A Security Paradigm for Agentic Autonomy.

SoyAgent is designed to solve the fundamental challenge of modern AI architecture: granting autonomous systems deep tool access without expanding the attack surface.

Isolation & Credential Layer

Secret Injection Proxy

The reasoning engine generates unauthenticated intent. The proxy intercepts egress, terminates TLS, and injects Authorization headers from an isolated Vault.

RFC 8693 Token Exchange
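The proxy's rewrite step, as an added illustration in Python (not SoyAgent's own code): the agent's request arrives without credentials, anything credential-like the agent did supply is stripped, and a token is injected only for a host that has one in the vault. The vault contents, hostnames and the egress allowlist are constructed assumptions for this example; the page itself does not state that the proxy enforces an allowlist.

```python
from urllib.parse import urlsplit

# Constructed sample data. In the design described above the vault lives
# outside the agent's namespace; the agent only sees the request it produced.
VAULT = {
    "api.example.com": "Bearer vault-token-123",  # constructed placeholder token
}
# Assumption for this example: the proxy also enforces an egress allowlist.
# One host is listed without a credential to show plain forwarding.
ALLOWED_HOSTS = frozenset({"api.example.com", "public.example.org"})

# Headers the agent must never carry through the proxy, so a prompt-injected
# or buggy agent cannot forge or smuggle credentials upstream.
STRIPPED = frozenset({"authorization", "proxy-authorization"})


def rewrite_egress(method, url, headers, vault=VAULT, allowed_hosts=ALLOWED_HOSTS):
    """Return the request the proxy forwards upstream, or a denial record.

    Denials are returned rather than raised so the caller (and the audit log)
    can record why the agent's intent was refused.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        # Credentials are only injected into a TLS session the proxy itself
        # terminates and re-originates; never into plaintext egress.
        return {"allowed": False, "reason": f"plaintext egress refused: {url}"}
    if host not in allowed_hosts:
        return {"allowed": False, "reason": f"host not on egress allowlist: {host}"}
    # Drop whatever the agent believes it knows about authentication;
    # the vault, not the reasoning engine, is the source of truth.
    clean = {k: v for k, v in headers.items() if k.lower() not in STRIPPED}
    secret = vault.get(host)
    if secret is not None:
        clean["Authorization"] = secret
    return {"allowed": True, "method": method, "url": url, "headers": clean}


if __name__ == "__main__":
    # Unauthenticated intent from the agent, including a forged header it must not keep.
    print(rewrite_egress("GET", "https://api.example.com/v1/items",
                         {"Accept": "application/json", "Authorization": "Bearer agent-guess"}))
    print(rewrite_egress("GET", "https://public.example.org/", {"Accept": "*/*"}))
    print(rewrite_egress("POST", "https://evil.example.net/", {}))
```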

Linux Mount Namespaces

Physical isolation at the kernel level. Bind-mount only explicitly approved directories. Sensitive host files remain invisible to the agent.

Bubblewrap / Firecracker

AgentFS (SQLite Virtualization)

All file operations are routed to SQLite. Modifications create differential deltas, ensuring host files are never overwritten directly.

Copy-on-Write Auditing

Orchestration & Persistence

Plan-and-Execute DAGs

State Serialization

Separate cognition from execution. A Director Agent builds a structured plan, which is compiled into a deterministic LangGraph state machine.

ARCHITECTURE FLOW
PLAN_NODE -> DAG_COMPILER -> EXECUTOR_QUEUE
[CHECKPOINT] -> PERSIST_STATE(sqlite) -> NEXT_NODE

Durable Background Workers

Trigger.dev Integration

Tasks checkpoint state after every step. If the server crashes, SoyAgent resumes precisely where it left off without duplicating work.

Decoupled Authorization (CIBA)

SoyAgent uses the **Client-Initiated Backchannel Authentication** standard to manage Human-on-the-Loop approvals. When a sensitive tool is invoked, the agent doesn't block—it hibernates.

1. The agent serializes its entire memory and reasoning trace.
2. A push notification is delivered to the authorized mobile device.
3. A cryptographic grant restores the execution node.

Memory Layer Persistence

| Memory layer | Store | Latency |
|---|---|---|
| Working Memory | Redis | 1ms |
| Episodic Memory | SQLite | 5ms |
| Semantic Memory | Vector DB | 15ms |

SoyAgent

Zero-Trust Autonomous AI Agents for Enterprise.

© 2026 SoyAgent.