Constraint Dynamics  /  Security
Security posture · bounded claims · reviewer-friendly

A boundary, not a brochure.

Constraint Native is a narrow, local, in-process boundary. This page describes what it does, what it does not do, and how a reviewer should evaluate it. The claims are bounded; the non-claims list is explicit so the scope is unambiguous.

Hierarchy: Golem governs what can be said; Constraint Native governs what an agent can do.

Request the funding packet See proof artifacts
01 · Scope

What is in scope.
What is out.

The current scope is intentionally narrow. Hardening, second-platform alpha, and external review are funded work — not pre-funding promises.

In scope

  • Local Agent Firewall + MCP Gateway, in-process with the coding agent
  • File / shell / MCP / network governance with deny-by-default posture
  • Capability brokering, taint tracking, approval routing, canary-secret blocks
  • Ed25519-chained signed event log, replay-audit walkthrough
  • macOS alpha · single-developer workspace
  • Bounded blast-radius reporting per session

Out of scope

  • Compliance certification claims (SOC 2, FedRAMP, HIPAA, ISO)
  • Endpoint isolation, sandbox containment, hypervisor-grade boundaries
  • Replacement for IAM, EDR, DLP, secure code review, or human judgment
  • Hosted multi-tenant gateway (we are local-first and in-process)
  • Perfect prompt-injection prevention guarantees
  • Cross-platform GA — Linux/Windows alphas come after the bridge proof is reproducible
02 · Threat / Control / Evidence

What we model.
How we contain it.
How a reviewer can check.

The boundary is small enough that a reviewer can hold the entire model in their head. Each row maps a concrete threat to a concrete control to a concrete piece of evidence in the proof artifact.

Threat
Control
Evidence
Prompt injection in tool output
Taint tracker quarantines tool output before downstream use
Quarantine event in chain · tainted memory not written
Unauthorized workspace mutation
Path-scoped file policy · deny-by-default writes
Denied file.write event · blast-radius excludes mutation
Secret exfiltration via output
Canary-secret pattern detection · output filter
Denied secret.output event · canary token never emitted
Egress to unapproved network
Egress allowlist · default deny
Denied network.request event · allowlist evaluated
Elevated shell without human review
Approval gate · human decision required
Approval.request + approval.decision events in chain
Tampered audit trail
Ed25519 chain · previous-hash linking
path.verify event · signature chain verified offline
Silent runtime failure
Session.start anchor + terminal verify event required
Missing terminal verify is a reviewer red flag
03 · Data handling

Local-first by default.
Telemetry off by default.

The proof artifact stays on the developer's machine until they choose to export it. There is no cloud control plane required for the boundary to work.

datahandling local
Where it runsIn-process with the local coding-agent clienton-device
Where logs liveOn disk, scoped to the workspace, signed locallyon-device
TelemetryOff by default · no network call required to functionopt-in
Proof exportManual export of signed proof artifact for reviewmanual
Secrets handlingCanary-secret patterns detected and blocked at outputfiltered
Update channelSigned installer · alpha release notes and checksumssigned
posture: local-first · proof-led · no cloud control plane no network egress required
04 · Reviewer checklist

What to verify in 30 minutes.

If you are reviewing the boundary, these are the seven checks that matter most. Anything that surprises you here is something we want to know about.

checklistreviewer · 30-minute open
Check 01The signed proof artifact loads, parses against the schema, and the chain verifies offline.→ chain
Check 02Every event has a previous-hash; the first event is a session.start; the last is a path.verify.→ envelope
Check 03Quarantine events appear before any memory.write of the same content; tainted output never reaches durable memory.→ taint
Check 04Denied write events match the path policy; .env or canary paths are never written.→ writes
Check 05Denied network events match the egress allowlist; no off-allowlist destinations succeed.→ network
Check 06Approval gate produces a request and a decision event; elevated shell never executes without an approve decision.→ approval
Check 07Blast-radius report aligns with the chain (no missing files, no missing denials).→ radius
artifact-led review · works offline if any check fails: hello@constraintdynamics.com
05 · Known gaps before external review

Trust starts with the unfinished edges.

These are planned diligence items, stated before a reviewer has to ask for them.

Before external review

  • Alpha currently scoped to macOS and single-developer workspace.
  • Full containment requires Constraint Native to own the launch boundary.
  • External audit is not complete yet.
  • Cross-platform behavior is not yet validated.
  • Fresh live proof export should be generated before diligence.
06 · Non-claims

Stated explicitly.

Constraint Native is bounded by design. The lines below are the ones we deliberately do not cross — at least, not yet, and not without external review.

Constraint Native is not

  • Compliance certification (SOC 2, FedRAMP, HIPAA, ISO 27001, etc.)
  • Full endpoint or hypervisor-level isolation
  • A perfect prompt-injection containment guarantee
  • A replacement for IAM, EDR, DLP, secure-code-review, or human judgment
  • A peer-reviewed or third-party-audited security product (yet)
  • A cross-platform GA — alpha-scope until external review and second-platform port
  • A clinical, medical, or consciousness-related product
Reviewer engagement

Want to pressure-test the boundary?

Engaging an external reviewer is a funded line item in this round. If you have threat-modeling or security-review experience and want to look closely, we want to hear from you.

Request the funding packet Grant path