Product documentation
Threat Model and Controls
Practical categories of risk and the controls that address them.
What is the Syndicate Code threat model?
Security claims in Syndicate Code are scoped by mechanism. The word "secure" is intentionally avoided unless a claim is tied to a specific mechanism, boundary, and testable scope.
"This means governance without visibility is incomplete visibility." — Syndicate Code design principle
Syndicate Code addresses practical risk categories through explicit controls in the local embedded control plane:
| Threat | Control |
|---|---|
| Prompt injection through repository content | Repository input is treated as untrusted; cannot override [policy] |
| Unauthorized side-effect execution | [Control plane] is the execution gate; permit/tool-layer validation enforces scope |
| Approval spoofing or misuse | [Digest] comparison at execution time; [event provenance] recorded |
| Insufficient post-incident traceability | Immutable [event store] with [event provenance] |
This is an [argument-bound] governance model: each [bounded claim] has explicit scope, exclusions, and failure conditions.
Why this control model exists
Three external signals shape the security posture for AI coding tool governance:
- Gravitee State of AI Agent Security 2026 reported 88% of organizations had a confirmed or suspected AI-agent incident in the prior year.
- The same report states only 47.1% of deployed AI agents are actively monitored or secured.
- The report also notes 25.5% of deployed agents can create and task other agents.
- It further reports 45.6% of environments rely on shared API keys for agent-to-agent authentication.
- OWASP ranked prompt injection as #1 in the LLM Top 10 (2025), which means input-driven instruction override is a live risk category.
These numbers do not prove Syndicate Code prevents incidents. They define why execution-layer governance, attribution, and bounded claims are required.
The essential control question is: who approved the side effect, with which exact arguments, under which policy version?
This means a security posture without execution attribution is incomplete for AI coding workflows.
Direct answer
Syndicate Code is a governance layer, not a security product. Current implementation provides:
- Policy enforcement — Control plane evaluates policy before execution
- Approval + permit flow — Approvals and permits gate execution before side effects
- Event attribution — Every execution is recorded with actor and policy context
"Within enforced execution paths, approval binding denies execution when normalized arguments diverge from the approved digest by any amount." Scope: traced code paths with enforcement. Exclusions: bypass paths, indirect execution, control plane unavailability, normalization bugs, over-permissive tool definitions.
What it does NOT prevent:
- Operator approval of harmful but syntactically valid actions
- Misconfiguration of policy rules by administrators
- Data exposure from external systems outside declared tool boundaries
Control strategy
"Control plane separation ensures model runtime compromise does not bypass governance."
Zero-Trust Cryptographic Permits
Permits are time-scoped capability leases issued by the control plane. Tools act as Policy Enforcement Points (PEPs) requiring valid signatures before execution. Execution uses Two-Phase Validation (Pre-Execution intent check and Execution Boundary actual effect check) to ensure scope normalization.
Capability scopes
Separate read/write/execute/network capability scopes prevent over-permission.
Policy enforcement
Externalized policy checks execute before any execution—not within the model runtime.
"Policy checks externalized from the model runtime prevent policy manipulation within the enforced execution path." Scope: traced execution paths. Exclusions: indirect execution paths, control plane unavailability, bypass paths.
Governance-suspended mode
--governance-suspended disables interactive checkpoints only. It does not disable policy evaluation, permit issuance, or audit writes. --no-tui is an alias that starts a suspended session with reason headless_mode_implicit.
If the active policy bundle prohibits suspended mode for the workspace, or the workspace trust tier is below minimum_auto_permit_tier_if_suspended, the session is rejected at startup with an authoritative audit event.
Approval binding
Exact-action approval binding for sensitive operations ensures approved actions match executed actions.
"Digest comparison at execution time detects any argument divergence from the approved digest within enforced paths." Scope: traced code paths. Exclusions: normalization bugs, indirect execution paths, control plane unavailability.
Event lineage
Hash-chained events with actor and policy attribution enable deterministic replay.
"Append-only event records preserve execution provenance for audit."
Compliance mapping (operational)
Syndicate Code's controls map to common SOC 2-style audit questions:
- Who approved it? Event attribution stores approver identity.
- What exactly was approved? Approval binding stores normalized arguments + digest.
- Did authorization precede execution? Event sequence records checkpoint before side effects.
- Can records be altered silently? Hash chaining makes tampering detectable.
This mapping is infrastructure support, not automatic certification.
The critical distinction is that governance evidence is generated at the control plane boundary, not inferred from model output.
What this does not prevent
| Risk | Mitigation |
|---|---|
| Operator approves harmful action | Attribution is preserved; governance is your responsibility |
| Admin misconfigures policy | Policy review and incident drills are required |
| External system data exposure | Tool boundaries define scope; external calls are filtered |
Residual risk areas
"Residual risk is bounded by visibility—unknown gaps are the highest-risk gaps."
- Time lag between product changes and public-safe artifact publication (avg 72-hour window)
- Human review quality variance during high-volume approval queues — governance effectiveness depends on operator attention and expertise
- Incomplete public disclosure of internal controls while artifacts remain redacted
Scope note
The word "secure" is intentionally avoided unless a claim is tied to a specific mechanism, boundary, and testable scope. See the product claims for bounded guarantees with explicit exclusions.
Frequently Asked Questions
Is Syndicate Code a security product?
No. Syndicate Code is a governance and audit layer. It records what happened and who approved it—it does not prevent harmful actions. Whether you act on the information depends on your processes.
How does approval binding prevent prompt injection?
Approval binding compares the digest of the actual execution arguments against the approved digest. If the model injects different arguments after approval (even within the same session), execution is denied. Repository content cannot override approval state.
What happens if policy is misconfigured?
Policy misconfiguration results in incorrect enforcement. The event record preserves the policy version in force, enabling post-incident diagnosis. Replayability helps but does not prevent misconfiguration.
Can the model bypass the control plane?
The control plane is the execution gate. If a code path routes around the control plane API, execution occurs but is not governed or attributed. Direct execution paths are enforced; indirect paths are an explicit exclusion.
See also
- How It Works — [control plane] execution flow
- Architecture — system boundaries
- Approvals — approval binding mechanism
- Product Claims — bounded guarantees
- Constraints — deliberate design decisions