Security
Our Security Promise
Security is at the core of Katachi. We employ a Zero Trust architecture where your identity is bound to your physical hardware, ensuring that your credentials cannot be stolen or reused on other devices.
Zero Trust Architecture
- Hardware-Bound Credentials: Access tokens are encrypted using a key derived from your device's unique hardware fingerprint.
- Device Fingerprinting: Every agent registration is cryptographically tied to a specific machine. Moving the agent to another device invalidates the credentials.
- Secure Encrypted Tunnels: All remote access is tunneled through a secure, encrypted network. No ports are ever opened on your local machine.
- Allowlist-Based Execution: A security layer intercepts all commands, only allowing a strict allowlist of safe operations.
Platform Isolation
We utilize OS-native mechanisms to isolate the agent's execution environment:
- Linux: Uses namespace isolation to separate the process, filesystem, and network.
- macOS: Uses native sandboxing with strict profiles to limit file and resource access.
- Windows: Relies on the command allowlist and filesystem blocklists to prevent unauthorized access.
Data Protection
- Local-First Code: Your source code remains on your machine. We only process it ephemerally for LLM context.
- Encrypted Storage: Credentials are stored locally using AES-256-GCM encryption.
- Audit Logging: A comprehensive audit log is maintained locally, recording every file access and command execution.
- Filesystem Controls: Strict blocklists prevent the agent from reading sensitive files (environment files, SSH keys, cloud credentials).
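
The following is an added example, not Katachi's code, of how a token encrypted with AES-256-GCM under a key derived from a device fingerprint stops decrypting when the stored blob is moved to another machine. The fingerprint strings, the use of HKDF-SHA256 as the key derivation step, the blob layout and the function names are assumptions made for the illustration; the page does not specify them.

```javascript
const { createCipheriv, createDecipheriv, hkdfSync, randomBytes } = require("node:crypto");

// Constructed sample fingerprints. Assumption: a fingerprint is a stable
// string assembled from hardware identifiers of the machine.
const DEVICE_A = "board-serial:CONSTRUCTED-A|cpu:CONSTRUCTED-1";
const DEVICE_B = "board-serial:CONSTRUCTED-B|cpu:CONSTRUCTED-2";

// Derive a 256-bit key from the fingerprint. The salt is random per blob
// and stored next to the ciphertext; the info string separates key uses.
function deriveKey(fingerprint, salt) {
  const okm = hkdfSync("sha256", Buffer.from(fingerprint, "utf8"), salt,
                       "credential-store-v1", 32);
  return Buffer.from(okm);
}

// Blob layout (assumed): salt(16) | iv(12) | tag(16) | ciphertext.
function sealToken(token, fingerprint) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv("aes-256-gcm", deriveKey(fingerprint, salt), iv);
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Returns the token, or null if the blob is truncated, was modified, or
// was sealed under a different fingerprint (GCM tag check fails).
function openToken(blob, fingerprint) {
  if (blob.length < 44) return null;
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const ct = blob.subarray(44);
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(fingerprint, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: treat the credential as invalid
  }
}

const sealed = sealToken("tok_constructed_123", DEVICE_A);
console.log("same device :", openToken(sealed, DEVICE_A));
console.log("other device:", openToken(sealed, DEVICE_B));
```

In this example the binding is only as strong as the fingerprint inputs: if they can be read and copied along with the blob, the key can be recomputed elsewhere, which is why such designs are often paired with a hardware-held key.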
Infrastructure Security
- Identity Management: Enterprise-grade identity management for user authentication.
- Secure Communication: All traffic is encrypted via TLS 1.3.
Vulnerability Reporting
If you discover a security vulnerability, please report it to: security@katachi.live
We take all reports seriously and will respond within 24 hours.
Last updated: January 12, 2026