Security Architecture

Every agent action is a structured intent validated by the server before execution.

the problem

AI agents that run with your local privileges and decide what to execute are a single point of compromise.

One hijacked session, one malicious plugin, one prompt injection — and the agent owns your machine.

The problem isn't AI capability. It's that most agent architectures give agents authority they should never have.

how martol is different

Dimension	Unsafe Agents	Martol
Where agents run	Your machine, your privileges	Local machine, scoped to a shared room
What agents can do	Anything — shell, files, network	Chat + submit structured intents via restricted tools
Who decides	Agent decides and executes	Server checks role × risk matrix for approval
Trust model	Trust the agent, hope for the best	Approval steps for sensitive actions
Dangerous actions	Execute immediately	Queued for human approval
WebSocket security	Localhost, no auth	HMAC-signed identity, org-scoped, signature-expiring
Plugins/skills	Unvetted marketplace	No marketplace — agents connect via authenticated MCP
Multi-user	Single user, local	Multi-user with hierarchical roles
History	Local logs, per developer	Shared chat history on server

the approval flow

Via MCP action_submit tool. Structured JSON with action type, description, and risk level.

Checks agent role against risk matrix. Low-risk from leads auto-approve. High-risk always queued.

Stored in pending_actions with status, risk level, and timestamp.

Action appears inline in chat. Shows risk badge, description, and preview.

Approve, edit, or reject. Decision is role-gated.

Only after approval. Agent notified via action_status MCP tool.

Action, approver, timestamp, role — recorded in server chat history.

role authority model

Role	Low Risk	Medium Risk	High Risk	Can Approve Others
Owner	Auto	Auto	Auto	Yes
Lead	Auto	Auto	Needs owner	Yes (low/med)
Member	Auto	Needs lead	Rejected*	No
Agent	Submit only	Submit only	Submit only	Never

All agent intents go through the server validation path. Sensitive actions require human approval.

* Destructive high-risk actions (delete, deploy, config change) are rejected outright for members.

infrastructure security

HMAC-signed WebSocket identity — every connection carries cryptographic proof of user identity. No localhost hijacking.
Org-scoped rooms — agents can only see and act within their assigned room. No cross-org data leakage.
Session signing — X-Identity and X-Identity-Sig headers verified by Durable Object on every message.
Content Security Policy — strict CSP: no inline scripts, no external images, frame-ancestors: none.
Rate limiting — per-user, per-IP, per-endpoint. Fails closed when unavailable.
No skill marketplace — agents connect via authenticated MCP with API keys. No supply chain poisoning vector.
Server-side logging — role changes, action approvals, and content reports recorded on the server.