Trust Center
Triggerfish enforces security in deterministic code below the LLM layer — not in prompts the model might ignore. Every policy decision is made by code that cannot be influenced by prompt injection, social engineering, or model misbehavior. See the full Security-First Design page for the deep technical explanation.
Security Controls
These controls are active in the current release. Each is enforced in code, tested in CI, and auditable in the open-source repository.
| Control | Status | Description |
|---|---|---|
| Sub-LLM Policy Enforcement | ACTIVE | Eight deterministic hooks intercept every action before and after LLM processing. The model cannot bypass, modify, or influence security decisions. |
| Data Classification System | ACTIVE | Four-level hierarchy (PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED) with mandatory no-write-down enforcement. |
| Session Taint Tracking | ACTIVE | Every session tracks the highest classification of data accessed. Taint only escalates, never decreases. |
| Immutable Audit Logging | ACTIVE | All policy decisions logged with full context. Audit logging cannot be disabled by any component of the system. |
| Secrets Isolation | ACTIVE | Credentials stored in OS keychain or vault. Never in config files, storage, logs, or LLM context. |
| Plugin Sandboxing | ACTIVE | Third-party plugins run in a Deno + WASM double sandbox (Pyodide). No undeclared network access, no data exfiltration. |
| Dependency Scanning | ACTIVE | Automated vulnerability scanning via GitHub Dependabot. PRs opened automatically for upstream CVEs. |
| Open Source Codebase | ACTIVE | Full security architecture is Apache 2.0 licensed and publicly auditable. |
| On-Premises Deployment | ACTIVE | Runs entirely on your infrastructure. No cloud dependency, no telemetry, no external data processing. |
| Encryption | ACTIVE | TLS for all data in transit. OS-level encryption at rest. Enterprise vault integration available. |
| Responsible Disclosure Program | ACTIVE | Documented vulnerability reporting process with defined response timelines. See disclosure policy. |
| Hardened Container Image | PLANNED | Docker images on Google Distroless base with near-zero CVEs. Automated Trivy scanning in CI. |
Defense in Depth — 13 Independent Layers
No single layer is sufficient alone. If one layer is compromised, the remaining layers continue to protect the system.
| Layer | Name | Enforcement |
|---|---|---|
| 01 | Channel Authentication | Code-verified identity at session establishment |
| 02 | Permission-Aware Data Access | Source system permissions, not system credentials |
| 03 | Session Taint Tracking | Automatic, mandatory, escalation-only |
| 04 | Data Lineage | Full provenance chain for every data element |
| 05 | Policy Enforcement Hooks | Deterministic, non-bypassable, logged |
| 06 | MCP Gateway | Per-tool permissions, server classification |
| 07 | Plugin Sandbox | Deno + WASM double sandbox (Pyodide) |
| 08 | Secrets Isolation | OS keychain or vault, below LLM layer |
| 09 | Filesystem Tool Sandbox | Path jail, path classification, taint-scoped I/O |
| 10 | Agent Identity & Delegation | Cryptographic delegation chains |
| 11 | Audit Logging | Cannot be disabled |
| 12 | SSRF Prevention | IP denylist + DNS resolution checks |
| 13 | Memory Classification Gating | Write at own level, read down only |
Read the full Defense in Depth architecture documentation.
Why Sub-LLM Enforcement Matters
Most AI agent platforms enforce security through system prompts — instructions to the LLM saying "do not share sensitive data." Prompt injection attacks can override these instructions.
Triggerfish takes a different approach: the LLM has zero authority over security decisions. All enforcement happens in deterministic code below the LLM layer. There is no pathway from LLM output to security configuration.
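To make the Data Classification and Session Taint Tracking controls above and the sub-LLM enforcement argument concrete, here is an added illustration (not Triggerfish's own code) of a deterministic policy hook: a four-level lattice, a session taint that only ever rises, and a no-write-down check that runs before a tool call without reading the model's output. The `Session`, `policy_hook` and action-dict shape are assumptions for this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Tuple


class Level(IntEnum):
    # Ordered: a higher value means more sensitive data.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass
class Session:
    # Highest classification touched so far; starts at the bottom.
    taint: Level = Level.PUBLIC
    # Append-only audit trail; nothing here offers a way to clear it.
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def _log(self, action: str, target: str, verdict: str) -> None:
        self.audit.append((action, target, verdict))

    def read(self, source: str, level: Level) -> bool:
        # Reading raises the taint via max(); it is never assigned
        # downward, so the taint can only escalate.
        self.taint = max(self.taint, level)
        self._log("read", source, f"ALLOW taint={self.taint.name}")
        return True

    def write(self, sink: str, sink_level: Level) -> bool:
        # No-write-down: data may not flow to a sink classified below
        # the session's current taint.
        if sink_level < self.taint:
            self._log("write", sink, f"DENY {self.taint.name}->{sink_level.name}")
            return False
        self._log("write", sink, "ALLOW")
        return True


def policy_hook(session: Session, action: dict) -> bool:
    """Runs before every tool call; the LLM's text is never consulted."""
    kind = action["kind"]
    if kind == "read":
        return session.read(action["target"], Level[action["level"]])
    if kind == "write":
        return session.write(action["target"], Level[action["level"]])
    # Unknown action kinds fail closed and are still recorded.
    session._log(kind, action.get("target", "?"), "DENY unknown action")
    return False
```

Because `policy_hook` takes only structured action data, a prompt-injected instruction to "ignore classification" has no code path through which to change the verdict.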
Compliance Roadmap
Triggerfish is pre-certification. Our security posture is architectural and verifiable in source code today. Formal certifications are on the roadmap.
| Certification | Status | Notes |
|---|---|---|
| SOC 2 Type I | PLANNED | Security + Confidentiality trust services criteria |
| SOC 2 Type II | PLANNED | Sustained control effectiveness over observation period |
| HIPAA BAA | PLANNED | Business associate agreement for healthcare customers |
| ISO 27001 | PLANNED | Information security management system |
| Third-Party Penetration Test | PLANNED | Independent security assessment |
| GDPR Compliance | PLANNED | Self-hosted architecture with configurable retention and deletion |
A Note on Trust
The security core is open source under Apache 2.0. You can read every line of policy enforcement code, run the test suite, and verify claims yourself. Certifications are on the roadmap.
Audit the Source
The full Triggerfish codebase is available at github.com/greghavens/triggerfish — Apache 2.0 licensed.
Vulnerability Reporting
If you discover a security vulnerability, please report it through our Responsible Disclosure Policy. Do not open public GitHub issues for security vulnerabilities.
