← Bridle

Security & threat model

Bridle gives an AI standing access to real machines. That is the most dangerous thing software can do, so the security design is the product. Here is exactly how it works — no hand-waving.

Separate intelligence from authority

The AI reasons; it never holds authority. It can only ever call a fixed set of capabilities. The decision to allow, ask, or refuse each one is made in code that sits between the AI and your devices — not in a prompt the AI could talk its way around.

No raw shell. Ever.

There is no shell.exec, no SSH passthrough, no “run this command” anywhere in the agent. Capabilities are specific, bounded verbs (restart this container, clear temp files older than 24 hours). A request for anything outside the registry is refused by default — the agent doesn't know how to do anything else.

Policy is enforced twice

Every action is checked cloud-side before it is dispatched, and again by the agent on the device, which keeps its own copy of your policy. A device in read-only mode refuses every write locally — even if the control plane itself were compromised and told it otherwise. Defense in depth, not a single gate.

The taint rule

The classic attack on AI agents is a prompt injection: hostile text hidden in a log file or a document that tries to hijack the AI. Bridle treats any action proposed after the AI has read untrusted content as tainted, and escalates it one tier — an ALLOW becomes an ASK, so a human sees it before it runs.

Outbound-only, least privilege

The agent dials out to Bridle over an encrypted connection. It never opens a port; nothing on the internet can reach into your machine. Each device authenticates with its own token (stored only as a hash), and you can revoke any device instantly.

Dry-run previews

Before you approve a change, Bridle shows what it would actually do — “would delete 1,045 files, free 1.3 GB, nothing outside the temp directory.” An approval you can't evaluate is theater; a preview makes it a real decision.

Receipts

Every action is written to an append-only log: what the AI requested, what policy decided, who approved, and what happened. Receipts are never deleted. They are how you verify — after the fact and forever — that the system did only what it was allowed to.

Signed binaries

The agent is distributed as a cryptographically signed binary. The one-line installer verifies the signature before it runs, so you can confirm you're running exactly what we published and nothing else.

Responsible disclosure

Found something? Email security@bridlehq.com. We welcome scrutiny — a control plane with access to people's machines has to earn trust continuously, not once.

This page describes the design as built. It will grow as Bridle does.