Security

Threat model.

The risks Picasso is designed around.



Threat surfaces.

Model-side malicious instruction.

A prompt injection or tampered instruction tries to leak secrets, damage files, or call a hostile endpoint. Picasso treats model requests as untrusted until the harness checks the action.

MCP server compromise.

A third-party capability server attempts to exceed its declared permission profile. Picasso keeps server permissions explicit and records tool use in the session.

Local code execution risk.

Generated or tested code behaves destructively when run through shell or test tools. Approval gates, shell policy, and workspace containment set the boundary.

Provider secret misuse.

A stale, staged, disabled, or break-glass-denied provider key should not become an invisible model route.

Primary boundaries.

Picasso assumes that useful agents need tools, and tools need limits. The boundary is visible before the action, not explained after the fact.

trust boundary: outside the agent loop
generated code: clean
model output: clean
tool results: clean
plan documents: clean
routing: not influenced
memory: retrieval only

Workspace root.

File operations resolve absolute paths and deny escapes unless the user explicitly grants scope.
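The containment check described above, written out as an added example. This is illustrative code, not Picasso's own implementation, and the function name, the `granted_scopes` parameter and the sample paths are assumptions. It resolves the requested path to its real location (so `..` segments and symlinks are followed before the decision), then requires that location to sit under the workspace root or under a scope the user explicitly granted; a sibling directory whose name merely starts with the root's name is rejected because the comparison is on path components, not string prefixes.

```python
import os
import tempfile


def resolve_in_scope(root, requested, granted_scopes=()):
    """Return (allowed, real_path) for a file operation on `requested`.

    `requested` may be relative (joined to `root`) or absolute. The path is
    canonicalised with realpath so that `..` and symlinks cannot point outside
    the root without being noticed. `granted_scopes` are extra directories the
    user has explicitly opened up (hypothetical parameter for this example).
    """
    root_real = os.path.realpath(root)
    candidate = requested if os.path.isabs(requested) else os.path.join(root_real, requested)
    real = os.path.realpath(candidate)
    allowed_roots = [root_real] + [os.path.realpath(s) for s in granted_scopes]
    for scope in allowed_roots:
        # commonpath compares whole components, so "/ws-evil" is not inside "/ws".
        if os.path.commonpath([scope, real]) == scope:
            return True, real
    return False, real


def demo():
    """Build a constructed workspace layout in a temp dir and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = os.path.join(tmp, "workspace")
        outside = os.path.join(tmp, "outside")
        os.makedirs(ws)
        os.makedirs(outside)
        # A symlink inside the workspace that points outside it (constructed).
        os.symlink(outside, os.path.join(ws, "link"))
        return {
            "plain": resolve_in_scope(ws, "src/main.py")[0],
            "dotdot": resolve_in_scope(ws, "../outside/secret")[0],
            "symlink": resolve_in_scope(ws, "link/secret")[0],
            "granted": resolve_in_scope(ws, "link/secret", granted_scopes=[outside])[0],
            "prefix_trick": resolve_in_scope(ws, os.path.join(tmp, "workspace-evil", "x"))[0],
        }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:13s} -> {'allowed' if allowed else 'denied'}")
```

The symlink case is the one worth keeping in mind: a check that only normalises `..` and never calls `realpath` will happily approve `link/secret` because the textual path is inside the workspace.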

OS sandbox.

macOS, Linux, and Windows use native containment where available.

Network egress.

Tool and MCP network calls pass through allow and deny policy.

Approval gates.

Writes and destructive actions surface their blast radius before execution.

Provider vault.

Provider key promotion, validation, rotation, disablement, and denial records are treated as security evidence.

Audit log.

Mode changes, approvals, denials, network violations, outside-workspace attempts, and secret detections are written to a tamper-evident HMAC chain. The log gives teams a local record of the decisions that mattered.
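An added example of the tamper-evident HMAC chain the audit log describes. This is not Picasso's code and the record layout, the event schema and the key handling are assumptions made for the example. Each record's MAC covers the previous record's MAC plus its own body, so editing, reordering or deleting an interior record breaks every check from that point on. The example also shows the one thing a bare chain cannot catch: cutting records off the tail leaves a perfectly valid shorter chain, which is why the latest MAC should be anchored somewhere the agent loop cannot reach (a separate file, a remote store, or a periodic checkpoint).

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-MAC value for the first record

# Constructed sample events; they mirror the kinds of decisions the text lists
# but are not a real Picasso log schema.
SAMPLE_EVENTS = [
    {"type": "mode_change", "from": "plan", "to": "edit"},
    {"type": "approval", "tool": "shell", "cmd": "pytest -q"},
    {"type": "denial", "tool": "fs.write", "path": "/etc/hosts", "reason": "outside workspace"},
    {"type": "network_violation", "host": "example.invalid", "policy": "deny"},
    {"type": "secret_detected", "tool_result_id": "r-17", "kind": "api_key"},
]


def _canonical(event):
    # Stable serialisation so the same event always MACs to the same value.
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def _mac(key, prev_mac, event):
    return hmac.new(key, (prev_mac + "\n" + _canonical(event)).encode(), hashlib.sha256).hexdigest()


def append_event(chain, key, event):
    """Append `event` to `chain`, linking it to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": len(chain), "prev": prev, "event": event, "mac": _mac(key, prev, event)})
    return chain


def verify_chain(chain, key):
    """Return (ok, index): ok is True if every link holds; on failure index is the
    first bad record, on success it is the chain length."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if not hmac.compare_digest(_mac(key, prev, rec["event"]), rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, len(chain)


def demo(key=b"constructed-demo-key; a real key lives outside the agent's reach"):
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, key, ev)
    results = {"intact": verify_chain(chain, key)[0]}

    # Rewrite a denial as an approval: the MAC of record 2 no longer matches.
    edited = copy.deepcopy(chain)
    edited[2]["event"]["type"] = "approval"
    results["edit_detected_at"] = verify_chain(edited, key)[1]

    # Drop an interior record: the seq/prev link of the following record breaks.
    dropped = copy.deepcopy(chain)
    del dropped[1]
    results["deletion_detected_at"] = verify_chain(dropped, key)[1]

    # Truncate the tail: still a valid chain, so this is NOT detected by the chain alone.
    results["truncation_detected"] = not verify_chain(chain[:3], key)[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Verification should run with the key held by the harness, not by anything the model can ask to read; a process that can read the key can rewrite the chain.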
