Skip to content
monsys.ai

Security Architecture

Trust boundaries

┌─────────┐  HTTPS + Bearer + Ed25519-sig   ┌──────────┐    pgx    ┌──────────────┐
│  Agent  │ ──────────────────────────────▶ │  Hub API │ ────────▶ │ TimescaleDB  │
└─────────┘                                 └──────────┘           └──────────────┘
     │                                          │                        │
     │  WebSocket (emergency + console RPC)     │                        │
     ▼                                          ▼                        ▼
  Honeypots                                Dashboard                 Row-Level
  Process DNA                             (Next.js +              Security per
  inotify                              HMAC + TOTP cookies)        tenant_id


  Agent → Hub : Bearer token + X-Monsys-Signature (Ed25519 over sha256(body))
  Hub   → Agent : Ed25519 emergency / console-session tokens (5-checks verify)

Trust Model

  • Agent trusts hub — for verifying Ed25519 signatures on emergency tokens.
  • Hub does NOT trust agent — each ingest-payload is validated, batch size capped, rate limit enforced.
  • Hub trusts browser session only via HMAC-signed cookies (HttpOnly, Secure, SameSite=Lax, 8u TTL).
  • Multi-tenant isolation — Postgres Row-Level Security policies prevent tenant A from seeing data of tenant B, even in case of a SQL error in the hub code.

Cryptography

PurposeAlgorithm
Session cookie HMACSHA-256
Passwordsbcrypt cost 10
Emergency tokensEd25519
Agent payload signingEd25519 (per-agent keypair, TOFU pin)
TOTP (2FA login)RFC 6238 / SHA-1
TLSLet’s Encrypt (TLS 1.3)
Webhook signingHMAC-SHA256
Agent token storageSHA-256 hash, never plaintext
Console session integritySHA-256 over append-only audit log

Agent Integrity

Since May 2026, the hub requires Ed25519 signatures on each ingest-payload once the agent’s pubkey is pinned. Token theft alone is thus insufficient — see Agent payload signing.

The hub runs an IntegrityCheckWorker that every 10 minutes checks for six categories of anomalies (clock_drift, flat_metrics, version_downgrade, unsigned_payload, signature_invalid, cadence_anomaly). Open items require admin-review; resolved items remain stored as audit trail. See Agent integrity monitoring.

Multi-layer secrets

Three types of secrets, each separately rotatable:

SecretStorageRotation endpoint
Agent bearer token/etc/monsys/agent.toml (host)POST /api/v1/agents/:id/rotate-token
Agent signing key/var/lib/monsys/agent-signing.keyPOST /api/v1/agents/:id/rotate-signing-key
Hub Ed25519 privHUB_EMERGENCY_PRIVATE_KEY env (hub)manual via key-rotate script

See Token rotation for the procedure.

What Monsys does NOT protect

  • A compromised hub-API can give instructions to all agents. Protect the hub-OS (firewall, OS patching, MFA on SSH).
  • A compromised agent host can lie about its own telemetry. Detection: comparison between multiple hosts, process DNA.
  • Insider threats — a legitimate owner can fire emergency actions. Mitigation: audit log, optional 2-of-N approval for level 3 actions (in playbooks).