Built to fail closed.
ProtocolOps products are designed for controlled execution, auditability, and predictable behavior. When uncertainty exists, capability tightens. Nothing “just happens.”
Core principles
- Default deny by design
- Explicit authority for sensitive actions
- Fail-closed safety under uncertainty
- Clear operator control and visibility
What we optimize for
- Auditability over magic
- Integrity over convenience
- Deterministic limits and timeouts
- Minimal surface area and clear contracts
Aegis Arbiter security model
Governed execution
Tool access is mediated through a single gateway with enforcement, logging, and denial paths.
Approvals
Risky operations can require explicit approval. Proposal and execution are separable.
Killability
Runs can be stopped. When halted, further actions are denied and recorded.
Logging and evidence
Runs produce structured evidence bundles and audit logs. This is designed to support review, accountability, and reconstruction after the fact.
- Append-only audit stream (tamper-evident chain)
- Evidence bundle per run (evidence.json + artifacts)
- Denials and blocks are recorded as first-class outcomes
Data handling
- Local-first operation is the default posture.
- Logs should avoid secrets and sensitive payloads where possible.
- Retention and storage location are operator-controlled in deployment.
If you need stricter guarantees for a specific deployment, we can document a hardening profile.
Responsible disclosure
If you believe you’ve found a security issue, email security@protocolops.com with details and reproduction steps. We’ll respond as quickly as possible.