Security at Prix

How we protect agents, agent state, and your users' data.

Prix is infrastructure for AI agents. Security is not an add-on — it is the architecture. This page documents what we actually enforce and where to find the evidence in the codebase.

Container Signing

Every container is signed at publish, verified on install.

When an agent is published to the Prix registry, prix/api signs the container payload using Ed25519. The signature is appended as a footer to the .rush container file before it reaches object storage.

On install and on discovery, rush/cli calls VerifyContainerSignatureOptional against the embedded public key. A container with an invalid signature is silently dropped — it never runs.

// harness/pack/sign.go:10 (excerpt; Footer, SigEd25519 and AddFooter live elsewhere in the package)
func SignEd25519(container []byte, priv ed25519.PrivateKey, keyID string) ([]byte, error) {
    // The excerpt elides how the unsigned bytes are prepared; the whole
    // unsigned container, manifest included, is what gets signed.
    unsigned := container
    sig := ed25519.Sign(priv, unsigned)
    footer := Footer{Algorithm: SigEd25519, KeyID: keyID, Signature: sig}
    return AddFooter(unsigned, footer)
}

// harness/pack/sign.go:33 (excerpt)
func VerifySignature(container []byte, pub ed25519.PublicKey) (*Footer, error) {
    // The excerpt elides parsing the footer off the container; splitFooter is an
    // assumed helper name that returns the signed bytes and the parsed footer.
    signed, f, err := splitFooter(container)
    if err != nil {
        return nil, err
    }
    if !ed25519.Verify(pub, signed, f.Signature) {
        return nil, fmt.Errorf("signature verification failed")
    }
    return f, nil
}

The embedded public key lives in harness/pack/keys.go:21 (HaloProxyPublicKeyPEM). Changing the manifest after signing invalidates the footer — the manifest is part of what gets signed.
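The sign-then-footer flow above, as a complete, runnable example added here (it is not harness/pack code). The footer layout, the footerMagic marker, the key id and the manifest bytes are all constructed for the example; the point it demonstrates is the one the text makes: the manifest is inside the signed bytes, so editing it after publish invalidates the footer.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Footer layout assumed for this example (appended after the payload):
//   keyID || signature(64 bytes) || keyID length (uint16, big-endian) || footerMagic
const footerMagic = "RUSHSIG1"

type Footer struct {
	KeyID     string
	Signature []byte
}

// AddFooter appends the footer to the unsigned container bytes.
func AddFooter(unsigned []byte, f Footer) ([]byte, error) {
	if len(f.KeyID) > 0xFFFF || len(f.Signature) != ed25519.SignatureSize {
		return nil, errors.New("invalid footer fields")
	}
	var keyLen [2]byte
	binary.BigEndian.PutUint16(keyLen[:], uint16(len(f.KeyID)))
	out := append([]byte(nil), unsigned...)
	out = append(out, f.KeyID...)
	out = append(out, f.Signature...)
	out = append(out, keyLen[:]...)
	return append(out, footerMagic...), nil
}

// SplitFooter separates the bytes that were signed from the trailing footer.
func SplitFooter(container []byte) ([]byte, *Footer, error) {
	trailer := ed25519.SignatureSize + 2 + len(footerMagic)
	if len(container) < trailer || !bytes.HasSuffix(container, []byte(footerMagic)) {
		return nil, nil, errors.New("no signature footer")
	}
	magicAt := len(container) - len(footerMagic)
	keyLen := int(binary.BigEndian.Uint16(container[magicAt-2 : magicAt]))
	sigStart := magicAt - 2 - ed25519.SignatureSize
	keyStart := sigStart - keyLen
	if keyStart < 0 {
		return nil, nil, errors.New("corrupt footer")
	}
	f := &Footer{KeyID: string(container[keyStart:sigStart]), Signature: container[sigStart : magicAt-2]}
	return container[:keyStart], f, nil
}

// SignEd25519 signs the whole unsigned container, manifest included, and appends the footer.
func SignEd25519(unsigned []byte, priv ed25519.PrivateKey, keyID string) ([]byte, error) {
	return AddFooter(unsigned, Footer{KeyID: keyID, Signature: ed25519.Sign(priv, unsigned)})
}

// VerifySignature strips the footer and checks the signature over what remains.
func VerifySignature(container []byte, pub ed25519.PublicKey) (*Footer, error) {
	signed, f, err := SplitFooter(container)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, signed, f.Signature) {
		return nil, fmt.Errorf("signature verification failed")
	}
	return f, nil
}

// DemoTamper signs a constructed manifest, verifies it, then edits one byte of
// the manifest and shows that the unchanged footer no longer verifies.
func DemoTamper() (validOK, tamperRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	manifest := []byte(`{"name":"example-agent","network":["api.example.com"]}`) // constructed
	container, err := SignEd25519(manifest, priv, "example-key-1")
	if err != nil {
		return false, false, err
	}
	f, err := VerifySignature(container, pub)
	validOK = err == nil && f.KeyID == "example-key-1"

	tampered := append([]byte(nil), container...)
	tampered[len(manifest)-1] ^= 0x01 // change the manifest after signing
	_, err = VerifySignature(tampered, pub)
	tamperRejected = err != nil
	return validOK, tamperRejected, nil
}

func main() {
	ok, rejected, err := DemoTamper()
	fmt.Println("valid verifies:", ok, "| tampered rejected:", rejected, "| error:", err)
}
```

The verifier parses the footer from the end of the file rather than trusting any length field in the payload, so a container that is merely truncated or has bytes appended is rejected as "no signature footer" before any cryptography runs.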

Sandbox Model

The manifest declares. The runtime enforces. At the syscall boundary.

Every Prix agent declares its permissions in a manifest before it is signed. Those declarations become the sandbox — not a policy engine, but a hard runtime boundary enforced beneath the model:

  • Network filter: drops connections to any domain not in the manifest. fetch("api.evil.com") returns DNS failure, not a helpful error.
  • Tool registry: only resolves tools the manifest declared. The LLM does not even see undeclared tools exist.
  • Filesystem jail: maps the agent's view of disk to a sandbox directory. fs.readFile("/etc/passwd") resolves to a path that does not exist.
  • Shell policy: returns operation not permitted if the agent tries to spawn a process without shell: true.

None of this is visible in the agent's code. The sandbox wraps it beneath the execution layer.
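The four checks in the list above, as one runnable example added here; it is not the Prix runtime, and the Manifest shape, the Sandbox type, the jail root /sandbox/agent-1 and the sample manifest are constructed for the example. It shows the behaviour the text describes from the agent's side: an undeclared host fails like a DNS lookup, undeclared tools are filtered out before the model sees a registry, "/etc/passwd" maps to a path inside the jail, and process spawning is refused without shell: true.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// Manifest is a reduced form of what an agent declares; the shape is assumed for this example.
type Manifest struct {
	Network []string // hostnames the agent may connect to
	Tools   []string // tool names the agent may resolve
	Shell   bool     // whether the agent may spawn processes
}

// Sandbox enforces a Manifest beneath the agent's code.
type Sandbox struct {
	Manifest Manifest
	Root     string // jail directory every agent-visible path is mapped into
}

var ErrNotPermitted = errors.New("operation not permitted")

// AllowFetch permits only hosts listed in the manifest. A denial is shaped like
// a DNS failure, which is all the agent gets to see.
func (s Sandbox) AllowFetch(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil || u.Host == "" { // bare hostname, as in fetch("api.evil.com")
		u, err = url.Parse("https://" + rawURL)
	}
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("fetch: invalid url %q", rawURL)
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	for _, allowed := range s.Manifest.Network {
		if host == strings.ToLower(allowed) {
			return nil
		}
	}
	return fmt.Errorf("fetch %s: no such host", host)
}

// VisibleTools filters a registry down to what the manifest declared;
// anything else is never offered to the model.
func (s Sandbox) VisibleTools(registry map[string]string) map[string]string {
	visible := make(map[string]string)
	for _, name := range s.Manifest.Tools {
		if desc, ok := registry[name]; ok {
			visible[name] = desc
		}
	}
	return visible
}

// JailPath maps an agent-visible path into the jail: "/etc/passwd" becomes
// "<Root>/etc/passwd" and ".." cannot climb above Root. A real runtime must
// also resolve symlinks (filepath.EvalSymlinks) before trusting the result.
func (s Sandbox) JailPath(agentPath string) (string, error) {
	clean := filepath.Clean("/" + agentPath) // rooted, ".." collapsed against "/"
	mapped := filepath.Join(s.Root, clean)
	rel, err := filepath.Rel(s.Root, mapped)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrNotPermitted
	}
	return mapped, nil
}

// Spawn refuses process creation unless the manifest set shell: true.
func (s Sandbox) Spawn(command string) error {
	if !s.Manifest.Shell {
		return ErrNotPermitted
	}
	return nil // a real runtime would exec here, still inside the jail
}

// NewDemoSandbox builds a sandbox from a constructed manifest that declares one
// host, one tool and no shell.
func NewDemoSandbox() Sandbox {
	return Sandbox{
		Manifest: Manifest{Network: []string{"api.example.com"}, Tools: []string{"search"}},
		Root:     "/sandbox/agent-1",
	}
}

func main() {
	sb := NewDemoSandbox()
	fmt.Println(sb.AllowFetch("https://api.example.com/v1")) // <nil>
	fmt.Println(sb.AllowFetch("api.evil.com"))               // fetch api.evil.com: no such host
	fmt.Println(sb.VisibleTools(map[string]string{"search": "web search", "deploy": "push a release"}))
	fmt.Println(sb.JailPath("/etc/passwd"))      // /sandbox/agent-1/etc/passwd
	fmt.Println(sb.JailPath("../../etc/passwd")) // same path: traversal goes nowhere
	fmt.Println(sb.Spawn("ls"))                  // operation not permitted
}
```

The jail mapping relies on cleaning the path against "/" first, so "../../etc/passwd" and "/etc/passwd" land on the same in-jail location; the filepath.Rel check is a second guard in case Root itself is ever unclean.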

Deep dive: Inside agent sandboxes →

Identity Model

Agents are deputies, not principals.

Prix uses a delegated token model. When a user grants an agent access to a resource, the agent receives a scoped token — not the user's credentials. The agent acts on behalf of the user within the bounds of that delegation.

This means an agent cannot escalate its own access. It cannot use its token to provision new credentials. It cannot outlast the delegation window. The user remains the principal; the agent is a deputy.
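A scoped delegation token of the kind described above, as an added example that is not Prix's token implementation. The Delegation shape, the HMAC-over-JSON token format, the key and the calendar scopes are constructed for the example. It demonstrates the four properties the text lists: the agent can use the delegated scope, cannot use one it was not given, cannot widen its own token because it never holds the issuing key, and cannot use the token past the delegation window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Delegation is what the agent receives instead of the user's credentials:
// User lets Agent exercise Scopes until Expires (shape assumed for this example).
type Delegation struct {
	User    string   `json:"user"`
	Agent   string   `json:"agent"`
	Scopes  []string `json:"scopes"`
	Expires int64    `json:"exp"` // unix seconds
}

var enc = base64.RawURLEncoding

// Issue runs on the platform, which alone holds key; the agent never sees it,
// so it cannot mint a fresh token or widen the one it was given.
func Issue(d Delegation, key []byte) (string, error) {
	payload, err := json.Marshal(d)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks the MAC before anything else, then the delegation window.
func Verify(token string, key []byte, now time.Time) (*Delegation, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	payload, err1 := enc.DecodeString(parts[0])
	got, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	if !hmac.Equal(got, mac.Sum(nil)) {
		return nil, errors.New("token integrity check failed")
	}
	var d Delegation
	if err := json.Unmarshal(payload, &d); err != nil {
		return nil, err
	}
	if !now.Before(time.Unix(d.Expires, 0)) {
		return nil, errors.New("delegation window has closed")
	}
	return &d, nil
}

// Authorize decides whether token lets agent perform scope right now.
func Authorize(token string, key []byte, agent, scope string, now time.Time) error {
	d, err := Verify(token, key, now)
	if err != nil {
		return err
	}
	if d.Agent != agent {
		return errors.New("token was issued to a different agent")
	}
	for _, s := range d.Scopes {
		if s == scope {
			return nil
		}
	}
	return fmt.Errorf("scope %q was not delegated", scope)
}

// DemoDelegation exercises the properties the text lists: the delegated scope
// works, an undeclared scope is refused, a token the agent edited to add a
// scope is refused, and the token stops working once the window closes.
func DemoDelegation() (readOK, writeDenied, editedDenied, expiredDenied bool, err error) {
	key := []byte("platform-only-secret (constructed)") // never handed to the agent
	now := time.Unix(1_700_000_000, 0)
	d := Delegation{User: "alice", Agent: "calendar-agent", Scopes: []string{"calendar:read"},
		Expires: now.Add(15 * time.Minute).Unix()}
	tok, err := Issue(d, key)
	if err != nil {
		return
	}
	readOK = Authorize(tok, key, "calendar-agent", "calendar:read", now) == nil
	writeDenied = Authorize(tok, key, "calendar-agent", "calendar:write", now) != nil
	// The agent rewrites its payload to claim calendar:write but cannot recompute the MAC.
	d.Scopes = append(d.Scopes, "calendar:write")
	edited, _ := json.Marshal(d)
	editedTok := enc.EncodeToString(edited) + tok[strings.Index(tok, "."):]
	editedDenied = Authorize(editedTok, key, "calendar-agent", "calendar:write", now) != nil
	expiredDenied = Authorize(tok, key, "calendar-agent", "calendar:read", now.Add(time.Hour)) != nil
	return
}

func main() {
	fmt.Println(DemoDelegation())
}
```

Verify checks the MAC before decoding the JSON so that an edited payload is never interpreted, and the expiry comparison uses the caller's clock rather than anything inside the token.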

Deep dive: Agents are deputies →

Signed State

Agent checkpoints are signed. Tampering breaks the chain.

Long-running agents checkpoint their state between steps. Those checkpoints are signed, creating a verifiable chain of custody from initial invocation to final output. If a checkpoint is modified — by a compromised runtime, a malicious plugin, or a storage-layer attack — the chain breaks and the session is invalidated rather than silently corrupted.
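A hash-linked chain of signed checkpoints, as an added example that is not Prix's signed-state format. The Checkpoint layout, the canonical encoding and the three sample states are constructed for the example, and it assumes the signing key is held by a component separate from whatever writes the state. It demonstrates what the text describes: editing one checkpoint in storage, without re-signing, makes verification fail at that step instead of passing silently.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Checkpoint is one signed step of agent state. Prev is the hash of the
// previous checkpoint's signed bytes, which is what links the chain.
// The format is an assumption for this example.
type Checkpoint struct {
	Index uint64
	Prev  [sha256.Size]byte
	State []byte
	Sig   []byte
}

// signedBytes is the canonical encoding the signature covers: index || prev || state.
func (c Checkpoint) signedBytes() []byte {
	buf := make([]byte, 8, 8+sha256.Size+len(c.State))
	binary.BigEndian.PutUint64(buf, c.Index)
	buf = append(buf, c.Prev[:]...)
	return append(buf, c.State...)
}

// AppendCheckpoint signs the next step and links it to the previous one. The
// signing key is assumed to be held by a component separate from whatever
// writes the state; otherwise a compromise of that component could re-sign.
func AppendCheckpoint(chain []Checkpoint, state []byte, priv ed25519.PrivateKey) []Checkpoint {
	next := Checkpoint{Index: uint64(len(chain)), State: state}
	if len(chain) > 0 {
		next.Prev = sha256.Sum256(chain[len(chain)-1].signedBytes())
	}
	next.Sig = ed25519.Sign(priv, next.signedBytes())
	return append(chain, next)
}

// VerifyChain walks from the initial invocation and returns the index of the
// first checkpoint at which the chain breaks, or -1 if it is intact. Dropping
// checkpoints from the tail is not something the chain alone can detect; the
// verifier also needs to know the expected head.
func VerifyChain(chain []Checkpoint, pub ed25519.PublicKey) (int, error) {
	var prev [sha256.Size]byte
	for i, c := range chain {
		switch {
		case c.Index != uint64(i):
			return i, fmt.Errorf("checkpoint %d: index mismatch", i)
		case !bytes.Equal(c.Prev[:], prev[:]):
			return i, fmt.Errorf("checkpoint %d: previous hash mismatch", i)
		case !ed25519.Verify(pub, c.signedBytes(), c.Sig):
			return i, fmt.Errorf("checkpoint %d: signature invalid", i)
		}
		prev = sha256.Sum256(c.signedBytes())
	}
	return -1, nil
}

// DemoChain builds a three-step chain, verifies it, then edits the state of
// step 1 in place and reports where verification fails.
func DemoChain() (intactAt, tamperedAt int, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, 0, err
	}
	var chain []Checkpoint
	for _, s := range []string{`{"step":0}`, `{"step":1,"approved":false}`, `{"step":2,"done":true}`} { // constructed
		chain = AppendCheckpoint(chain, []byte(s), priv)
	}
	intactAt, _ = VerifyChain(chain, pub)
	chain[1].State = []byte(`{"step":1,"approved":true}`) // storage-layer edit, no re-signing
	tamperedAt, _ = VerifyChain(chain, pub)
	return intactAt, tamperedAt, nil
}

func main() {
	fmt.Println(DemoChain())
}
```

Because each Prev hash covers the previous checkpoint's index, hash and state, replacing a middle checkpoint with a different but validly signed one from another session is also caught, at the next step, as a previous-hash mismatch.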

Deep dive: Signed state →

Subprocessors

We are explicit about who we share data with.

Prix relies on a small set of third-party subprocessors — infrastructure, LLM providers, payments, and observability. Every subprocessor is bound by a written agreement with equivalent security and confidentiality protections.

We give existing customers at least 30 days' notice before adding or replacing a subprocessor that processes customer personal data.

View full subprocessor list →

Responsible Disclosure

Found something? Tell us.

If you discover a security vulnerability in Prix, please report it to [email protected]. We target a 24-hour acknowledgement for all reports.

Please include a description of the issue, steps to reproduce, and — if available — a proof of concept. We will work with you to understand and address the issue before any public disclosure.

What we ask: Give us reasonable time to investigate before publishing. We will credit researchers who report valid issues.

What we do not claim.

We do not currently hold SOC 2, ISO 27001, or HIPAA certifications. Prix is not a HIPAA-covered Business Associate and we do not sign BAAs. If your use case requires these certifications, check back — we are building toward them.