Credential vault
All third-party credentials (API keys, OAuth tokens, service account files) are stored in the CloudSwarm vault — encrypted at rest, decrypted only inside the agent execution sandbox, and never written to logs. The vault is backed by GCP Secret Manager with customer-controlled encryption keys on the Business and CanadianClaw tiers. Credentials are provisioned once and referenced by name; agents never hold cleartext secrets in their instructions or context window.
Policy DSL (Cedar substrate landing v1.1)
Every external action an agent wants to take passes through a policy evaluation. CloudSwarm v1.0 ships a Go-evaluated subset of Cedar's policy set; the full statically-typed Cedar evaluator lands in v1.1. Neither substrate can escape its sandbox: no eval, no shell-out, no network egress from inside a policy. CloudSwarm ships default policies at workspace creation; advanced users can author Cedar-shaped policies to restrict agents to specific hosts, HTTP methods, spend limits, and time windows. Policy violations are hard-blocked, not soft-logged.
Trust-model tiers
CloudSwarm agents run at one of five trust levels (L0 through L4). L0 is shadow mode: the agent observes but cannot act. L4 is fully autonomous. You promote an agent from one tier to the next after reviewing its behavior. Most production agents operate at L2 or L3, which means they act but wait for human approval on actions above a configurable spend ceiling. This is not a cosmetic feature; the execution engine enforces it at the call site, not at the UI layer.
Signed receipts
Every agent action produces an Ed25519-signed receipt compatible with the TrueCom protocol. Receipts are Merkle-chained and verifiable offline; they record which skill ran, which credential was used, the cost, and the outcome hash. Receipts are retained for the full contractual period and are exportable on request. The audit log is append-only; receipts cannot be deleted or modified after issuance.
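How an auditor can check such a chain offline with only the issuer's public key, as an added example in Go (the platform's evaluator language) that is not CloudSwarm's or TrueCom's own code: it assumes a minimal receipt shape with illustrative field names and a SHA-256 link from each receipt to the signed body of its predecessor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)
type Receipt struct { // assumed wire shape; the real TrueCom field names are not on the page
	Skill       string  `json:"skill"`
	Credential  string  `json:"credential"` // referenced by name, never the secret itself
	CostUSD     float64 `json:"cost_usd"`
	OutcomeHash string  `json:"outcome_hash"`
	Prev        string  `json:"prev"` // SHA-256 of the previous receipt's signed body ("" for the first)
	Sig         string  `json:"sig,omitempty"`
}
// body is the canonical bytes the signature covers: every field except the signature itself.
func (r Receipt) body() []byte {
	r.Sig = ""
	b, _ := json.Marshal(r) // encoding/json emits struct fields in declaration order, so this is stable
	return b
}
// BodyHash is the link value the next receipt must carry in Prev.
func BodyHash(r Receipt) string {
	sum := sha256.Sum256(r.body())
	return hex.EncodeToString(sum[:])
}
// Append links r to the last receipt in chain, signs it, and returns the extended chain.
func Append(chain []Receipt, r Receipt, priv ed25519.PrivateKey) []Receipt {
	r.Prev = ""
	if n := len(chain); n > 0 {
		r.Prev = BodyHash(chain[n-1])
	}
	r.Sig = hex.EncodeToString(ed25519.Sign(priv, r.body()))
	return append(chain, r)
}
// VerifyChain returns the index of the first bad receipt and false, or len(chain) and true.
func VerifyChain(chain []Receipt, pub ed25519.PublicKey) (int, bool) {
	prev := ""
	for i, r := range chain {
		sig, err := hex.DecodeString(r.Sig)
		// A broken link (edited, reordered or deleted predecessor) or a bad signature (edited body) stops the walk.
		if err != nil || r.Prev != prev || !ed25519.Verify(pub, r.body(), sig) {
			return i, false
		}
		prev = BodyHash(r)
	}
	return len(chain), true
}
```

Because each receipt's Prev is covered by its own signature, an attacker holding no signing key can neither edit a cost field nor drop an earlier receipt without the walk failing at that index.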
Multi-tenancy isolation
CloudSwarm is multi-tenant by default. Tenant isolation is enforced at four layers: per-workspace credential namespacing, per-workspace policy namespace, per-workspace audit log index, and execution sandbox isolation on the Heroa substrate. A workspace's agents cannot read another workspace's credentials, policies, or logs. Enterprise customers receive single-tenant VPC isolation with a dedicated Heroa runtime instance.
CanadianClaw sovereign posture
CanadianClaw is the single-tenant British Columbia (BC), Canada deployment of CloudSwarm. It runs on dedicated Heroa infrastructure in the Cube Global Vancouver colo. No data crosses the US border. The MSA is with a Canadian entity and enforceable in BC courts. Personnel with access to the substrate are Canadian residents. A SOC 2 report is in progress; a summary letter is available under NDA for Canadian public-sector procurement.
Network surface
The CloudSwarm platform API accepts traffic on HTTPS only (TLS 1.3 minimum). The managed skill-runner has outbound egress only to the allow-listed hosts in your policy DSL. By default, no skill can reach hosts not in the vault's allow-list for your workspace. The allow-list is inspectable and exportable from the workspace settings panel.
Vulnerability disclosure
Security reports go to [email protected]. The PGP key fingerprint is available on request. Critical reports are acknowledged within one business day and triaged within three. In scope: vault isolation breaks, Cedar sandbox escapes, receipt forgery, multi-tenancy boundary violations, trust-tier enforcement bypasses. Out of scope: denial of service against the marketing site; social engineering. Eligible reports receive acknowledgment under our coordinated-disclosure program.
Questions or reports?
Email [email protected] for security matters or [email protected] for general inquiries.