Security

Defense in depth for AI agents

MUXI implements multiple security layers: transport encryption, authentication, secrets encryption, and user isolation.

Security Layers

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                Internet                 โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                     โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚      TLS/HTTPS (Transport Encryption)   โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                     โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚     HMAC Authentication (Server API)    โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                     โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚       API Keys (Formation Access)       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                     โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚     User Isolation (Data Separation)    โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                     โ†“
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚   Encrypted Secrets (Credential Store)  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Authentication

Server API (HMAC)

The management API uses HMAC-SHA256 signatures:

Signature = HMAC-SHA256(secret, timestamp + method + path + body_hash)

Headers:

X-MUXI-Key-ID: MUXI_abc123
X-MUXI-Timestamp: 1705484123
X-MUXI-Signature: base64(signature)

Properties:

  • Time-limited - 5 minute window prevents replay
  • Request-bound - Signature includes request body
  • Tamper-proof - Any modification invalidates signature

Formation API (Keys)

Formations use simpler API keys:

Key Type Header Access
Admin X-Muxi-Admin-Key Full access
Client X-Muxi-Client-Key Chat only

Secrets Encryption

Why Not Environment Variables

Risk Env Vars MUXI
Visible in ps output โœ— Yes โœ“ No
Logged in crash dumps โœ— Yes โœ“ No
Leaked in CI/CD logs โœ— Often โœ“ Never

Encryption Details

  • Algorithm: AES-256-GCM
  • Key derivation: PBKDF2
  • Separation: .key stored separately from secrets.enc
formation/
โ”œโ”€โ”€ secrets.enc    # Safe to commit
โ””โ”€โ”€ .key           # NEVER commit

There's no recovery without the .key file. This is intentional security.

Auditing & tool controls

  • All key actions (requests, tool calls, A2A) emit events to observability streams for audit.
  • Outbound tools/A2A should be allowlisted and scoped per formation; combine with rate limits and timeouts.
  • Prefer redirect-mode user credentials for enterprise; dynamic mode should be gated by accept_inline on the MCP server.

User Isolation

Memory Isolation

Each user's data is completely separated:

User A: "My API key is xyz"
        โ†“ Stored under user_a

User B: "What's my API key?"
        โ†“ Searches user_b namespace
        โ†’ "I don't have that information"

Multi-Tenant Support

Use compound user IDs for tenant isolation:

X-Muxi-User-Id: tenant_a:user_123
X-Muxi-User-Id: tenant_b:user_456

Tool Security

Filesystem Restrictions

# mcp/filesystem.afs
schema: "1.0.0"
id: filesystem
type: command
command: npx
args:
  - "-y"
  - "@modelcontextprotocol/server-filesystem"
  - "/home/user/documents"    # Allowed
  - "/home/user/projects"     # Allowed
  # /etc - Not listed = not allowed
  # /root - Not listed = not allowed

Never allow root (/) or sensitive directories in allowed_directories.

Credential Isolation

Each tool gets only its required secrets:

# mcp/github.afs - only gets GITHUB_TOKEN
schema: "1.0.0"
id: github
type: command
command: npx
args: ["-y", "@modelcontextprotocol/server-github"]
auth:
  type: env
  GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
  # Cannot access OPENAI_API_KEY or DATABASE_URL
# mcp/database.afs - only gets DATABASE_URL
schema: "1.0.0"
id: database
type: command
command: npx
args: ["-y", "@modelcontextprotocol/server-postgres"]
auth:
  type: env
  DATABASE_URL: "${{ secrets.DATABASE_URL }}"
  # Cannot access GITHUB_TOKEN

Network Security

TLS Configuration

Always use TLS in production:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;

Firewall Rules

# Allow HTTPS
sudo ufw allow 443/tcp

# Block direct server access (proxy handles it)
sudo ufw deny 7890/tcp

# Block formation ports from outside
sudo ufw deny 8000:9000/tcp

Production Checklist

  • Auth enabled: auth.enabled: true
  • TLS configured: HTTPS on all endpoints
  • Secrets encrypted: Using .key + secrets.enc
  • .key secured: Not in git, backed up safely
  • Firewall set: Only 443 exposed
  • Tool paths restricted: Minimal allowed_directories
  • Keys rotated: Regular rotation schedule
  • Logs reviewed: Not exposing secrets

Vulnerability Reporting

Report security issues to: security@muxi.org

We follow responsible disclosure and will:

  1. Acknowledge within 24 hours
  2. Investigate and provide timeline
  3. Credit reporters (unless anonymity requested)

Security Defaults

MUXI ships secure by default:

Setting Default Why
Auth Enabled Prevent unauthorized access
Secrets Encrypted No env var leakage
Filesystem Restricted No unrestricted access
Logging No secrets Secrets never logged

Next Steps

Authentication - HMAC setup details
Secrets - Managing credentials
Production - Deployment hardening


Home Docs SDKs
Star on GitHub