Beige is designed with the assumption that an agent might go rogue. Every layer is built to contain damage even in the worst case.
Defense in Depth
What an Agent CAN Do
What an Agent CANNOT Do
Threat Model
Threat: Agent tries to read API keys
Threat: Agent spoofs identity to use another agent’s tools
Each agent has its own Unix socket file. The gateway creates one socket per agent and mounts it into the corresponding container. The gateway knows which agent sent a request by which socket server received it — not by any field in the request payload.Threat: Agent modifies tool launcher to skip gateway
Threat: Agent exfiltrates data via network
Current stance: Network is open. Allexec curl/exec wgetcalls are logged as core tool calls. Future phases will add network-level controls.
Threat: Agent escapes Docker container
This is a Docker-level concern, not Beige-specific. Mitigations:- Use rootless Docker or Podman (future)
- Don’t run containers as root (future hardening)
- Keep Docker and kernel updated
- Don’t mount the Docker socket into containers (enforced)
Secrets Flow
Secrets exist only in the gateway process memory. They are resolved from environment variables at startup, used to configure the pi SDK and plugin channels, and never passed to any sandbox container.
Audit Log
Every tool invocation produces a JSONL audit entry at~/.beige/logs/audit.jsonl.
