Read-only first
Agents start in scoped, observable modes before any external effect or production write is considered.
FridayOS treats agent work as an operational system: identity-scoped, workspace-bound, provider-aware, reviewable and auditable before it becomes production execution.
External effects and production-impacting writes should be gated, logged and reversible where possible.
External effects, production-impacting changes and high-risk tool use should require explicit approval.
Provider health and readiness checks expose configured state without returning raw key values.
Execution should leave a ledger trail with artifacts, jobs, usage and black-box audit records.
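The four principles above (read-only by default, workspace binding, explicit approval for effects, a ledger trail) can be expressed as one small policy gate. The following is an added illustration, not FridayOS code and not its write-policy or approval engine; the type names, the "tool passport" allowlist, the per-target approval shape and the sample calls are all assumptions made for the example.

```typescript
// Added example (not FridayOS code): a minimal write-policy / approval gate
// expressing the principles above. All names and shapes are hypothetical.

type Effect = "read" | "write" | "external";
type Mode = "readonly" | "scoped" | "production";

interface ToolCall {
  tool: string;      // e.g. "repo.read", "db.write", "http.post"
  effect: Effect;    // declared effect class of the tool
  workspace: string; // workspace the call is bound to
  target: string;    // resource touched, e.g. "staging-db" or a hostname
}

interface Session {
  actorId: string;
  workspace: string;
  mode: Mode;
  // Tool "passport": the only tools this actor session may invoke at all.
  allowedTools: ReadonlySet<string>;
  // Explicit, per-target approvals granted by a human reviewer.
  approvals: ReadonlyArray<{ tool: string; target: string }>;
}

type Decision = "allow" | "needs_approval" | "deny";

interface LedgerEntry {
  seq: number;
  actorId: string;
  workspace: string;
  tool: string;
  effect: Effect;
  target: string;
  decision: Decision;
  reason: string;
}

class PolicyEngine {
  private readonly ledger: LedgerEntry[] = [];

  // Every evaluation, allowed or not, is appended to the ledger before the
  // decision is returned, so the trail also records what was refused.
  evaluate(call: ToolCall, session: Session): Decision {
    const [decision, reason] = this.decide(call, session);
    this.ledger.push({
      seq: this.ledger.length + 1,
      actorId: session.actorId,
      workspace: session.workspace,
      tool: call.tool,
      effect: call.effect,
      target: call.target,
      decision,
      reason,
    });
    return decision;
  }

  private decide(call: ToolCall, s: Session): [Decision, string] {
    // Identity/workspace boundary: a session acts only inside its own workspace.
    if (call.workspace !== s.workspace) return ["deny", "workspace mismatch"];
    // Tool passport: tools outside the session's scope are never reachable.
    if (!s.allowedTools.has(call.tool)) return ["deny", "tool not in passport"];
    // Reads are observable and have no external effect: allow.
    if (call.effect === "read") return ["allow", "read-only"];
    // Read-only mode: no effects at all, whatever approvals exist.
    if (s.mode === "readonly") return ["deny", "session is read-only"];
    // Scoped/production: an effect needs an approval for this exact tool+target.
    const approved = s.approvals.some(a => a.tool === call.tool && a.target === call.target);
    if (!approved) return ["needs_approval", `${call.effect} effect on ${call.target} not approved`];
    return ["allow", "explicitly approved"];
  }

  auditTrail(): ReadonlyArray<LedgerEntry> {
    return this.ledger;
  }
}

// Constructed sample session and calls (hypothetical tool names).
function demo(): { results: Decision[]; ledger: ReadonlyArray<LedgerEntry> } {
  const engine = new PolicyEngine();
  const session: Session = {
    actorId: "agent-7",
    workspace: "ws-alpha",
    mode: "scoped",
    allowedTools: new Set(["repo.read", "db.write", "http.post"]),
    approvals: [{ tool: "db.write", target: "staging-db" }],
  };
  const results: Decision[] = [
    engine.evaluate({ tool: "repo.read", effect: "read", workspace: "ws-alpha", target: "main" }, session),
    engine.evaluate({ tool: "db.write", effect: "write", workspace: "ws-alpha", target: "staging-db" }, session),
    engine.evaluate({ tool: "db.write", effect: "write", workspace: "ws-alpha", target: "prod-db" }, session),
    engine.evaluate({ tool: "http.post", effect: "external", workspace: "ws-beta", target: "api.example.com" }, session),
    engine.evaluate({ tool: "shell.exec", effect: "write", workspace: "ws-alpha", target: "host" }, session),
  ];
  return { results, ledger: engine.auditTrail() };
}
```

The approval is keyed on the exact tool and target, so an approval for a staging write cannot be reused against production, and the ledger records the refusals as well as the allowed calls.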
6 covered, 3 partial, 1 gap (of 10)
| ID | Risk | Description | Status | Evidence |
|---|---|---|---|---|
| ASI01 | Agent Goal Hijack | Adversarial inputs redirect agent goals. | Covered | Firewall approval engine + write-policy.ts |
| ASI02 | Tool Misuse | Tools invoked outside intended scope. | Covered | Tool passport + approval-engine scope check |
| ASI03 | Identity & Privilege Abuse | Agents assume higher privileges than granted. | Covered | Identity-boundary adapter + actor session binding |
| ASI04 | Supply Chain | Compromised dependencies or adapters. | Partial | npm audit (2 moderate) + adapter allowlist |
| ASI05 | Code Execution | Untrusted code execution by agent. | Covered | Runtime sandbox + exec approval gate |
| ASI06 | Memory Poisoning | Corrupting agent memory to alter behavior. | Covered | JSON store with audit log + write-policy integrity checks |
| ASI07 | Insecure Communication | Unencrypted or unauthenticated agent channels. | Covered | Bearer token on bridge + HTTPS via Cloudflare |
| ASI08 | Cascading Failures | One agent's failure breaks others. | Partial | Adapter fallback chain; no circuit breaker yet |
| ASI09 | Human Attack Vector | Social engineering through agent output. | Partial | Firewall evaluates; no human-in-the-loop UI yet |
| ASI10 | Overwhelming Agent | Resource exhaustion through prompt flooding. | Gap | Rate limiting not implemented; planned for next sprint |
FridayOS keeps security decisions visible through identity boundary checks, workspace validation, write policy, firewall review, provider redaction and API contract tests.
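Provider redaction and an API contract check, as an added example of the "expose configured state without returning raw key values" principle. This is illustrative code, not FridayOS's health check or its contract tests; the config shape, the secret field-name pattern and the sample providers (with fake placeholder keys) are assumptions. It layers two defences: redaction by field name, and a value scrub plus leak check so that a secret that landed under an unexpected field name still cannot reach the response.

```typescript
// Added example (not FridayOS code): redact provider state for a readiness
// response and verify that no raw secret value survives serialization.
// Field names, provider names and keys below are hypothetical placeholders.

interface ProviderConfig {
  name: string;
  baseUrl: string;
  model: string;
  apiKey?: string;                 // the secret; must never be returned
  extra?: Record<string, unknown>; // free-form settings; may hide secrets under odd names
}

const SECRET_FIELD = /key|token|secret|password|authorization/i;
const REDACTED = "[redacted]";

// Layer 1: redact by field name, recursively, so nested secret-looking fields
// (e.g. extra.orgToken) never reach the output.
function redactByName(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redactByName);
  if (value && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = SECRET_FIELD.test(k) ? REDACTED : redactByName(v);
    }
    return out;
  }
  return value;
}

// Layer 2: scrub every known secret *value* from the serialized text, so a
// key pasted into a "notes" field (a name layer 1 would not catch) is removed.
function scrubValues(json: string, secrets: string[]): string {
  return secrets.reduce((acc, s) => acc.split(s).join(REDACTED), json);
}

interface ProviderStatus {
  name: string;
  configured: boolean; // "is a key present" is exposed; the key itself is not
  details: unknown;
}

function readinessReport(configs: ProviderConfig[]): string {
  const secrets = configs.map(c => c.apiKey ?? "").filter(s => s.length > 0);
  const statuses: ProviderStatus[] = configs.map(c => ({
    name: c.name,
    configured: Boolean(c.apiKey && c.apiKey.length > 0),
    // apiKey is deliberately not copied into details at all.
    details: redactByName({ baseUrl: c.baseUrl, model: c.model, extra: c.extra ?? {} }),
  }));
  return scrubValues(JSON.stringify(statuses), secrets);
}

// Contract check: the serialized report must not contain any secret value.
function leaksSecret(report: string, secrets: string[]): boolean {
  return secrets.some(s => s.length > 0 && report.includes(s));
}

// Constructed sample configs (keys are fake placeholders, not real credentials).
const SAMPLE: ProviderConfig[] = [
  { name: "openai", baseUrl: "https://api.openai.com", model: "gpt-x", apiKey: "sk-FAKE-1234567890" },
  {
    name: "local",
    baseUrl: "http://localhost:11434",
    model: "llama",
    extra: { orgToken: "tok-FAKE-999", notes: "temp key sk-FAKE-1234567890 used for smoke test" },
  },
  { name: "anthropic", baseUrl: "https://api.anthropic.com", model: "claude-x", apiKey: "" },
];

// Hypothetical contract test: what a readiness endpoint returns must pass leaksSecret().
function sampleReportIsClean(): boolean {
  return !leaksSecret(readinessReport(SAMPLE), ["sk-FAKE-1234567890", "tok-FAKE-999"]);
}
```

The value scrub only knows the secrets the process itself holds, so it is a second line of defence, not a substitute for never copying secret fields into the response in the first place; the contract check is what turns that intent into something a test can fail on.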