Security model
agentrc decouples security intent from runtime implementation.
Boundary types
| Boundary | Declared as | Enforced by |
|---|---|---|
| Tool access | TOOL, POLICY | runner/tool gateway |
| Filesystem access | MOUNT, POLICY | runner/sandbox/filesystem layer |
| Network egress | URL, POLICY | runner/network policy |
| Secrets | CRED, POLICY | runner network-layer substitution |
| Rate limits | RATELIMIT | runner/gateway |
| Resource limits | LIMIT | runner/substrate |
| Audit | AUDIT | runner/audit sink |
Policy profile
Cedar is the default policy profile because it is explicit, machine-evaluable, and well-suited to deny-by-default authorization.
```cedar
permit(
    principal == AgentRC::Agent::"code-reviewer",
    action == AgentRC::Action::"tool.invoke",
    resource == AgentRC::Tool::"file_read"
) when {
    context.path like "/workspace/*"
};
```
Runner obligation
A runner claiming security-profile conformance must fail closed when it cannot understand, translate, or enforce a declared boundary.
Important: agentrc declares the security contract. It does not claim that every runner can enforce every boundary. That is why runner conformance is profile-based.
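One way a runner could implement the fail-closed obligation as a pre-flight check. This is an added example, not agentrc's own code. The directive names come from the boundary table above; `Runner`, `preflight`, the enforcer keys and the `(directive, argument)` input shape are hypothetical.

```python
from dataclasses import dataclass, field

# Directive -> enforcing component, following the boundary table above.
# The component keys are hypothetical names for this example.
ENFORCER_FOR = {
    "TOOL": "tool_gateway",
    "MOUNT": "filesystem_sandbox",
    "URL": "network_policy",
    "CRED": "credential_substitution",
    "RATELIMIT": "gateway_rate_limiter",
    "LIMIT": "substrate_limits",
    "AUDIT": "audit_sink",
}

# Constructed sample: (directive, argument) pairs as a parser might emit them.
SAMPLE_DECLARATIONS = [
    ("TOOL", "file_read"),
    ("POLICY", "cedar"),
    ("MOUNT", "/workspace"),
    ("AUDIT", "stdout"),
]

@dataclass
class Runner:
    enforcers: set                                       # components implemented
    policy_profiles: set = field(default_factory=set)    # e.g. {"cedar"}

class BoundaryNotEnforceable(Exception):
    """Raised before the agent starts; lists every unmet boundary."""

def preflight(declarations, runner):
    problems = []
    for directive, arg in declarations:
        if directive == "POLICY":
            # Cannot translate: the runner does not evaluate this profile.
            if arg not in runner.policy_profiles:
                problems.append(f"POLICY: unsupported profile {arg!r}")
        elif directive not in ENFORCER_FOR:
            # Cannot understand: an unknown directive is never skipped.
            problems.append(f"{directive}: unknown directive")
        elif ENFORCER_FOR[directive] not in runner.enforcers:
            # Cannot enforce: understood, but the component is missing.
            problems.append(f"{directive}: no {ENFORCER_FOR[directive]}")
    if problems:
        raise BoundaryNotEnforceable("; ".join(problems))
    return True
```

The check collects every unmet boundary before raising, so an operator sees the full gap between the declared contract and the runner in one refusal.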