Threat Model

Harness is local-first and single-owner by default.

The main threats are external: network attackers, hostile inputs, compromised extensions, confused-deputy tool calls, unauthorized secret access, and unreviewed workspace mutation.

The owner and the owner-authorized agent form the trust context. If the owner grants an agent shell access, the harness must not pretend that hiding a tool result from that agent is a security control: the agent's capability level is the security boundary.

v0 controls:

  • broker all extension authority through Kratos
  • deny, or prompt the owner, before dangerous git and filesystem actions
  • store audit records for material decisions
  • hash-chain event and audit logs so that after-the-fact edits or deletions are detectable
  • keep private project doctrine outside distribution repos
  • avoid requiring a cloud database or hosted sync
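
The hash-chaining control above, as an added illustration that is not Harness or Kratos code: each audit record stores the hash of its predecessor, so a verifier walking the log from a fixed genesis value detects any edited, removed or reordered record at the first entry whose chain no longer matches. Record fields and the sample decisions are constructed for the example.

```python
import copy
import hashlib
import json

# Fixed starting value for the chain; a real log would pin this per log file.
GENESIS = "0" * 64


def record_hash(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so the same record always
    # hashes the same way regardless of how it was serialized on disk.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_record(log, record):
    # Link the new entry to the hash of the previous one (or GENESIS if empty).
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "prev": prev, "hash": record_hash(prev, record)}
    log.append(entry)
    return entry


def verify_chain(log):
    # Returns (True, None) if intact, else (False, index of first bad entry).
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != expected_prev:
            return False, i  # a predecessor was removed, reordered or altered
        if record_hash(entry["prev"], entry["record"]) != entry["hash"]:
            return False, i  # this entry's own content was altered
        expected_prev = entry["hash"]
    return True, None


def build_sample_log():
    # Constructed sample of "material decisions"; field names are hypothetical.
    log = []
    append_record(log, {"seq": 1, "tool": "shell", "decision": "ask", "cmd": "git push --force"})
    append_record(log, {"seq": 2, "tool": "fs", "decision": "deny", "path": "/etc/passwd"})
    append_record(log, {"seq": 3, "tool": "shell", "decision": "allow", "cmd": "git status"})
    return log


def tamper(log, index, field, value):
    # Simulate an after-the-fact edit of one stored record, leaving hashes as they were.
    edited = copy.deepcopy(log)
    edited[index]["record"][field] = value
    return edited
```

Deleting an entry is caught the same way: the entry that follows the gap carries a `prev` that no longer matches the hash the verifier expects.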

Multi-tenant isolation is a future opt-in mode, not the default.