Security Architecture
OpenParallax implements the Parallax security paradigm: the system that reasons cannot execute, the system that executes cannot reason, and an independent validator sits between them. This is structural enforcement, not behavioral — it does not depend on the model's safety training, the prompt, or runtime checks the model could bypass.
This section documents every security mechanism in the system, organized by what category of threat each one mitigates.
Defense Mechanism Map
| Group | Mechanisms | What it protects against |
|---|---|---|
| Structural Isolation | Cognitive-executive separation, kernel sandbox, sub-agent recursion guard | A compromised LLM directly executing harmful actions |
| Action Validation | Shield (4 tiers), safe-command fast path, protection layer, denylist, IFC, hash verifier | Harmful tool calls proposed by the LLM reaching execution |
| State Protection | Chronicle, audit chain, memory isolation, OTR mode | Unrecoverable state corruption, evidence tampering, data persistence leaks |
| Input/Output Safety | Output sanitization, redaction, SSRF protection, HTTP header denylist, git flag injection prevention, tool call ID sanitization, identity validation, Ollama loopback restriction, setup wizard allowlist | Prompt injection, data exfiltration, credential leakage |
| Resource Limiting | Rate limit, Tier 2 budget, verdict TTL, Tier 3 hourly cap, crash budget, sub-agent caps, reasoning loop rounds | Resource exhaustion, runaway loops, denial of service |
| Cryptographic Foundations | Action hashing, canary tokens, agent auth token, audit hash chain | Tampering, impersonation, replay attacks |
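The following added example (not OpenParallax code; every class, name and policy value in it is hypothetical) illustrates the paradigm stated at the top of this page together with two rows of the map above: the reasoner emits proposals as plain data and holds no executor reference, an independent validator issues an HMAC-tagged verdict bound to the SHA-256 hash of the canonical action (the "action hashing" and "hash verifier" mechanisms), the executor recomputes that hash before acting, and every decision is appended to a hash-chained audit log. It assumes a shared validator/executor key and a three-entry denylist, both constructed for the example, and it records rather than spawns the process.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed denylist for the example; the real policy set is not on the page.
DENYLIST = {"rm", "curl", "sudo"}


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so every component hashes exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def action_hash(action: dict) -> str:
    return hashlib.sha256(canonical(action)).hexdigest()


class Reasoner:
    """Cognitive side: produces a proposal as data and never touches the executor."""

    def propose(self, argv: list) -> dict:
        return {"tool": "shell", "argv": list(argv)}


class Validator:
    """Independent check between the two sides: returns a keyed verdict or None."""

    def __init__(self, key: bytes):
        self._key = key

    def decide(self, action: dict) -> Optional[dict]:
        if action.get("tool") != "shell" or not action.get("argv"):
            return None
        if action["argv"][0] in DENYLIST:
            return None
        h = action_hash(action)
        tag = hmac.new(self._key, h.encode(), hashlib.sha256).hexdigest()
        return {"hash": h, "tag": tag}


class AuditChain:
    """Append-only log in which each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = hashlib.sha256(canonical({"prev": prev, "event": event})).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            expected = hashlib.sha256(canonical({"prev": e["prev"], "event": e["event"]})).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


class Executor:
    """Executive side: acts only when the verdict is keyed to the action it actually holds."""

    def __init__(self, key: bytes, audit: AuditChain):
        self._key = key
        self.audit = audit

    def run(self, action: dict, verdict: Optional[dict]) -> bool:
        h = action_hash(action)  # recomputed here, never trusted from the proposer
        ok = (
            verdict is not None
            and verdict["hash"] == h
            and hmac.compare_digest(
                verdict["tag"], hmac.new(self._key, h.encode(), hashlib.sha256).hexdigest())
        )
        self.audit.append({"action": action, "hash": h, "executed": ok})
        # A real executor would spawn the sandboxed process here; this example only records.
        return ok


def demo() -> dict:
    key = b"example-shared-secret"  # assumed: validator and executor share this key
    audit = AuditChain()
    reasoner, validator, executor = Reasoner(), Validator(key), Executor(key, audit)
    results = {}
    benign = reasoner.propose(["ls", "-la"])
    results["benign"] = executor.run(benign, validator.decide(benign))
    harmful = reasoner.propose(["rm", "-rf", "/"])
    results["harmful"] = executor.run(harmful, validator.decide(harmful))
    swapped = reasoner.propose(["ls"])
    verdict = validator.decide(swapped)
    swapped["argv"] = ["rm", "-rf", "/"]  # mutated after approval: the hash no longer matches
    results["swapped"] = executor.run(swapped, verdict)
    results["audit_intact"] = audit.verify()
    audit.entries[1]["event"]["executed"] = True  # attempt to rewrite history
    results["audit_tampered"] = audit.verify()
    return results


if __name__ == "__main__":
    print(demo())
```

The swapped case is the point of hashing the action rather than passing a boolean: a proposal altered between verdict and execution is refused without any behavioural check on the model, and the audit chain reports the later edit because each entry's digest covers the previous one.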
Configurable vs Non-Negotiable
Some mechanisms are structurally fixed in the compiled binary — they cannot be disabled via configuration, environment variables, or any runtime API. Others have tunable parameters (policy presets, rate limits, budgets) while the mechanism itself remains active.
See Non-Negotiable Defenses for the full inventory of fixed mechanisms, and Hardening for the tuning guide.
Threat Model
The Threat Model maps each defense to specific threats from OWASP Top 10, OWASP Top 10 for LLM Applications, MITRE ATLAS, and CWE.
Information Flow Control
The IFC reference documents the policy-driven data classification and flow control system that prevents sensitive data from crossing sensitivity boundaries.
Related Documentation
- Shield Pipeline — detailed Tier 0–3 documentation
- Sandbox — kernel-level process isolation
- Audit — append-only hash-chained logging
- Hardening Guide — practical tuning workflows