
Security Model

| Threat | How |
| --- | --- |
| Agent leaking API keys | Keys never enter the sandbox — injected on the wire |
| Agent calling unauthorized APIs | Policy enforcement blocks disallowed domains/methods/paths |
| Agent exfiltrating data | Default-deny policies restrict outbound access |
| Credential theft at rest | AES-256-GCM encryption in the database |
| Session hijacking | Per-sandbox tokens with TTL, revocable instantly |
| PII in API requests | Pattern-based detection with redact/block actions |
| Threat | Why |
| --- | --- |
| Agent with root access | Root can tear down iptables and bypass the proxy |
| Sandbox escape | That's the sandbox provider's job (E2B, Docker isolation) |
| Compromised gateway | If the gateway is compromised, credentials are exposed |

The agent must not have root access. With root, the agent can run `iptables -F` to flush the proxy rules and reach the internet directly, bypassing the gateway entirely.

| Provider | Root access | Action needed |
| --- | --- | --- |
| E2B | Non-root by default | None |
| Docker | Root by default | Add `USER` to Dockerfile |
| Modal | gVisor (virtualized root) | Use proxy mode |

Credentials are encrypted at rest using AES-256-GCM:

```
Plaintext: "Bearer sk-proj-abc123..."
Stored as: "ENCRYPTED:<base64(nonce + ciphertext + tag)>"
```

The encryption key is a 64-character hex string (32 bytes). Credentials are decrypted only in memory during request processing.
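An added example (not Sylo's own code) of the at-rest format described above in Go: the 64-character hex key is parsed to 32 bytes, a fresh random nonce is drawn per record, and nonce + ciphertext + tag are base64-encoded behind the `ENCRYPTED:` prefix. The function names and error handling are assumptions; the format and key size come from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"strings"
)

const prefix = "ENCRYPTED:" // marker for sealed at-rest records (from the page)

// newGCM turns the 64-character hex key (32 bytes) into an AES-256-GCM AEAD.
func newGCM(hexKey string) (cipher.AEAD, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil || len(key) != 32 {
		return nil, errors.New("encryption key must be 64 hex characters (32 bytes)")
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals a credential as "ENCRYPTED:<base64(nonce + ciphertext + tag)>".
// A fresh 12-byte nonce per record matters: GCM breaks if a nonce repeats under one key.
func Encrypt(hexKey, plaintext string) (string, error) {
	gcm, err := newGCM(hexKey)
	if err != nil { return "", err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	// Seal appends ciphertext||tag to its first argument, so the nonce leads the blob.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return prefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt. A wrong key or any modified byte fails tag verification
// and returns an error rather than garbage plaintext.
func Decrypt(hexKey, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, prefix))
	if err != nil || !strings.HasPrefix(stored, prefix) {
		return "", errors.New("malformed encrypted record")
	}
	gcm, err := newGCM(hexKey)
	if err != nil { return "", err }
	if len(raw) < gcm.NonceSize()+gcm.Overhead() { return "", errors.New("encrypted record too short") }
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil { return "", err } // wrong key or tampered record
	return string(pt), nil
}
```

The plaintext only exists as the returned string in memory; the stored form carries no recoverable credential without the key.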

```
                 ┌──────────────────────────────────────┐
                 │ Sylo Gateway                         │
                 │                                      │
Sandbox ──TLS──▶ │ Tunnel Server (:8443)                │
                 │        │                             │
                 │        ▼                             │
                 │ mitmproxy (:8080)                    │
                 │   ├── reads session from Redis       │
                 │   ├── injects credentials            │
                 │   ├── enforces policies              │
                 │   └── writes audit to Postgres       │
                 │        │                             │
                 │        ▼                             │
                 │ Real API                             │
                 └──────────────────────────────────────┘
```

If you find a security vulnerability, please report it via GitHub Security Advisories.