As autonomous AI agents proliferate in enterprise environments, the security model governing their access to sensitive data and systems has not kept pace. The dominant pattern — long-lived API credentials stored alongside the agent on a cloud server — creates a single point of compromise. MahaGuardian is a cryptographic information-barrier platform that separates where authority over AI agents is defined from where it is enforced. The owner retains sole cryptographic control over what agents are permitted to do. The always-on cloud infrastructure can only operate within pre-authorized bounds.
An AI agent deployed to manage customer relationships needs access to a CRM. An agent drafting emails needs access to a mail service. An agent analyzing financial data needs database read permissions. In every case, the agent requires credentials to do its work.
In the dominant deployment model, credentials are stored on the same cloud server that runs the agent. A single compromise exposes everything. The enforcement layer can grant new permissions. There is typically no mechanism for the owner to independently verify what the enforcement layer did while the owner was not watching.
When multiple agents operate within the same organization — one handling client A's data, another handling client B's — the information barrier between them is typically enforced by policy, not by architecture. A misconfigured permission, a shared credential store, or a compromised orchestration layer can leak data between partitions. In regulated industries, this is a compliance failure.
Separate authority definition from enforcement. The party that defines what agents are allowed to do is architecturally distinct from the party that carries out those instructions. Compromising the cloud does not grant the ability to define new authority.
Cryptographic enforcement. Permissions are enforced through cryptographic signatures, not through access-control lists or configuration files that can be edited by a compromised system.
Short-lived, scoped credentials. Agents receive credentials that are both time-limited and scope-limited. Credential lifetimes are short enough that compromise of a single credential has bounded impact.
Tamper-evident audit. Every credential issuance and agent action is logged in a tamper-evident audit trail that the system owner can verify after the fact.
MahaGuardian V1 is a functional Guardian Daemon running on the system owner's device, managing credentials, rules, and audit for isolated AI agent deployments.
Agent credentials are stored in an encrypted vault using age encryption. The age identity key is wrapped with an AES-256-GCM key derived from the owner's passphrase via scrypt. Salt and nonce from os.urandom.
Agent rules are defined in a TOML file signed with ed25519. The Guardian verifies the signature before loading any rules. A hash ledger tracks the integrity of all signed artifacts and is itself signed.
An append-only SQLite audit log records every event. Each entry includes a SHA-256 hash of the previous entry, forming a hash chain. The SQLite authorizer blocks UPDATE and DELETE operations.
Agents run on isolated cloud droplets connected to the Guardian via mutual TLS. Each agent receives short-lived, scoped tokens held in memory only. Agents are partition-blind: they cannot discover other agents' credentials or data.
970 passing tests covering credential operations, signature verification, hash-chain integrity, access-control enforcement, deployment workflows, and input sanitization.
mlock protects raw buffers but CPython's string interning and GC mean parsed credential values may exist in copies.MahaGuardian's architecture is designed to evolve toward stronger separation between credential management, agent execution, and audit verification. Future versions will extend the cryptographic guarantees of the current Guardian Daemon into production cloud deployments with independent audit verification.
This future architecture is under development. Details will be published as the implementation matures and relevant intellectual property protections are in place.
| Component | Technology |
|---|---|
| Language | Python 3.11+ |
| Vault encryption | age (via pyrage) |
| Key wrapping | AES-256-GCM (via cryptography) |
| KDF | scrypt (via cryptography) |
| Rule signing | ed25519 (via PyNaCl) |
| Audit log | SQLite (append-only, hash-chained) |
| Agent transport | mutual TLS |
| Agent hosting | Hetzner cloud |
See the repository for full setup and configuration.
Birgisson, A., et al. (2014). Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud. NDSS 2014.
Laurie, B., Langley, A., Kasper, E. (2013). Certificate Transparency. RFC 6962.
SPIFFE. Secure Production Identity Framework for Everyone. spiffe.io
W3C. Trace Context. w3.org/TR/trace-context/