Security

Defaults that survive Tuesday morning.

Agent safety is mostly architecture, not patches. Tutti was designed so the safe path is the easy path: secrets stay out of prompts, tool inputs are sanitised, outputs are quarantined, destructive actions pause.

Defence in depth

Six layers between an LLM and your prod.

01

Secrets never reach the model.

SecretsManager redacts known patterns (Anthropic, OpenAI, GitHub, Google, Bearer tokens) from event payloads, error messages, and tool outputs. Provider keys are resolved with `SecretsManager.optional()` — never logged, never serialised, never written to disk.

redact-pii, no-secrets, env-only
02

Voices declare what they touch.

Every voice declares its `required_permissions` (filesystem, network, shell, browser). The PermissionGuard enforces them at runtime — an agent without `network` cannot make HTTP requests, regardless of what the LLM tries to do.

filesystem, network, shell, browser
03

Tool inputs are sanitised before they execute.

All tool inputs are validated with Zod schemas. PathSanitizer blocks `/etc/passwd`, `~/.ssh`, `/proc`, `/sys`, `/dev`. UrlSanitizer blocks `file:`, `javascript:`, `data:`, and private network ranges. Tool calls are rate-limited (`max_tool_calls` default 20) and time-limited (`tool_timeout_ms` default 30s).

zod-input, path-sandbox, url-allowlist, rate-limit
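As an added example (not Tutti's own code), a TypeScript sketch of the two checks this layer describes: a path guard that expands `~` and resolves `../` before matching the blocked locations, and a URL guard that rejects the named schemes and private or loopback hosts. The http(s)-only allowlist, the function names, the `home` parameter and the IPv6 handling are assumptions.

```typescript
import * as path from "node:path";
import * as os from "node:os";

// Constructed blocklist mirroring the paths the page names; not Tutti's own list.
const BLOCKED_PATH_ROOTS = ["/etc/passwd", "/proc", "/sys", "/dev"];
const BLOCKED_SCHEMES = new Set(["file:", "javascript:", "data:"]);

// Deny a filesystem path if, after ~ expansion and ../ normalisation, it is or
// sits under a blocked root. Matching the raw string would miss traversal.
export function isPathAllowed(input: string, home: string = os.homedir()): boolean {
  const expanded = input === "~" || input.startsWith("~/") ? path.join(home, input.slice(1)) : input;
  const resolved = path.resolve(expanded);
  const roots = [...BLOCKED_PATH_ROOTS, path.join(home, ".ssh")];
  // Compare on a path-separator boundary so "/devices" is not caught by "/dev".
  return !roots.some((r) => resolved === r || resolved.startsWith(r + path.sep));
}

// RFC 1918 ranges, loopback, link-local (169.254.0.0/16) and "this network".
function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Deny the blocked schemes, anything that is not http(s) (assumed allowlist),
// and hosts on private or loopback ranges. The WHATWG URL parser canonicalises
// hex/octal/decimal IPv4 spellings, so "0x7f.0.0.1" arrives here as "127.0.0.1".
export function isUrlAllowed(raw: string): boolean {
  let url: URL;
  try { url = new URL(raw); } catch { return false; } // unparsable: fail closed
  if (BLOCKED_SCHEMES.has(url.protocol)) return false;
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  // IPv6 hostnames keep their brackets: loopback, unique-local (fc00::/7), link-local.
  if (host === "[::1]" || host.startsWith("[fc") || host.startsWith("[fd") || host.startsWith("[fe80")) return false;
  if (isPrivateIPv4(host)) return false;
  // A public hostname can still resolve to a private address; a complete guard
  // re-checks the resolved IP at connect time rather than trusting the string.
  return true;
}
```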
04

Tool outputs are quarantined.

PromptGuard scans every tool result before it reaches the model. Pattern-matching detects known injection payloads, structural validation rejects schema-violating output, and boundary markers wrap untrusted content the model is trained to recognise as data.

pattern-detect, schema-validate, boundary-wrap
05

Destructive tools gate behind approval.

Tools marked `destructive: true` (post, delete, send, pay) automatically pause for operator approval via the InterruptStore — even with no `requireApproval` config. Operators approve or deny via the `tutti-ai interrupts` TUI, the SSE stream, or the REST API.

destructive-flag, hitl-gate, audit-log
06

Budgets are hard limits.

Per-agent budgets cap token usage and cost. The agent loop is halted when the budget is exceeded — no runaway loops, no surprise invoices. Score-file validation (Zod) rejects negative limits and dangling references at load time.

token-cap, cost-cap, score-validate
Disclosure

Reporting a vulnerability.

Email security@tutti-ai.com with the details. We acknowledge within 48 hours and target a fix within 7 days for critical issues. Please don’t open public issues for security reports.

What to include

  1. Description of the vulnerability
  2. Steps to reproduce
  3. Affected versions
  4. Potential impact

We follow responsible disclosure. Researchers are credited in release notes (or kept anonymous on request).

Compliance

No certifications to claim — yet.

Tutti is open-source software you self-host on your own infrastructure. There is no Tutti-operated cloud service today, so there is nothing for SOC 2, ISO 27001, HIPAA, or similar audits to attest to. Your compliance posture is whatever your own infrastructure carries — Tutti runs as a Node process inside it, with the security defaults documented above.

If a hosted offering ships in the future, this section will say what it covers and what it does not — never before the audit is real.

Supply chain

Signed releases, pinned deps.