Security Gate
Mandatory security checkpoint for all agent operations. Enforces OPA policies, verifies agent identity via mTLS, logs all operations to an immutable audit log, and applies guardrails before any agent executes. ALL agent spawning MUST route through this gate.
Core Principle
DENY BY DEFAULT. ALLOW ONLY WHEN ALL CHECKS PASS.
Every agent spawn, tool execution, and resource access must pass through this gate. It prevents unauthorized agent spawning, policy violations, lateral movement from compromised agents, and unaudited operations.
Mandatory Checks (In Order)
- Request Validation: Valid JSON format, known requesting agent, target agent exists
- Identity Verification (mTLS): Certificate present, valid, chain verified, CN matches claimed identity
- OPA Policy Check: Operation allowed by policy, resource access permitted, rate limits respected
- Audit Logging: All decisions logged to immutable audit trail
Decision Outcomes
- ALLOW + SPAWN: All checks pass, agent spawned with audit trail
- DENY + BLOCK: Policy violation, operation blocked and logged
- ESCALATE + ALERT: Suspicious pattern detected, security team notified
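The ordered checks and the three outcomes above, sketched as a deny-by-default pipeline. This is an added example, not the gate's own code. Assumptions: the agent names, the `POLICY` set (a stand-in for an OPA query), the rate limit value, treating a CN mismatch as the suspicious pattern that escalates, and a hash-chained list standing in for the immutable audit log.

```python
import hashlib, json

KNOWN_AGENTS = {"planner", "coder", "reviewer"}   # constructed agent registry
POLICY = {("planner", "spawn", "coder"), ("coder", "spawn", "reviewer")}  # stand-in for OPA
RATE_LIMIT = 2                                    # assumed: allowed operations per requester

def _digest(rec):
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Gate:
    def __init__(self):
        self.audit, self.counts = [], {}          # hash-chained log, per-agent counters

    def _log(self, decision, reason, raw):        # check 4: every decision is recorded
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        rec = {"decision": decision, "reason": reason, "request": raw, "prev": prev}
        rec["hash"] = _digest(rec)
        self.audit.append(rec)
        return decision

    def evaluate(self, raw, peer_cn):
        # peer_cn: CN of the client certificate the TLS layer already validated
        # (chain and expiry); None means no valid certificate was presented.
        try:                                      # check 1: request validation
            req = json.loads(raw)
            src, op, dst = req["agent"], req["operation"], req["target"]
            if not all(isinstance(v, str) for v in (src, op, dst)):
                raise TypeError("fields must be strings")
        except (ValueError, KeyError, TypeError):
            return self._log("DENY", "malformed request", raw)
        if src not in KNOWN_AGENTS or dst not in KNOWN_AGENTS:
            return self._log("DENY", "unknown agent", raw)
        if peer_cn is None:                       # check 2: identity verification
            return self._log("DENY", "no verified certificate", raw)
        if peer_cn != src:                        # assumed escalation trigger
            return self._log("ESCALATE", "CN does not match claimed identity", raw)
        if (src, op, dst) not in POLICY:          # check 3: policy, then rate limit
            return self._log("DENY", "operation not permitted by policy", raw)
        if self.counts.get(src, 0) >= RATE_LIMIT:
            return self._log("DENY", "rate limit exceeded", raw)
        self.counts[src] = self.counts.get(src, 0) + 1
        return self._log("ALLOW", "all checks passed", raw)

def verify_chain(audit):
    prev = "0" * 64
    for rec in audit:                             # an edited record or a gap breaks the chain
        if rec["prev"] != prev or rec["hash"] != _digest(rec):
            return False
        prev = rec["hash"]
    return True
```

Every return path goes through `_log`, so a request that fails an early check is still recorded, and there is no code path that returns ALLOW without passing all prior checks.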