Security & Isolation

Security Under the Hood

Executing agentic operations requires interacting with codebases, databases, and third-party APIs. Niyatna OS structures every agent workspace sandbox with multi-layered containment.

1. Sandbox Containment

• Isolated Containers: Agents run inside ephemeral, hardware-isolated containers (Niyatna Agent). They cannot escape the container host or access sibling workspaces.
• Network Restrictions: Outbound internet access is disabled by default. If a task requires fetching external packages, the agent operates in an approval-restricted network gateway.
• Directory Locks: File access is restricted strictly to the workspace assigned to the task. Agents cannot traverse directories outside their root project path.

2. Human-in-the-Loop Validation

• Permission Gates: Niyatna OS configures agent runtimes with specific policy templates. High-risk actions (such as deploying code, database writes, or running external shell scripts) are staged and require human approval.
• Verification Layer: Every output undergoes validation check gates under the Proof of Intent standard. We review diffs, screenshots, terminal scrollbacks, and source citations before accepting a task as complete.

3. Credentials & API Governance

• No Plaintext Storage: API keys and service accounts are managed via secure secrets engines. They are never written to disk, committed to source repositories, or logged in transcripts.
• Least-Privilege Roles: When granting agents access to cloud providers (e.g. AWS, GCP) or SaaS tools (e.g. GitHub, Slack), LocalRoute configures IAM roles and keys with the narrowest scope possible.

Vulnerability Reporting

If you find a security vulnerability or have concerns about how an integration is structured, please write to us directly at security@niyatna.xyz so we can address it immediately.