Fail-closed default

Decision: The authorizer denies tool calls when OPA is unreachable.

Why: For authorized agents, security takes precedence over availability. A missed authorization is worse than a paused agent.

Implication: An OPA outage stops all authorized agent activity until OPA recovers.

Mitigation: OPA health monitoring with sub-second alerts. Per-tenant override to fail-open for non-critical agent classes; the override should be scoped to exactly those classes, and decisions taken while OPA is down should be distinguishable in the audit trail from normal OPA decisions. OPA sidecar architecture minimizes network dependency.
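The fail-closed rule and the scoped override, as an added example (not Behavry code). The OPA data-API path, the input document shape and the per-class `fail_open_classes` override are assumptions; the two points worth copying are that any transport failure becomes a deny unless the class is explicitly exempted, and that an undefined OPA result (no "result" key, e.g. policy not loaded) is treated as deny rather than allow.

```python
"""Fail-closed OPA authorizer with a scoped fail-open override (added example)."""
import json
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List

# Hypothetical OPA data-API path for the allow rule (assumption).
OPA_DECISION_PATH = "/v1/data/behavry/authz/allow"


class OpaUnreachable(Exception):
    """The transport could not get an answer from OPA (down, timeout, refused)."""


@dataclass
class Decision:
    allow: bool
    reason: str
    degraded: bool = False  # True when OPA did not answer and a default was applied


def http_transport(base_url: str, timeout_s: float = 0.25) -> Callable[[str, dict], dict]:
    """Real transport: POST to OPA with a short timeout; any failure is OpaUnreachable."""
    def send(path: str, payload: dict) -> dict:
        req = urllib.request.Request(
            base_url + path,
            data=json.dumps(payload).encode(),
            headers={"Content-Type": "application/json"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout_s) as resp:
                return json.load(resp)
        except (urllib.error.URLError, socket.timeout, OSError) as exc:
            raise OpaUnreachable(str(exc)) from exc
    return send


@dataclass
class Authorizer:
    transport: Callable[[str, dict], dict]
    # Per-tenant override (assumed): agent classes allowed to run while OPA is down.
    fail_open_classes: frozenset = frozenset()
    audit: List[Decision] = field(default_factory=list)

    def authorize(self, agent_class: str, tool: str, args: dict) -> Decision:
        payload = {"input": {"agent_class": agent_class, "tool": tool, "args": args}}
        try:
            resp = self.transport(OPA_DECISION_PATH, payload)
        except OpaUnreachable as exc:
            if agent_class in self.fail_open_classes:
                d = Decision(True, f"OPA unreachable ({exc}); fail-open override for {agent_class}", True)
            else:
                d = Decision(False, f"OPA unreachable ({exc}); fail-closed", True)
            self.audit.append(d)
            return d
        # OPA omits "result" when the rule is undefined (e.g. policy not loaded).
        # Undefined is not "allow": only an explicit true allows.
        allow = resp.get("result") is True
        d = Decision(allow, "opa decision")
        self.audit.append(d)
        return d


# Constructed stand-ins so the example runs offline.
def fake_policy_transport(path: str, payload: dict) -> dict:
    """Healthy OPA stand-in: allow read_file, deny everything else."""
    return {"result": payload["input"]["tool"] == "read_file"}


def undefined_transport(path: str, payload: dict) -> dict:
    """OPA with no policy loaded: the rule is undefined, so no "result" key."""
    return {}


def down_transport(path: str, payload: dict) -> dict:
    raise OpaUnreachable("connection refused")


if __name__ == "__main__":
    for name, t in [("healthy", fake_policy_transport), ("undefined", undefined_transport), ("down", down_transport)]:
        a = Authorizer(t, fail_open_classes=frozenset({"dev-sandbox"}))
        print(name, a.authorize("prod-agent", "shell_exec", {}), a.authorize("dev-sandbox", "read_file", {}))
```

The `degraded` flag is what lets a SIEM query separate "OPA said no" from "OPA was down", which matters when reviewing what a fail-open class did during an outage.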

Inline authorization latency

Decision: Every tool call passes through the authorizer before execution.

Why: Pre-execution authorization is the architectural foundation. Post-hoc detection cannot prevent actions.

Implication: Adds 5–30ms per tool call. OPA evaluation is sub-millisecond; the bulk is the network hop.

Mitigation: Connection pooling, a local OPA sidecar, and async audit logging minimize overhead. For context, a typical LLM inference call takes 500ms–5s, so the authorization layer is negligible relative to agent processing time.

stdio backend limitations

Decision: Support both Streamable HTTP and stdio MCP transports.

Why: Many local development tools (filesystem, shell) use stdio. Excluding them would leave an authorization gap.

Implication: stdio MCP backends are process-local and cannot be load-balanced or health-checked like HTTP backends.

Mitigation: HTTP backends are recommended for production workloads. stdio is supported for development and for edge cases where local process binding is required.

Hash chain is append-only, not a distributed ledger

Decision: SHA-256 chain with previous_hash linkage, not a blockchain or distributed consensus.

Why: Distributed consensus adds latency with no authorization benefit for single-tenant audit chains. The threat model is tampering, not Byzantine fault tolerance.

Implication: Chain integrity depends on database access controls. An attacker with write access to the database could rewrite an entry and recompute every later hash, after which the chain still verifies internally; detecting that requires a copy of the head hash held outside the database.

Mitigation: A chain verification endpoint validates integrity on demand. A nightly background verification task. SIEM export provides an independent copy outside Behavry's control. External audit anchoring (S3 WORM bucket) is on the roadmap.
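The linkage, the on-demand verification and the reason an external anchor is needed, as an added example (not Behavry's implementation). The record layout, the all-zero genesis value and the anchored-head check are assumptions; the sample decisions are constructed. `rewrite_history` shows what a database writer can do and why internal verification alone does not catch it.

```python
"""Append-only SHA-256 audit chain with previous_hash linkage (added example)."""
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # assumed sentinel for the first record's previous_hash


def _canonical(entry: dict) -> bytes:
    # Canonical JSON so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def record_hash(previous_hash: str, entry: dict) -> str:
    h = hashlib.sha256()
    h.update(previous_hash.encode())
    h.update(b"\n")
    h.update(_canonical(entry))
    return h.hexdigest()


def append(chain: List[dict], entry: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    rec = {"seq": len(chain), "previous_hash": prev, "entry": dict(entry),
           "hash": record_hash(prev, entry)}
    chain.append(rec)
    return rec


def verify(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, seq of the first bad record)."""
    prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        if (rec["seq"] != i
                or rec["previous_hash"] != prev
                or rec["hash"] != record_hash(prev, rec["entry"])):
            return False, i
        prev = rec["hash"]
    return True, None


def verify_anchored(chain: List[dict], anchored_seq: int, anchored_hash: str) -> bool:
    """Internally consistent AND still matching a head hash stored outside the DB."""
    ok, _ = verify(chain)
    return ok and anchored_seq < len(chain) and chain[anchored_seq]["hash"] == anchored_hash


def rewrite_history(chain: List[dict], seq: int, new_entry: dict) -> None:
    """What an attacker with DB write access can do: change one record and
    recompute every later hash so verify() still passes."""
    chain[seq]["entry"] = new_entry
    prev = chain[seq - 1]["hash"] if seq else GENESIS_HASH
    for rec in chain[seq:]:
        rec["previous_hash"] = prev
        rec["hash"] = record_hash(prev, rec["entry"])
        prev = rec["hash"]


# Constructed sample decisions.
SAMPLE = [
    {"agent": "a1", "tool": "read_file", "decision": "allow"},
    {"agent": "a1", "tool": "shell_exec", "decision": "deny"},
    {"agent": "a2", "tool": "http_get", "decision": "intercept"},
]


def demo() -> dict:
    chain: List[dict] = []
    for e in SAMPLE:
        append(chain, e)
    # Head hash exported out of band (SIEM / WORM bucket) right after the append.
    anchor_seq, anchor_hash = chain[-1]["seq"], chain[-1]["hash"]

    results = {"clean": verify(chain)}
    # Naive tamper: edit one field, leave hashes alone -> detected at that seq.
    chain[1]["entry"]["decision"] = "allow"
    results["naive_tamper"] = verify(chain)
    chain[1]["entry"]["decision"] = "deny"

    # Full rewrite: internal verify passes, only the external anchor catches it.
    rewrite_history(chain, 1, {"agent": "a1", "tool": "shell_exec", "decision": "allow"})
    results["rewrite_internal"] = verify(chain)
    results["rewrite_anchored"] = verify_anchored(chain, anchor_seq, anchor_hash)
    return results


if __name__ == "__main__":
    print(demo())
```

The nightly verification task corresponds to `verify`; the SIEM export or WORM anchor is what makes `verify_anchored` possible, since a head hash the attacker cannot overwrite is the only thing a full rewrite cannot reconcile.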

Behavioral baselines require warm-up

Decision: Anomaly detection compares against rolling behavioral baselines that accumulate over time.

Why: Static thresholds produce false positives. Behavioral baselines adapt to each agent's actual usage pattern.

Implication: New agents have no baseline for the first N hours. Anomaly detection is less effective during this period.

Mitigation: Configurable warm-up period. Manual baseline seeding for known agent profiles. Conservative alerting thresholds during warm-up. Allow / Deny / Intercept enforcement works from the first tool call regardless of baseline status.
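A rolling baseline with a configurable warm-up, a conservative warm-up threshold and manual seeding, as an added example (not Behavry's detector). The window size, warm-up length, z-score rule and the constructed per-bucket call counts are all assumptions; the example shows the same spike being tolerated during warm-up and alerted on once the baseline is warm or seeded.

```python
"""Rolling per-agent baseline with a warm-up period (added example)."""
from collections import deque
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Deque, Iterable, Optional


@dataclass
class Verdict:
    anomalous: bool
    warm: bool                # False while the baseline is still accumulating
    zscore: Optional[float]   # None until there are at least two samples


@dataclass
class RollingBaseline:
    window: int = 288              # e.g. 5-minute buckets over 24h (assumed)
    warmup_samples: int = 24       # configurable warm-up period
    threshold: float = 3.0         # z-score alert threshold once warm
    warmup_threshold: float = 6.0  # conservative threshold during warm-up
    min_stdev: float = 1.0         # floor so a flat history does not alert on noise
    samples: Deque[float] = field(default_factory=deque)

    def seed(self, values: Iterable[float]) -> None:
        """Manual baseline seeding from a known agent profile."""
        for v in values:
            self._push(float(v))

    def _push(self, value: float) -> None:
        self.samples.append(value)
        if len(self.samples) > self.window:
            self.samples.popleft()

    @property
    def warm(self) -> bool:
        return len(self.samples) >= self.warmup_samples

    def observe(self, value: float) -> Verdict:
        """Score value against history, then fold it into the baseline.
        Allow/Deny/Intercept policy is evaluated elsewhere and from call one;
        this only decides whether to raise an anomaly alert."""
        was_warm = self.warm
        if len(self.samples) < 2:
            z: Optional[float] = None
            anomalous = False
        else:
            mu = mean(self.samples)
            sd = max(pstdev(self.samples), self.min_stdev)
            z = (value - mu) / sd
            limit = self.threshold if was_warm else self.warmup_threshold
            anomalous = z > limit
        self._push(float(value))
        return Verdict(anomalous, was_warm, z)


def demo() -> dict:
    # Constructed series: ~10 tool calls per bucket with two identical spikes,
    # one inside the warm-up period and one after it.
    series = [10.0] * 40
    series[10] = 15.0
    series[35] = 15.0
    b = RollingBaseline()
    verdicts = [b.observe(v) for v in series]

    seeded = RollingBaseline()
    seeded.seed([10.0] * 30)  # known profile: warm immediately
    return {
        "warmup_spike": verdicts[10],
        "warm_spike": verdicts[35],
        "seeded_spike": seeded.observe(15.0),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```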

DLP uses pattern matching, not semantic analysis

Decision: 26 regex patterns across 7 categories. Deterministic, evaluated in-process with no added network latency, no external API dependency.

Why: Pattern matching is fast, auditable, and does not put a dependency on an external ML service in the critical path.

Implication: Sophisticated exfiltration that avoids pattern signatures (encoding, splitting, or paraphrasing a secret) may not be caught by DLP alone.

Mitigation: The inbound rules engine adds semantic matching for tool responses. Cross-session fragment reassembly detects credentials split across sequential requests. Behavioral anomaly detection catches volume-based exfiltration that individual pattern matches miss.
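Pattern-based DLP plus fragment reassembly across sequential requests, as an added example (not Behavry's DLP engine). The three patterns are a constructed sample rather than the product's 26, the per-session tail length is an assumption, and the access key used is the placeholder from the AWS documentation. The example shows a key that neither half matches on its own being caught once the halves are adjacent.

```python
"""Regex DLP with cross-request fragment reassembly (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample patterns (category, name, regex); not the product's set.
PATTERNS = [
    ("cloud_credential", "aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("vcs_token", "github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", "pem_private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]


@dataclass(frozen=True)
class Finding:
    category: str
    name: str
    start: int            # offset within the current request; negative = began earlier
    end: int
    cross_request: bool   # True when the match started in a previous request


def scan(text: str) -> List[Finding]:
    """Single-request pattern scan."""
    out = []
    for cat, name, rx in PATTERNS:
        for m in rx.finditer(text):
            out.append(Finding(cat, name, m.start(), m.end(), False))
    return out


class SessionScanner:
    """Keeps the tail of each session's outbound text so a secret split across
    sequential requests is still matched once the fragments are adjacent."""

    def __init__(self, tail_len: int = 256):
        self.tail_len = tail_len
        self._tails: Dict[str, str] = {}

    def scan(self, session_id: str, text: str) -> List[Finding]:
        tail = self._tails.get(session_id, "")
        joined = tail + text
        findings = []
        for f in scan(joined):
            if f.end <= len(tail):
                continue  # lies entirely in earlier requests; reported back then
            findings.append(Finding(f.category, f.name,
                                    f.start - len(tail), f.end - len(tail),
                                    cross_request=f.start < len(tail)))
        self._tails[session_id] = joined[-self.tail_len:]
        return findings


def demo() -> dict:
    s = SessionScanner()
    # Constructed session: key split in two, then a token, then innocuous text.
    r1 = s.scan("sess-1", "first half: AKIAIOSFOD")
    r2 = s.scan("sess-1", "NN7EXAMPLE is the rest")
    r3 = s.scan("sess-1", "token ghp_" + "a" * 36)
    r4 = s.scan("sess-1", "nothing here")
    return {
        "fragment_1": r1,
        "fragment_2": r2,
        "token": r3,
        "after": r4,
        "whole_key_single_scan": scan("AKIAIOSFODNN7EXAMPLE"),
        "half_key_single_scan": scan("NN7EXAMPLE is the rest"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Reassembly only helps when the fragments are byte-adjacent after concatenation; a secret split with filler between the halves, base64-encoded, or paraphrased still needs the semantic and volume-based layers described above.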

Single-region deployment (current)

Decision: A single AWS EC2 instance with Docker Compose for the current deployment.

Why: Seed-stage operational simplicity. One region, one stack, fast iteration.

Implication: No geographic redundancy. Single point of failure at the infrastructure level.

Mitigation: The Docker Compose architecture is portable to any cloud or on-prem environment. Multi-region and multi-cloud deployment are on the roadmap. BYOC and Self-Hosted deployment models let customers run the stack in their own redundant infrastructure today.

Context Gate defaults to hidden for unclassified tools

Decision: Unrecognized tools from newly connected MCP servers are hidden by default until an admin classifies them.

Why: Least privilege for cognition. An agent should not access tools that have not been evaluated and classified.

Implication: New tools from newly connected MCP servers are invisible to agents until an admin approves them.

Mitigation: Admin notification on new tool detection. One-click approve in the dashboard. Bulk classification for servers with many tools. Auto-classification rules based on tool naming patterns.
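The default-hidden gate with a pending queue for admin notification and naming-pattern auto-classification, as an added example (not Behavry's Context Gate). The class labels, the visible-class set, the naming rules and the sample tool list are assumptions; the point is that a tool with no classification from any source never reaches the agent.

```python
"""Default-hidden tool gate for newly connected MCP servers (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Pattern, Tuple

# Auto-classification rules (assumed): the first matching pattern assigns a class.
# Anything unmatched stays unclassified and is therefore hidden.
AUTO_RULES: List[Tuple[Pattern, str]] = [
    (re.compile(r"^(get|list|read|search)_"), "read"),
    (re.compile(r"^(create|update|write|delete|exec|run)_"), "write"),
]


@dataclass
class ContextGate:
    # tool name -> class, set by an admin (one-click or bulk approval)
    classified: Dict[str, str] = field(default_factory=dict)
    # classes an agent may see; "write" deliberately needs an explicit grant
    visible_classes: frozenset = frozenset({"read"})
    # unclassified tools seen so far; this is what the admin notification reports
    pending: List[str] = field(default_factory=list)

    def approve(self, tool: str, tool_class: str) -> None:
        self.classified[tool] = tool_class
        if tool in self.pending:
            self.pending.remove(tool)

    def auto_classify(self, tool: str) -> Optional[str]:
        for rx, cls in AUTO_RULES:
            if rx.match(tool):
                return cls
        return None

    def filter_tools(self, advertised: List[str]) -> List[str]:
        """Return the subset of an MCP server's advertised tools an agent may see."""
        visible = []
        for tool in advertised:
            cls = self.classified.get(tool) or self.auto_classify(tool)
            if cls is None:
                if tool not in self.pending:
                    self.pending.append(tool)
                continue  # unclassified: hidden until an admin acts
            if cls in self.visible_classes:
                visible.append(tool)
        return visible


# Constructed tool list from a freshly connected server.
ADVERTISED = ["list_files", "read_file", "exec_shell", "frobnicate"]

if __name__ == "__main__":
    g = ContextGate()
    print(g.filter_tools(ADVERTISED), "pending:", g.pending)
    g.approve("frobnicate", "read")
    print(g.filter_tools(ADVERTISED), "pending:", g.pending)
```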

This page is updated as the architecture evolves. Questions? Ask during your assessment.