Security

Built for risky work.

Permissions, sandboxing, network policy, and audit logs.

What we assume.

Malicious model instruction.

The model can ask for unsafe actions. The harness gates them.

MCP compromise.

External servers run with declared permissions.

Local execution risk.

Shell, file, and network access are contained by mode.

Six layers.

Workspace containment.

Default scope stays inside the workspace.

OS sandbox.

Seatbelt, Landlock, namespaces, or Windows job restrictions.

Shell policy.

Allowlists and denylists for risky commands.

Network egress.

Host allow and deny rules.

Approval-on-write.

Writes outside policy require approval.

Secret detection.

Potential secrets are detected before exposure.

Permission modes.

Mode: Behavior
safe: Read and approved writes.
auto: Safe classes can auto-accept.
yolo: Unrestricted trusted-workspace mode for short-lived local work only.
paranoid: No terminal sponsor surfaces and stricter gates.

Audit log.

The local audit log records mode changes, approvals, denials, network policy events, secret detections, and outside-workspace attempts. It is designed as a chain so tampering is visible.
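A chained log of this kind can be sketched as follows. This is an added example, not Picasso's code: the SHA-256 hash chain, the record fields, the function names, and the sample events are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def _digest(prev_hash, body):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, event, detail):
    """Append a record whose hash covers its body and the previous hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "event": event, "detail": detail}
    log.append({**body, "prev": prev_hash, "hash": _digest(prev_hash, body)})
    return log[-1]

def verify(log, expected_head=None):
    """Return (ok, index of the first bad record or None)."""
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        body = {"seq": rec["seq"], "event": rec["event"], "detail": rec["detail"]}
        if (rec["seq"] != i or rec["prev"] != prev_hash
                or rec["hash"] != _digest(prev_hash, body)):
            return False, i
        prev_hash = rec["hash"]
    # A truncated or fully rewritten log is still a valid chain; only a head
    # hash kept outside the log file can reveal that.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None

def build_sample_log():
    """Constructed sample events, using the event kinds listed above."""
    log = []
    append(log, "mode_change", {"from": "safe", "to": "auto"})
    append(log, "approval", {"action": "write", "path": "src/app.py"})
    append(log, "denial", {"action": "shell", "command": "git push --force"})
    append(log, "network_policy", {"host": "example.invalid", "verdict": "deny"})
    append(log, "outside_workspace_attempt", {"path": "/etc/hosts"})
    return log
```

Editing or deleting a record breaks verification at that index. Catching truncation or a full rewrite depends on comparing against a head hash stored somewhere the log writer cannot reach.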

Operational gates.

The admin control plane keeps sensitive production changes behind evidence, approvals, rollback references, and audit records. Routing, budget, setup, provider-vault, account, and usage surfaces show no-evidence states instead of pretending a gate passed.

Routing and budget canaries.

Health gates, metrics, timelines, rollout selectors, and failed-gate reasons can block activation.

Provider vault.

Alias health, staged rotation, emergency disable state, validation history, and break-glass denial evidence stay visible.

Usage evidence.

Managed usage, margin detail, settlement status, worker state, and redacted export artifacts are operator-visible.

Responsible disclosure.

A dedicated security contact is published the day Picasso opens. Reports should include the affected version, reproduction steps, impact, and any relevant logs. Picasso confirms receipt, investigates the boundary involved, and publishes security notes with scope, fixed issues, and residual risk when a public disclosure is appropriate.
