Security & trust
The boundary
is the design.
Liria’s security posture is not a feature bolted on after the fact — it is how the runtime works. Isolation, authorization, cost, and forensics are mechanical constraints in the host. This page is honest about what ships in v0.1.0 and what is still roadmap.
See also: The four laws of the host (/product)
The trust boundary
Four mechanisms govern what an agent can do and prove what it did. Each is enforced by the runtime, not by convention.
Isolation
The WASM sandbox is the boundary
Each agent is a wasmtime instance — shared-nothing, no global state. It cannot read another agent’s memory or reach a host capability it was not granted. The sandbox is the mechanism, not a setting you can forget to enable.
wasmtime
Authorization
Capability-scoped host functions
Network, disk, and spawn are host functions gated by policy interceptors — a firewall in front of every effect an agent can have on the world. An agent reaches exactly what its policy allows and nothing beyond it.
policy interceptor
Cost
Fuel metering bounds execution
Wasmtime fuel and memory metering cap an agent at the instruction level. When the budget hits zero the agent traps. A runaway loop or a compromised plan cannot consume unbounded resources — the ceiling is mechanical.
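The passage above describes the mechanism rather than showing it, so here is an added illustration that is not Liria's code and does not use wasmtime: a constructed register machine whose interpreter charges one fuel unit per instruction and caps the number of memory cells an agent may touch. The instruction set, the one-unit cost model and the `memory_limit_cells` ceiling are assumptions made for the example; the point it demonstrates is that a runaway loop and a memory hog both end in a trap at a fixed cost, with no cooperation from the program.

```python
class Trap(Exception):
    """Raised when the program crosses a mechanical limit (fuel or memory)."""


class FuelMeter:
    """Decrements a budget before every instruction; exhaustion is a trap."""

    def __init__(self, budget: int):
        self.remaining = budget

    def consume(self, units: int = 1) -> None:
        if self.remaining < units:
            self.remaining = 0
            raise Trap("out of fuel")
        self.remaining -= units


def run(program, fuel_budget, memory_limit_cells=64):
    """Execute a constructed register-machine program under fuel and memory caps.

    Instructions (all assumed for this example, each costing one fuel unit):
      ("set", reg, value)            reg = value
      ("add", reg, value)            reg += value
      ("store", addr_reg, val_reg)   mem[regs[addr_reg]] = regs[val_reg]
      ("jmp", target)                pc = target
      ("jlt", reg, value, target)    if regs[reg] < value: pc = target
      ("halt",)                      stop and return registers
    """
    fuel = FuelMeter(fuel_budget)
    regs, mem, pc = {}, {}, 0
    while True:
        fuel.consume()  # charged before the instruction runs, so a loop cannot outrun it
        if pc < 0 or pc >= len(program):
            raise Trap("pc out of range")
        ins = program[pc]
        op = ins[0]
        if op == "set":
            regs[ins[1]] = ins[2]
            pc += 1
        elif op == "add":
            regs[ins[1]] = regs.get(ins[1], 0) + ins[2]
            pc += 1
        elif op == "store":
            mem[regs[ins[1]]] = regs[ins[2]]
            if len(mem) > memory_limit_cells:  # memory ceiling is mechanical too
                raise Trap("memory limit exceeded")
            pc += 1
        elif op == "jmp":
            pc = ins[1]
        elif op == "jlt":
            pc = ins[3] if regs.get(ins[1], 0) < ins[2] else pc + 1
        elif op == "halt":
            return {"regs": regs, "fuel_left": fuel.remaining}
        else:
            raise Trap(f"illegal instruction {op!r}")


def run_guarded(program, fuel_budget, memory_limit_cells=64):
    """Host-side wrapper: a trap is an outcome the host records, not a crash."""
    try:
        return "ok", run(program, fuel_budget, memory_limit_cells)
    except Trap as trap:
        return "trap", str(trap)


# Constructed sample programs.
COUNT_TO_TEN = [("set", "r0", 0), ("add", "r0", 1), ("jlt", "r0", 10, 1), ("halt",)]
RUNAWAY = [("jmp", 0)]  # never halts on its own
MEMORY_HOG = [("set", "a", 0), ("set", "v", 7), ("store", "a", "v"), ("add", "a", 1), ("jmp", 2)]

if __name__ == "__main__":
    print(run_guarded(COUNT_TO_TEN, fuel_budget=100))
    print(run_guarded(RUNAWAY, fuel_budget=50))
    print(run_guarded(MEMORY_HOG, fuel_budget=1000, memory_limit_cells=16))
```

The bounded program finishes with fuel to spare; the runaway loop traps after exactly `fuel_budget` instructions no matter what it contains; the memory hog traps on the first store past the cell ceiling even though it still has fuel. Wasmtime's real fuel accounting charges per instruction in the same spirit, but the numbers here come from this example's cost model only.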
fuel budget
Forensics
Every turn is a recorded fact
Turn records capture input, output, and a state hash. replay verify lets a third party prove a run reproduces byte-identically. You audit by re-running, not by trusting a log narrator.
turn record
IPC token authorization
The daemon exposes a token-gated Unix-socket IPC. Liveness probes stay open so the control plane can always tell a live agent from a dead one; everything else requires the token.
LIRIAD_IPC_TOKEN
When set, protected JSON and legacy commands require a matching token at the socket.
Ping / Health
Always token-exempt — liveness must answer even when authorization is in question.
Status (protected)
Succeeds only when the supplied token matches; mismatched or absent tokens are refused.
Unix socket
IPC is a local Unix-domain socket, not a network port. The trust boundary starts at the socket.
Legacy plain-text commands remain accepted for backwards compatibility under token mode, with the same liveness exemptions. The boundary is the socket and the token — not the wire format.
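The rules above (liveness exempt, status protected, same decision for JSON and legacy plain-text messages) as an added example, not the daemon's own code: one authorization function shared by both wire formats, with the token compared in constant time. The JSON shape `{"cmd": ..., "token": ...}`, the legacy shape `cmd [token]` and the status payload are assumptions made for this example; the only real name it uses is the `LIRIAD_IPC_TOKEN` environment variable from the page.

```python
import hmac
import json
import os

# Commands that must answer even when authorization is in question.
LIVENESS_COMMANDS = {"ping", "health"}
# Commands gated by the token once token mode is enabled.
PROTECTED_COMMANDS = {"status"}


def parse_request(raw: bytes):
    """Parse one IPC message into (command, supplied_token).

    Two wire formats are accepted (both assumed shapes for this example):
    a JSON object {"cmd": "...", "token": "..."} and a legacy plain-text
    line "cmd [token]".  Unparseable input yields (None, None).
    """
    text = raw.decode("utf-8", errors="replace").strip()
    if text.startswith("{"):
        try:
            obj = json.loads(text)
        except json.JSONDecodeError:
            return None, None
        cmd = obj.get("cmd")
        token = obj.get("token")
        return (cmd.lower() if isinstance(cmd, str) else None,
                token if isinstance(token, str) else None)
    parts = text.split(maxsplit=1)
    if not parts:
        return None, None
    return parts[0].lower(), (parts[1] if len(parts) > 1 else None)


def authorize(cmd, supplied_token, configured_token) -> bool:
    """One decision for every wire format: the boundary is the token, not the syntax."""
    if cmd in LIVENESS_COMMANDS:
        return True  # liveness is always token-exempt
    if configured_token is None:
        return True  # LIRIAD_IPC_TOKEN unset: token mode is off
    if supplied_token is None:
        return False  # absent token is refused, never treated as empty
    # Constant-time comparison so a mismatch does not leak by timing.
    return hmac.compare_digest(supplied_token.encode(), configured_token.encode())


def handle_request(raw: bytes, configured_token=None) -> dict:
    """Dispatch one message; unknown commands are refused before authorization."""
    cmd, token = parse_request(raw)
    if cmd is None or cmd not in (LIVENESS_COMMANDS | PROTECTED_COMMANDS):
        return {"ok": False, "error": "unknown command"}
    if not authorize(cmd, token, configured_token):
        return {"ok": False, "error": "unauthorized"}
    if cmd in LIVENESS_COMMANDS:
        return {"ok": True, "cmd": cmd, "alive": True}
    return {"ok": True, "cmd": cmd, "agents": 3}  # constructed status payload


if __name__ == "__main__":
    token = os.environ.get("LIRIAD_IPC_TOKEN", "constructed-demo-token")
    for msg in (b"ping", b'{"cmd":"status"}', b"status wrong-token",
                b'{"cmd":"status","token":"%s"}' % token.encode()):
        print(msg, "->", handle_request(msg, token))
```

Two details matter for a defender reading this: a missing token is refused outright rather than compared against the configured value, and the command allowlist is checked before authorization, so the token never becomes a gate for arbitrary commands.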
Persistence & state
Agents are shared-nothing. State is serialized through orthogonal persistence (“hyper-sleep”) and rooted under an explicit data directory you control.
Explicit data root
Trust and replay state live under LIRIAD_DATA_DIR. Revocations persist to revocations.json there; nothing is written to surprise locations.
Shared-nothing agents
No global state. An agent’s memory is its own; the host reads it for introspection via layout.json, but agents cannot reach each other’s.
Immediate revocation
trust revoke forces a score to 0.00 and the daemon honors it without a restart — a kill path that does not wait for a redeploy.
Replay over trust
A turn record is verified by re-running it, not by trusting the record. The audit does not require trusting the daemon as a narrator.
v0.1.0 maturity
What is enforced today, what is roadmap, and where determinism stops. We would rather you know the limits than discover them.
Enforced today: WASM sandbox, capability-gated host functions, fuel/memory metering, token-gated IPC, trust scoring with immediate revocation, deterministic replay with BLAKE3 turn records.
Roadmap: Signed-artifact verification before instantiation, secure enclaves (Nitro / SGX), and proof-carrying outcomes are Epoch-3+ roadmap items — not in v0.1.0. We do not claim them.
Where determinism stops: Determinism is scoped to the platform. An LLM is not deterministic; Liria records its full I/O (model id, params, prompt, tool results) as input and replays the platform’s decisions around it.
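The turn-record model described under Forensics and Replay over trust, and the scoping rule just above (the LLM's I/O is part of the recorded input, the platform's decision around it is what gets replayed), as an added example that is not Liria's code. The record layout, the hash chain, the constructed policy step and the sample inputs are all assumptions made for this example; `hashlib.blake2b` stands in for BLAKE3 because it ships in the Python standard library.

```python
import hashlib
import json


def digest(data: bytes) -> str:
    """Stand-in for BLAKE3 (assumption for this example): standard-library blake2b."""
    return hashlib.blake2b(data, digest_size=32).hexdigest()


def canonical(obj) -> bytes:
    """Canonical JSON so the same state always hashes to the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


INITIAL_STATE = {"turn": 0, "notes": []}


def step(state, turn_input):
    """Constructed deterministic platform step.

    The LLM reply (model id, params, prompt, response) is *input* to this step,
    so the non-deterministic part is recorded, and the platform's own decision,
    which tool calls the policy allows, is pure and reproducible.
    """
    reply = turn_input["llm"]["response"]
    allowed = set(turn_input["policy"]["tools"])
    requested = reply.get("tool_calls", [])
    output = {"executed": [c for c in requested if c in allowed],
              "denied": [c for c in requested if c not in allowed]}
    new_state = {"turn": state["turn"] + 1, "notes": state["notes"] + [reply["text"]]}
    return new_state, output


def record_run(inputs):
    """Run the turns once and emit a hash-chained turn record per turn."""
    state = INITIAL_STATE
    prev = digest(canonical(state))
    records = []
    for i, turn_input in enumerate(inputs):
        state, output = step(state, turn_input)
        rec = {"turn": i + 1, "input": turn_input, "output": output,
               "prev_hash": prev, "state_hash": digest(canonical(state))}
        rec["record_hash"] = digest(canonical(rec))
        records.append(rec)
        prev = rec["state_hash"]
    return records


def replay_verify(records):
    """Re-run from the initial state and compare every turn byte-for-byte.

    Nothing in the record is trusted on its own: the chain, the output and
    the state hash are all recomputed by a third party from the inputs.
    """
    state = INITIAL_STATE
    prev = digest(canonical(state))
    for rec in records:
        where = f"turn {rec['turn']}"
        if rec["prev_hash"] != prev:
            return False, f"{where}: chain broken"
        state, output = step(state, rec["input"])
        if output != rec["output"]:
            return False, f"{where}: output differs"
        if digest(canonical(state)) != rec["state_hash"]:
            return False, f"{where}: state hash differs"
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if digest(canonical(body)) != rec["record_hash"]:
            return False, f"{where}: record hash differs"
        prev = rec["state_hash"]
    return True, "reproduced byte-identically"


# Constructed sample turns: same model settings, two different replies.
SAMPLE_INPUTS = [
    {"llm": {"model": "constructed-model-v1", "params": {"temperature": 0.2},
             "prompt": "list files",
             "response": {"text": "Listing.", "tool_calls": ["fs.list"]}},
     "policy": {"tools": ["fs.list"]}},
    {"llm": {"model": "constructed-model-v1", "params": {"temperature": 0.2},
             "prompt": "now delete them",
             "response": {"text": "Deleting.", "tool_calls": ["fs.delete"]}},
     "policy": {"tools": ["fs.list"]}},
]

if __name__ == "__main__":
    records = record_run(SAMPLE_INPUTS)
    print(replay_verify(records))
    records[1]["output"]["executed"] = ["fs.delete"]  # tamper with the log
    print(replay_verify(records))
```

The second run shows why replay beats a log narrator: editing a record's output to claim the denied call was executed is caught because the verifier recomputes the decision from the recorded LLM reply and policy instead of reading the claim.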
Responsible disclosure
Found a hole? Tell us first.
If you find a security issue — in the sandbox boundary, the policy interceptors, the IPC token model, or the replay chain — report it before disclosing publicly. Liria is open source; the issue tracker and security policy live in the repository.
Security policy on GitHub