Connection lost
Trying to reconnect…
Server didn't respond
Recovering…
Security & compliance
Built so your security team says yes.
emisar exists because giving an LLM raw shell access is reckless. Every layer here is designed so the LLM is the least-privileged participant in the system — and every action is auditable.
Trust boundary
Who can do what, by design.
The LLM is never trusted with privileged execution. It can only request actions from a catalog your team has reviewed.
Claude, Cursor, or ChatGPT asks for one catalog action over MCP — with a required reason. It never gets a shell, and undeclared commands don't exist to it.
Evaluates policy, checks scope and pack trust, routes, and writes the audit. A risky action waits for a human — and it never executes a shell itself.
Outbound WSS only — the host dials out, nothing listens. A non-root service user re-validates every argument against the schema, re-verifies the pack hash, drops to least privilege, runs argv arrays (never a shell string), and redacts before egress.
Every input, output, exit code, and redaction — a SHA-256-chained JSONL journal on the host, mirrored to the searchable cloud audit and streamable to your SIEM.
Data handling
Boring, defensible defaults.
TLS-only transport
Runners connect to the control plane over WSS using TLS 1.2+. A bootstrap key is exchanged for a per-runner token that can be revoked from the dashboard.
No inbound connections to runners
Runners are outbound-only. No ports to expose, no firewall holes, no NAT traversal. Your hosts initiate every connection.
Hash-chained audit journal
Every action is recorded to an append-only JSONL audit on the host, with each
line carrying the SHA-256 of the previous entry. Any edited line or break in the
chain is caught by emisar audit verify; the
cloud audit is the durable system of record.
Hash-pinned packs
Action packs are content-addressed. New, custom, or changed hashes block dispatch until an admin trusts the contents. Before execution, the runner recomputes the cloud-pinned hash and rejects a mismatch. This is content integrity, not publisher signing — the runner trusts the exact bytes an admin approved.
Secrets redacted before egress
20+ built-in patterns — AWS keys, common provider tokens (GitHub, Slack, Stripe, OpenAI, …), JWTs, bearer and basic auth, private-key blocks, and secret assignments — plus your own per-action rules scrub stdout and stderr on the runner before anything is forwarded. The control plane receives only the redacted stream; per-rule hit counts are recorded so you can see what was masked.
SIEM export, least-privilege token
The cloud audit is the searchable system of record. Stream it to your SIEM as NDJSON with cursor pagination, using a dedicated read-only audit key — so your SIEM never holds a token that can execute an action.
Organizational controls
The knobs your IAM team expects.
RBAC
Roles for owner, admin, operator, and viewer, plus per-user runner and runner-group scopes.
Scoped LLM access
Each MCP key is scoped — read-only, execute, or audit-only — with its own user attribution and runner filters. Keys are revocable and inherit their creator's runner scope at call time — revoke the user and every key they minted shrinks with them.
MFA
TOTP (RFC 6238) on every plan, with one-time recovery codes and replay protection. Enforce it org-wide with one switch.
SSO & SCIM
OIDC sign-in (Team and Enterprise) with Google Workspace, Okta, or Keycloak, plus SCIM directory sync (Enterprise). Offboard someone in your IdP and their emisar sessions and keys are revoked automatically — see the docs.
Independent standard
Built for “assume breach.”
Anthropic — the lab behind Claude — published Zero Trust for AI Agents, a framework for giving autonomous agents access to real systems: least agency, deny-by-default tools, human approval for high-risk actions, and an immutable audit trail. emisar enforces that control set — and assumes the agent may already be compromised, so a jailbroken or prompt-injected model still can't exceed the declared, gated, audited catalog.
Local admission control
Beyond the cloud policy, an operator can set an allow/deny list on the runner itself. Denied actions are hidden from the catalog and refused at execution — fail-closed, even against a compromised control plane. The host always has the last word.
Signed dispatch — the cloud can't act for you
A runner can be set to refuse the control plane's authority entirely: it runs only an action a real person signed in their own MCP client, with an Ed25519 key that never leaves their machine. A fully compromised emisar control plane can relay that signed request — it can never forge, alter, replay, or originate one. The signature, not the cloud, is the authority. Opt-in per runner; a runner can only make itself stricter.
Responsible disclosure
Found a security issue? We want to hear about it. Email security@emisar.dev with a description and reproduction steps. We acknowledge within one business day and credit reporters in our security advisories.
Full policy in SECURITY.md.
Ready to evaluate emisar for your team?
Start free on the Free plan, or book a walkthrough and bring your security team's questions.
Three runners. Seven-day audit. No credit card.