Security

VaultCrux Shield

Security controls are presented as operational behavior, not slogans.

Shield modules

  • Trust registry: pin and validate trusted server digests.
  • Capability firewall: deny by default; explicitly allow safe capability paths.
  • Taint engine: tainted content cannot trigger dangerous actions.
  • Approval gate: propose, approve, execute with signed receipts.
  • Sandbox runner: isolate risky tools during execution.
  • UI sandbox: restrict untrusted tool UI behavior.

[Figure: VaultCrux Shield module map linking trust registry, capability firewall, taint engine, and approval gate]

Tool UI cannot present approvals; only VaultCrux chrome can.

In plain English: if content is tainted or untrusted, it can be read, but it cannot directly trigger dangerous actions.
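
A minimal sketch of how a deny-by-default capability check, taint propagation, and an approval receipt can combine, added here as an illustration and not VaultCrux code. The capability names, the `Value` type, `combine`, `approve`, `decide`, and the key are hypothetical, and HMAC stands in for whatever signature scheme real receipts use.

```python
import hashlib, hmac, json
from dataclasses import dataclass
from typing import Optional

# All names below are hypothetical; this is not VaultCrux's API.
SAFE = {"fs.read", "net.fetch"}          # explicitly allowed safe capability paths
GATED = {"fs.write", "email.send"}       # dangerous: need clean input and approval
RECEIPT_KEY = b"constructed-demo-key"    # constructed; stands in for a signing key

@dataclass(frozen=True)
class Value:
    data: str
    tainted: bool = False                # True for content from untrusted sources

def combine(*parts: Value) -> Value:
    """Taint propagates: one tainted input taints the whole result."""
    return Value("".join(p.data for p in parts), any(p.tainted for p in parts))

def _body(capability: str, arg: Value, approver: str) -> bytes:
    # Bind the receipt to the exact capability and argument being approved.
    digest = hashlib.sha256(arg.data.encode()).hexdigest()
    return json.dumps({"cap": capability, "arg": digest, "by": approver},
                      sort_keys=True).encode()

def approve(capability: str, arg: Value, approver: str) -> dict:
    """Approval step: issue a receipt for one proposed action."""
    mac = hmac.new(RECEIPT_KEY, _body(capability, arg, approver), hashlib.sha256)
    return {"by": approver, "mac": mac.hexdigest()}

def decide(capability: str, arg: Value, receipt: Optional[dict] = None) -> str:
    if capability in SAFE:
        return "allow"                   # tainted content may still be read
    if capability not in GATED:
        return "deny: not allowlisted"   # deny by default
    if arg.tainted:
        return "deny: tainted input"     # assumption: refused even with a receipt
    if receipt is None:
        return "deny: no approval receipt"
    want = hmac.new(RECEIPT_KEY, _body(capability, arg, receipt.get("by", "")),
                    hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, receipt.get("mac", "")):
        return "deny: receipt does not match"
    return "allow"
```

Binding the receipt to a hash of the argument means an approval for one action cannot be replayed to authorize a different one.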