Security Guide
Savine treats security as a first-class feature. Every execution is containerised, network egress is tightly controlled, and permissions are granularly enforced.
Security Levels
You define the security_level inside the config block of your agent.json.
| Level | Network | File System | Available Tools | Max Timeout |
|---|---|---|---|---|
| low | All outbound allowed | Full R/W /workspace | Standard + All Custom | 3600s |
| medium | All outbound allowed | Restricted /sandbox | Standard only | 1200s |
| high (Default) | Allowlisted domains only | Read Only | Hand-curated safe list | 300s |
| critical | Blocked | Blocked | Deterministic logic only | 60s |
Sandbox Isolation (gVisor)
Every tool execution (e.g., python_exec) runs in an ephemeral Linux container.
- Savine uses gVisor, an application kernel that provides an additional layer of isolation between the container and the host OS.
- Container escapes against a shared host kernel are a recurring class of vulnerability in standard Docker deployments. Routing the sandbox's syscalls through gVisor's application kernel shrinks the host kernel surface that sandboxed code can reach, which mitigates that class.
- Sandboxes are never reused across tasks: the environment is destroyed as soon as a step completes.
Network Policies
The strongest defense against exfiltration is strict egress filtering. At the high security level, you must declare the outbound domains the http_request tool may reach:

```json
"config": {
  "security_level": "high",
  "allowed_domains": ["api.stripe.com", "api.github.com"]
}
```

Any ACT attempt by the LLM to reach a domain that is not on the list raises a SecurityViolationError, which blocks that execution step.
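The following is an added example of how an egress allowlist check of this kind can be enforced; it is not Savine's implementation. It assumes a hypothetical SecurityViolationError class, an http_request tool call represented as a dict with a "url" field, and the allowed_domains list from the config block above. The point it makes is that the decision must be taken on the parsed hostname, never on a substring of the raw URL, so that lookalike and credential-in-URL tricks are rejected.

```python
"""Illustrative egress allowlist gate for an http_request-style tool (added example)."""
from urllib.parse import urlsplit


class SecurityViolationError(Exception):
    """Hypothetical: raised when a tool call would reach a destination outside the allowlist."""


# Mirrors the allowed_domains list from the config block above.
ALLOWED_DOMAINS = frozenset({"api.stripe.com", "api.github.com"})


def check_egress(url: str, allowed_domains=ALLOWED_DOMAINS) -> str:
    """Return the normalised hostname if `url` may be fetched, otherwise raise.

    Comparing the parsed hostname (lower-cased, userinfo and port stripped)
    rejects https://api.stripe.com.evil.example/ (lookalike suffix) and
    https://api.stripe.com@evil.example/ (allowed name placed in the userinfo).
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise SecurityViolationError(f"scheme {parts.scheme!r} is not permitted: {url}")
    try:
        host, port = parts.hostname, parts.port  # .port raises ValueError on e.g. ':abc'
    except ValueError as exc:
        raise SecurityViolationError(f"malformed authority in {url}") from exc
    if not host or host not in allowed_domains:
        raise SecurityViolationError(f"host {host!r} is not in allowed_domains: {url}")
    if port not in (None, 443):
        raise SecurityViolationError(f"port {port} is not permitted: {url}")
    return host


def is_allowed(url: str, allowed_domains=ALLOWED_DOMAINS) -> bool:
    """Boolean form of check_egress, convenient for policy tests."""
    try:
        check_egress(url, allowed_domains)
    except SecurityViolationError:
        return False
    return True


def run_http_request(tool_call: dict, allowed_domains=ALLOWED_DOMAINS) -> dict:
    """Gate an ACT-step http_request before any socket is opened.

    A blocked call is returned as a structured result rather than silently
    dropped, so the violation is visible in the execution trace.
    """
    url = tool_call.get("url", "")
    try:
        host = check_egress(url, allowed_domains)
    except SecurityViolationError as exc:
        return {"status": "blocked", "error": "SecurityViolationError", "detail": str(exc)}
    # A real tool would perform the request here; this example stops at the gate.
    return {"status": "allowed", "host": host}


if __name__ == "__main__":
    # Constructed sample ACT steps, including the lookalike cases described above.
    for sample_url in (
        "https://api.stripe.com/v1/charges",
        "https://API.GitHub.com/repos/octocat/hello-world",
        "https://api.stripe.com@evil.example/exfil",
        "https://api.stripe.com.evil.example/",
        "http://api.stripe.com/",
        "https://api.stripe.com:8443/",
    ):
        print(run_http_request({"tool": "http_request", "url": sample_url}))
```

A name-based check in the tool is only half of the control: the same allowlist has to be enforced at the network or proxy layer as well, redirects must be re-checked against the list at every hop, and an allowed name that resolves to a private address (DNS rebinding) still needs to be caught where the connection is actually made.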
API Key Security
Savine uses a BYOK (Bring Your Own Key) model.
- Your keys are never hardcoded in configuration files. They are referenced via string identifiers (`key_ref: "GROQ_API_KEY"`).
- Keys are submitted via `savine config set` and encrypted at rest using AES-256-GCM.
- During execution, the AgentGraphEngine decrypts keys in memory only for the duration of the step that needs them, and strips them from execution traces before the traces are written.
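The last bullet hides a practical pitfall: a key that was handed to a tool can reappear in a THINK or ACT block in an encoded form (URL-encoded in a query string, JSON-escaped in tool arguments, base64 in a header), and a redactor that only looks for the raw value will miss it. The following is an added example of trace redaction that accounts for those variants; it is not the AgentGraphEngine's code, and the key_ref, secret value and trace lines are constructed for illustration.

```python
"""Illustrative redaction of resolved secrets from execution traces (added example)."""
from __future__ import annotations

import base64
import json
from urllib.parse import quote

# Variants shorter than this are skipped: redacting a very short string would
# blank unrelated text, and a key that short is a problem in its own right.
MIN_VARIANT_LEN = 8


def secret_variants(secret: str) -> set[str]:
    """Forms a secret commonly takes once it has passed through a tool call."""
    raw = secret.encode()
    return {
        secret,                                      # raw, e.g. "Authorization: Bearer ..."
        quote(secret, safe=""),                      # URL-encoded, e.g. "?api_key=..."
        json.dumps(secret)[1:-1],                    # JSON string escaping in tool arguments
        base64.b64encode(raw).decode(),              # base64, e.g. inside a Basic-style header
        base64.urlsafe_b64encode(raw).decode(),      # URL-safe base64 alphabet
    }


def redact_trace(trace: str, secrets: dict[str, str]) -> str:
    """Replace each resolved secret with a [REDACTED:<key_ref>] marker.

    `secrets` maps key_ref -> plaintext value as resolved in memory at execution
    time. Longer variants are replaced first so an encoded form is handled
    before a shorter form could match part of it and leave a tail behind.
    """
    replacements = sorted(
        (
            (variant, key_ref)
            for key_ref, value in secrets.items()
            for variant in secret_variants(value)
            if len(variant) >= MIN_VARIANT_LEN
        ),
        key=lambda pair: len(pair[0]),
        reverse=True,
    )
    for variant, key_ref in replacements:
        trace = trace.replace(variant, f"[REDACTED:{key_ref}]")
    return trace


# Constructed sample: one key_ref resolved in memory, and a trace in which the
# model echoed the value once raw and once URL-encoded.
RESOLVED_SECRETS = {"GROQ_API_KEY": "gsk_live/ab+cd"}
SAMPLE_TRACE = (
    "THINK: call http_request with header Authorization: Bearer gsk_live/ab+cd\n"
    "ACT: http_request GET https://api.groq.com/openai/v1/models?api_key=gsk_live%2Fab%2Bcd\n"
)

if __name__ == "__main__":
    print(redact_trace(SAMPLE_TRACE, RESOLVED_SECRETS))
```

Treat redaction as a backstop, not the control. Anything the model is allowed to see can come back in a shape the redactor did not anticipate (split across two lines, base64 of "user:secret" rather than of the secret alone, hex). The primary control is that a key_ref is resolved inside the engine at the moment the tool needs it and the plaintext never enters the prompt at all.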
Data Handling
- Task Inputs and Outputs are stored encrypted at rest.
- Execution traces (the THINK blocks containing LLM responses) are retained for 30 days by default.
- Data deletion is available on request, and via the `DELETE /api/v1/tasks/:id` endpoint for Enterprise tiers.
Enterprise Security & Audit Logs
- Network: VPC peering available for private network tasks (e.g., querying an internal RDS database).
- Audit Logging: Every platform event (deploy, update, task run, key rotation) writes to an immutable audit ledger available for export to SIEM platforms like Datadog and Splunk.