
network = "none"
syscall_filter = true

[sandbox.tier3]
runtime = "firecracker"
memory_limit = "2GB"
network = "none"
vcpu_count = 2
kernel = "vmlinux-5.10"
07

Audit Trail

Every agent action produces a tamper-evident log entry with cryptographic integrity. Entries are hash-chained — modifying any record breaks the chain. Designed for compliance teams who need provable records of what every agent did, when, and under which policy. 

{
  "event_id": "evt_8f3a1b2c",
  "timestamp": "2025-03-19T14:32:01.847Z",
  "agent": "planner-01",
  "action": "invoke_tool",
  "resource": "get_weather",
  "decision": "allow",
  "policy": "policy://approved-tools/v3",
  "sandbox_tier": 2,
  "duration_ms": 142,
  "prev_hash": "sha256:e3b0c44298fc1c14...",
  "entry_hash": "sha256:9f86d081884c7d65..."
}
Read the full security model