Arcana runs AI agents in production. Security is not optional.

| Version | Supported |
|---|---|
| 0.x (current) | Yes |

Do not open a public GitHub issue for security vulnerabilities.
Email security@arcana.io with:
- Description of the vulnerability
- Steps to reproduce
- Affected components (CRD, service, protocol)
- Potential impact assessment

You will receive an acknowledgment within 48 hours and a detailed response within 7 days.

| Area | Examples |
|---|---|
| CRD validation | Bypassing schema validation or admission webhooks |
| Sandbox escapes | Breaking out of gVisor/Kata isolation |
| Tenant isolation | Cross-tenant data access or resource manipulation |
| Protocol handling | Injection, replay, or spoofing in MCP/A2A/ACP |
| Guardrail bypasses | Circumventing Ward content filters or OPA policies |
| Auth/authz | RBAC/ABAC policy bypasses via ArcanaRole |
| Secret handling | Exposure of credentials, tokens, or API keys |
| Supply chain | Compromised dependencies or container images |

Arcana implements security at every layer:
- Agent Plane — Sandboxed execution (gVisor/Kata), per-agent network policies
- Govern Plane — OPA constraint templates, KubeArmor runtime enforcement, Ward input/output filtering
- Ops Plane — mTLS between all services, secret rotation via External Secrets Operator
- Data Plane — Tenant-scoped data isolation, encrypted storage at rest

For implementation details:
- Sandbox Security — isolation architecture and controls
- TLS Setup — mTLS between services
- Secrets Management — ESO, Vault, rotation