Ilura
GUIDE · ZERO-TRUST

What is a zero-trust AI agent?

A zero-trust AI agent treats every tool call and every file or API access as untrusted by default. A PolicyEngine evaluates each action, classifies it by risk level, and either auto-approves, requests user confirmation, or demands biometric verification. Every decision is written to a SHA-256-signed audit chain, so the entire history is cryptographically verifiable.

01 Who is it for?

Zero-trust agent architecture matters most for:

  • Anyone handling sensitive data. Customer records, health information, financial documents — the agent must not touch the wrong folder.
  • Teams under compliance regimes. KVKK, GDPR, HIPAA, SOC 2, ISO 42001 — agent decisions must be auditable.
  • Developers using MCP in production. After Ox Security's April 2026 advisory, the MCP STDIO transport is considered RCE-by-design — defense must live in the application layer.

02 How does it work?

Zero-trust rests on four principles:

  1. Nothing is safe by default. Even a "read file" call is checked for path traversal, forbidden extensions, and pod boundaries.
  2. Risk levels. Low (read), medium (write), high (delete, network), critical (UI automation, subprocess spawn). Each level triggers a different approval flow.
  3. The user is the trust source. The model's "good intent" is not enough. Every risky step is shown to the user.
  4. Cryptographic audit chain. Each decision is hashed (SHA-256) and signed (P-256 ECDSA). Tampering breaks the chain mathematically.
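The four principles above, written out as a small policy engine in Rust. This is an added example, not code from Ilura's security/policy.rs: the action set, the risk-to-approval mapping (medium and high both prompting the user, critical demanding biometrics), and the forbidden extensions and allowlisted domain are all assumptions constructed for the illustration. Path checks are lexical here so they work on files that do not exist yet; a production engine would also canonicalize symlinks on the filesystem.

```rust
use std::path::{Component, Path, PathBuf};

/// The four tiers from the principles above.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Risk { Low, Medium, High, Critical }

/// Approval flow a tier triggers (mapping assumed for this example).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Approval { Auto, UserConfirm, Biometric }

/// Constructed subset of agent actions (not Ilura's real type).
#[derive(Debug)]
pub enum Action<'a> {
    ReadFile(&'a str),
    WriteFile(&'a str),
    DeleteFile(&'a str),
    Network(&'a str),
    Spawn(&'a str),
    UiAutomation,
}

pub struct PolicyEngine {
    pod_root: PathBuf,
    forbidden_ext: &'static [&'static str],
    allowed_domains: &'static [&'static str],
}

impl PolicyEngine {
    /// Sample lists are constructed for the example.
    pub fn new(pod_root: &str) -> Self {
        PolicyEngine {
            pod_root: PathBuf::from(pod_root),
            forbidden_ext: &["pem", "key", "env"],
            allowed_domains: &["api.example.com"],
        }
    }

    /// Principle 2: the action kind alone fixes the tier.
    pub fn classify(action: &Action) -> Risk {
        match action {
            Action::ReadFile(_) => Risk::Low,
            Action::WriteFile(_) => Risk::Medium,
            Action::DeleteFile(_) | Action::Network(_) => Risk::High,
            Action::Spawn(_) | Action::UiAutomation => Risk::Critical,
        }
    }

    /// Principle 3: anything above low goes to the user.
    pub fn approval_for(risk: Risk) -> Approval {
        match risk {
            Risk::Low => Approval::Auto,
            Risk::Medium | Risk::High => Approval::UserConfirm,
            Risk::Critical => Approval::Biometric,
        }
    }

    /// Principle 1: even a read is checked. Lexical normalisation against the
    /// pod root: `..` pops a component, and the result must stay inside the pod.
    fn resolve_in_pod(&self, requested: &str) -> Result<PathBuf, String> {
        let p = Path::new(requested);
        let mut out = if p.is_absolute() { PathBuf::new() } else { self.pod_root.clone() };
        for c in p.components() {
            match c {
                Component::CurDir => {}
                Component::ParentDir => { out.pop(); }
                other => out.push(other.as_os_str()),
            }
        }
        if out.starts_with(&self.pod_root) { Ok(out) } else { Err(format!("path escapes pod boundary: {requested}")) }
    }

    fn check_extension(&self, path: &Path) -> Result<(), String> {
        if let Some(ext) = path.extension().and_then(|e| e.to_str()) {
            let lower = ext.to_ascii_lowercase();
            if self.forbidden_ext.contains(&lower.as_str()) {
                return Err(format!("forbidden extension: .{ext}"));
            }
        }
        Ok(())
    }

    /// Exact-host allowlist; a suffix match would let `api.example.com.evil.test` through.
    fn check_domain(&self, url: &str) -> Result<(), String> {
        let rest = url.split_once("://").map(|(_, r)| r).unwrap_or(url);
        let host = rest.split(['/', ':', '?']).next().unwrap_or("");
        if self.allowed_domains.contains(&host) { Ok(()) } else { Err(format!("domain not allowlisted: {host}")) }
    }

    /// Deny outright, or report which approval flow the caller must run.
    pub fn evaluate(&self, action: &Action) -> Result<Approval, String> {
        match action {
            Action::ReadFile(p) | Action::WriteFile(p) | Action::DeleteFile(p) => {
                let resolved = self.resolve_in_pod(p)?;
                self.check_extension(&resolved)?;
            }
            Action::Network(url) => self.check_domain(url)?,
            Action::Spawn(_) | Action::UiAutomation => {}
        }
        Ok(Self::approval_for(Self::classify(action)))
    }
}

fn main() {
    let engine = PolicyEngine::new("/pods/demo");
    for a in [Action::ReadFile("notes/todo.md"), Action::ReadFile("../../etc/passwd"), Action::Spawn("sh")] {
        println!("{a:?} -> {:?}", engine.evaluate(&a));
    }
}
```

Note the order: a denied action never reaches an approval prompt, so the user is only asked about actions that already passed the mechanical checks. That is what lets low-risk reads auto-pass without becoming a blind spot.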

03 How is it done with Ilura?

Ilura is the zero-trust architecture made concrete:

  • PolicyEngine. Every file_io, network, and subprocess call routes through security/policy.rs, which performs path canonicalization, an allowlist domain check, quota enforcement, and a forbidden-extension filter.
  • Approval bridge. Medium+ risk decisions are emitted as Tauri events to the React UI; the execution thread waits on a oneshot channel until the user approves or rejects.
  • Audit chain. SQLite database with SHA-256 hash linking and ECDSA signatures. verify_chain() validates end-to-end integrity.
  • MCP STDIO hardening. In response to the Ox Security advisory of 2026-04-16, mcp::client::validate_stdio_spawn blocks risky binaries (sh, bash, curl, rm, sudo) and dangerous args (-c, -e, --eval). Every critical MCP spawn requires biometric approval.
  • Time Machine. Pre-write/delete snapshots. Mistakes are reversible.

04 Frequently asked questions

Is zero-trust the same as sandboxing?

Sandboxing is a tool (macOS sandbox-exec, Linux bwrap, Windows AppContainer); zero-trust is an architecture. Sandboxing limits what code can do; zero-trust verifies every access in addition. Ilura uses both.

Why must the audit chain be hash-linked?

Hash chaining stores in each record the SHA-256 hash of the previous record. Modifying any record changes its hash and therefore invalidates every subsequent link. verify_chain() is a cryptographic proof of non-tampering.

What is the Ox Security MCP advisory?

On April 16, 2026, Ox Security disclosed that MCP SDKs (rmcp included) pass user-supplied command + arguments straight to the shell — RCE by design. Anthropic stated this is "by design"; no protocol patch is planned. Defense must be application-level. Ilura's answer: spawn_validator + binary/arg blocklist + biometric approval.
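The spawn validation step named above (and in the MCP STDIO hardening bullet of section 03), as an added example in Rust. It is not Ilura's mcp::client::validate_stdio_spawn; the function name, the verdict type and the handling of basenames and `--flag=value` forms are assumptions, while the blocked binaries and arguments are the ones listed on this page.

```rust
use std::path::Path;

/// Verdict for a requested MCP STDIO server spawn (type assumed for this example).
#[derive(Debug, PartialEq, Eq)]
pub enum SpawnVerdict {
    /// Passed the blocklist; still a critical action, so biometric approval follows.
    NeedsBiometric,
    /// Rejected before any approval prompt is shown.
    Blocked(String),
}

// Lists taken from the page's description of the hardening.
const BLOCKED_BINARIES: &[&str] = &["sh", "bash", "curl", "rm", "sudo"];
const BLOCKED_ARGS: &[&str] = &["-c", "-e", "--eval"];

pub fn validate_stdio_spawn(command: &str, args: &[&str]) -> SpawnVerdict {
    // Compare on the basename so "/bin/sh" and "sh" are treated alike.
    let base = Path::new(command)
        .file_name()
        .and_then(|f| f.to_str())
        .unwrap_or(command);
    if BLOCKED_BINARIES.contains(&base) {
        return SpawnVerdict::Blocked(format!("blocked binary: {base}"));
    }
    for &arg in args {
        // Catch both "--eval" and "--eval=<code>" spellings.
        let name = arg.split_once('=').map(|(n, _)| n).unwrap_or(arg);
        if BLOCKED_ARGS.contains(&name) {
            return SpawnVerdict::Blocked(format!("blocked argument: {arg}"));
        }
    }
    SpawnVerdict::NeedsBiometric
}

fn main() {
    // Constructed server command; "example-mcp-server" is a placeholder, not a real package.
    let requests: [(&str, &[&str]); 3] = [
        ("npx", &["-y", "example-mcp-server"]),
        ("/bin/sh", &["-c", "echo hi"]),
        ("node", &["--eval=1+1"]),
    ];
    for (cmd, args) in requests {
        println!("{cmd} {args:?} -> {:?}", validate_stdio_spawn(cmd, args));
    }
}
```

A blocklist like this is a first line of defense, not a complete one; the usual next step is an allowlist of approved server binaries, with the blocklist kept as a backstop for anything that slips through configuration changes. Either way, the biometric prompt on every remaining spawn is what keeps the user, not the model, as the trust source.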

Does zero-trust slow things down?

Low-risk operations (read, list_directory) auto-pass with near-zero overhead. Medium+ risk decisions wait on user approval — this is a UX trade-off, not a performance one. Audit writes are async and batched.

How does this map to EU AI Act and ISO 42001?

Both frameworks require audit trails and human oversight for high-risk AI systems. Zero-trust architecture satisfies both directly. Ilura's audit chain is suitable for EU AI Act §29 (logging) and ISO 42001 §6.1.2 (risk management).
