Privacy & Sandboxing — Security Architecture Specification
Formal description of Hydite IDE client-side privacy tiers and local sandboxing
Scope: technical alignment document for security audits, compliance assessment, and enterprise procurement review. Not a substitute for the customer's internal risk assessment.
Conformance language: MUST / MUST NOT / SHOULD / MAY follow RFC 2119.
- Data residency (source code, project semantic index, prompt context, model responses, telemetry).
- Local process sandboxing (filesystem, commands, network, third-party plugin / MCP / Skill invocation).
- Availability and switching constraints of the three privacy tiers.
- Transport and trust relationship between the IDE client and the Hydite Vtslx AO gateway.
Out of scope: server-side governance of the gateway (see Vtslx AO docs); internal controls of customer-deployed local inference services — only the boundary with them is specified.
| Term | Definition |
|---|---|
| Code Asset | Source code, configuration, documentation and derivatives tracked by Git in the workspace. |
| Project Index | The code-semantic, symbol, call-graph and related-resource index built locally by Context Hub. |
| Prompt Context | Full text and structured fields assembled and submitted to the inference backend on a single LLM invocation. |
| On-device Model | A model whose inference runs entirely on the client host or a private service in its local network — no public-internet requests. |
| Reachable Cloud Model | Any model reached via the public internet, including SaaS APIs and third-party proxies. |
| Agent Tool Invocation | Any filesystem, command, network, MCP or Skill action performed by an Agent. |
| Customer-Controlled Domain | Execution environments under the customer's administrative control: client host, customer LAN, customer-hosted Vtslx AO gateway. |
Control identifiers take the form CTL-<DOMAIN>-<NN>, where <DOMAIN> ∈ CFG names the control family.
The threat model is a simplified STRIDE, restricted to client-side privacy and sandboxing.
| Threat | Asset | Design goal |
|---|---|---|
| Information disclosure | Code, index, prompt context | MUST NOT leave the customer-controlled domain without explicit authorisation. |
| Elevation of privilege | Client FS, network, peripherals | Agent tool invocations MUST pass through the sandbox; out-of-scope actions denied and auditable. |
| Tampering | Project files, index, config | Third-party Skill / MCP MUST NOT write outside the authorised scope. |
| Replay & MITM | Transport with the gateway | All cross-network transport MUST use authenticated, encrypted channels. |
| Repudiation | Agent action traceability | Significant actions SHOULD leave a locally-readable audit record. |
| Denial of service | Client resources | Bounded envelopes; no SLA under extreme attack. |
```text
T0: IDE main process
└─ T1: Agent tool sandbox (OS primitives)
   ├─ T2: Command / network sub-boundary
   └─ T3: Third-party Skill / MCP
        │ Only when mode allows + user authorises
        ▼
   Vtslx AO gateway (Shared / Dedicated / Self-Hosted)
```
| ID | Boundary | Enforcement |
|---|---|---|
| CTL-BND-01 | T0 IDE process | Host OS process isolation |
| CTL-BND-02 | T1 Agent sandbox | macOS Seatbelt / Linux namespaces |
| CTL-BND-03 | T2 Command/network | Fine-grained policy within T1 |
| CTL-BND-04 | T3 Skill/MCP | Capability delegation within T1 |
| ID | Asset | Default residency |
|---|---|---|
| CTL-DAT-01 | Source / Git-tracked files | Customer-controlled |
| CTL-DAT-02 | Project semantic index | Customer-controlled (local) |
| CTL-DAT-03 | Agent worktree / temp branch | Customer-controlled (local) |
| CTL-DAT-04 | Prompt context | Determined by active privacy mode |
| CTL-DAT-05 | Model responses | Customer-controlled |
| CTL-DAT-06 | Client telemetry | Determined by user authorisation |
| ID | Tier | Formal definition |
|---|---|---|
| CTL-PRV-01 | High Privacy | For all of CTL-DAT-01..05, the asset MUST NOT leave the customer-controlled domain; inference MUST target on-device models only. |
| CTL-PRV-02 | Standard | Default tier; minimised prompt context (CTL-DAT-04) MAY be sent to user-authorised reachable cloud models; remaining assets MUST stay in the customer-controlled domain. |
| CTL-PRV-03 | Self-Hosted Enterprise | Inference MUST traverse a customer-hosted Vtslx AO gateway; assets MUST NOT transit Hydite-controlled network nodes. |
| Asset ↓ / Tier → | High Privacy | Standard | Self-Hosted |
|---|---|---|---|
| CTL-DAT-01 Source code | Stays on host | Stays on host | Stays in customer VPC |
| CTL-DAT-02 Index (build) | Local | Local | Local |
| CTL-DAT-02 Index (storage) | Local | Local | Local |
| CTL-DAT-04 Prompt context | Stays on host | Minimum-relevant slices to authorised cloud | Customer gateway only |
| CTL-DAT-05 Model response | From on-device model | From authorised cloud model | From customer-gateway backend |
| CTL-DAT-06 Telemetry | MUST be off | MAY be on (user-controlled) | MUST route through gateway or be off |
- The High Privacy toggle MUST be visible only in Agent mode. In Edit mode — whose scope is bounded to the current selection and which does not autonomously call the cloud — no separate toggle is exposed.
- When High Privacy is active, the input-box pill MUST show a lock indicator; the status bar SHOULD continuously surface the active privacy level.
- Any attempt to invoke a reachable cloud model while High Privacy is active MUST be denied. If the user has explicitly allow-listed certain cloud models, invocation MUST require an additional confirmation.
Hydite Agent runs inside the T1 boundary. This section defines its control family.
| ID | Control | Default policy |
|---|---|---|
| CTL-SBX-01 | Workspace read scope | Project root and descendants only |
| CTL-SBX-02 | Workspace write scope | Project root only; out-of-project writes MUST be explicitly prompted |
| CTL-SBX-03 | OS-sensitive paths | ~/.ssh, ~/.aws, keychains, etc. MUST require explicit allow-listing |
| CTL-SBX-04 | Project file denylist | Paths matching .hydite/agent-deny.glob MUST be denied for read/write |
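An added reference evaluator for CTL-SBX-01..04 (illustration written for this page, not Hydite's sandbox code): it resolves one Agent file access to allow, deny or prompt and names the governing control. The `SandboxPolicy` fields, the `~/.ssh` and `~/.aws` roots, and the glob semantics are assumptions; the caller is expected to hand in a symlink-resolved absolute path.

```python
from __future__ import annotations
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class SandboxPolicy:  # hypothetical policy object; field names are assumptions, not Hydite keys
    project_root: str                                # CTL-SBX-01/02 scope anchor
    home: str                                        # expands the CTL-SBX-03 sensitive paths
    deny_globs: tuple[str, ...] = ()                 # CTL-SBX-04: patterns from .hydite/agent-deny.glob
    allowed_sensitive: frozenset[str] = frozenset()  # CTL-SBX-03: explicitly allow-listed paths

    def sensitive_roots(self) -> tuple[str, ...]:
        # ~/.ssh and ~/.aws are the examples the spec names; keychain locations are platform-specific
        return tuple(posixpath.join(self.home, d) for d in (".ssh", ".aws"))

def _inside(path: str, root: str) -> bool:
    """True if path equals root or lies below it (a bare prefix test would let /proj2 match /proj)."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def evaluate(policy: SandboxPolicy, path: str, op: str) -> tuple[str, str]:
    """Return (allow|deny|prompt, governing control) for one Agent file access.
    The caller passes an absolute, symlink-resolved path (os.path.realpath); normpath here only
    collapses '.' and '..' so that 'proj/../.ssh/id_rsa' cannot slip past the prefix tests."""
    assert op in ("read", "write")
    p = posixpath.normpath(path)
    for root in policy.sensitive_roots():  # CTL-SBX-03 is checked before every other rule
        if _inside(p, root):
            allowed = any(_inside(p, a) for a in policy.allowed_sensitive)
            return ("allow" if allowed else "deny"), "CTL-SBX-03"
    if _inside(p, policy.project_root):
        rel = posixpath.relpath(p, policy.project_root)
        if any(fnmatchcase(rel, g) or fnmatchcase(posixpath.basename(rel), g) for g in policy.deny_globs):
            return "deny", "CTL-SBX-04"  # the project denylist applies to reads and writes alike
        return "allow", ("CTL-SBX-01" if op == "read" else "CTL-SBX-02")
    if op == "read":
        return "deny", "CTL-SBX-01"  # reads never leave the project root
    return "prompt", "CTL-SBX-02"    # out-of-project writes require an explicit user prompt
```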
| ID | Control | Default policy |
|---|---|---|
| CTL-SBX-05 | Working directory | Locked to project root by default |
| CTL-SBX-06 | Network from commands | MAY be globally disabled; MUST be disabled by default under High Privacy |
| CTL-SBX-07 | Resource limits | Subprocess wall-clock, CPU, memory SHOULD be subject to configurable caps |
| ID | Control | Default policy |
|---|---|---|
| CTL-NET-01 | Default egress | High Privacy: deny; other tiers: only authorised destinations |
| CTL-NET-02 | Inference egress | Only the destinations agreed for the active tier (on-device / authorised cloud / self-hosted gateway) |
| CTL-NET-03 | Client update channel | SHOULD be disable-able or proxy-able by enterprise admins |
| CTL-NET-04 | Third-party MCP egress | Same envelope as CTL-NET-01; MCP MUST NOT bypass the sandbox |
| ID | Control | Default policy |
|---|---|---|
| CTL-SBX-08 | Skill FS rights | Bounded by the parent Agent's T1 limits; cannot escape |
| CTL-SBX-09 | MCP resource allowlist | MUST be explicitly enabled per project by the user |
| CTL-SBX-10 | Skill / MCP egress | Bounded by CTL-NET-04 |
When Agent Hub runs multiple agents in parallel, each agent MUST execute in its own Git worktree (or temporary branch); writes MUST NOT directly land on the main branch and SHOULD pass a unified review before merging. Consequences:
- A single agent's failure or out-of-scope attempt MUST be confined to its worktree.
- Any agent's writes MAY be rolled back by deleting its worktree in one click.
- The current session MUST be in Agent mode.
- The user activates the toggle on the input-box bottom-left pill, and MUST clear an explicit confirmation panel.
- The confirmation panel MUST itemise: source-code egress, index egress, command network, Skill / MCP network, telemetry.
Once High Privacy is active:
- Source code MUST NOT leave the host. Any attempt to send file content, paths or metadata to a non-on-device model MUST be denied.
- The project semantic index MUST be built and queried by on-device models only. Index data MUST NOT appear in any outbound request body.
- Prompt context MUST be sent only to on-device models.
- Telemetry MUST be off.
- Network access from commands MUST be denied by default. The user MAY allow specific intranet destinations one rule at a time, but public-internet destinations MUST NOT be allowed.
Under High Privacy, inference is restricted to on-device models — including but not limited to:
- Local inference frameworks running directly on the client host.
- Private inference services reachable on the client's local network.
Any inference path pointing to the public internet MUST be disabled. If the user has registered specific cloud models in a permitted-list, invocation MUST trigger an extra confirmation before proceeding.
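The added example below (written for this page, not Hydite code) turns the tier rules into one decision function per egress kind: CTL-PRV-01..03 and CTL-NET-02 for inference endpoints, including the extra confirmation for a cloud model the user has allow-listed under High Privacy, and CTL-SBX-06 / CTL-NET-01 for network access from sandboxed commands. The `EgressPolicy` fields, the `Tier` enum and the on-device heuristic (localhost or a loopback/private IP literal) are assumptions.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from enum import Enum
from urllib.parse import urlsplit

class Tier(Enum):
    HIGH_PRIVACY = "CTL-PRV-01"
    STANDARD = "CTL-PRV-02"
    SELF_HOSTED = "CTL-PRV-03"

@dataclass(frozen=True)
class EgressPolicy:  # hypothetical policy object; field names are assumptions, not Hydite keys
    tier: Tier
    gateway_host: str | None = None                     # customer-supplied Vtslx AO gateway host
    user_authorised: frozenset[str] = frozenset()       # cloud hosts the user authorised (Standard)
    allowed_cloud_models: frozenset[str] = frozenset()  # cf. hydite.privacy.allowedCloudModels
    intranet_rules: frozenset[str] = frozenset()        # High Privacy: one intranet rule at a time

def _ip(host: str):
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # not an IP literal

def is_on_device(host: str) -> bool:
    """Assumption: 'localhost' or a loopback/private IP literal counts as on-device."""
    addr = _ip(host)
    return host == "localhost" or bool(addr and (addr.is_loopback or addr.is_private))

def inference_decision(policy: EgressPolicy, endpoint: str, model: str) -> tuple[str, str]:
    """Decide one LLM invocation: returns (allow|deny|confirm, governing control)."""
    host = urlsplit(endpoint).hostname or ""
    if policy.tier is Tier.SELF_HOSTED:  # CTL-PRV-03: the customer gateway and nothing else
        return ("allow" if host == policy.gateway_host else "deny"), "CTL-PRV-03"
    if is_on_device(host):  # CTL-NET-02: on-device inference is in-envelope for the other tiers
        return "allow", "CTL-NET-02"
    if policy.tier is Tier.HIGH_PRIVACY:  # CTL-PRV-01: cloud denied; allow-listed model => confirm
        return ("confirm" if model in policy.allowed_cloud_models else "deny"), "CTL-PRV-01"
    # CTL-PRV-02: the Standard tier reaches only user-authorised cloud destinations
    return ("allow" if host in policy.user_authorised else "deny"), "CTL-PRV-02"

def command_network_decision(policy: EgressPolicy, host: str) -> tuple[str, str]:
    """CTL-SBX-06 / CTL-NET-01: network access requested by a sandboxed command."""
    if policy.tier is Tier.HIGH_PRIVACY:
        addr = _ip(host)  # a rule never admits a public-internet address, even if the user entered one
        allowed = host in policy.intranet_rules and not (addr and addr.is_global)
        return ("allow" if allowed else "deny"), "CTL-NET-01"
    authorised = set(policy.user_authorised) | ({policy.gateway_host} - {None})
    return ("allow" if host in authorised else "deny"), "CTL-NET-01"
```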
- The input-box pill MUST show a lock indicator, visible only while High Privacy is active.
- The status bar SHOULD display "Local-only" or a semantically equivalent badge.
- Exiting High Privacy MUST trigger an explicit prompt that explains the egress policy that will resume.
- Prompt context MUST pass through Context Hub's local retrieval phase and be reduced to the slices most relevant to the current request.
- Whole-directory scans or full-index snapshots MUST NOT be placed directly into prompt context.
- Cross-network transport MUST use authenticated, encrypted channels.
- The client MUST verify peer identity. When configured to use a customer-supplied gateway, the client MUST verify the customer-provided certificate or SPKI anchor.
The following items MUST be disable-able under Standard mode:
- Telemetry reporting.
- Client auto-update channel.
- Third-party Skill / MCP egress.
- Local response caching.
- The customer deploys a Hydite Vtslx AO gateway in their own VPC / intranet.
- The client MUST be configured to a customer-supplied gateway address; Hydite-controlled network nodes MUST NOT appear in the call chain.
- Model API keys and inference credentials MUST be held by the customer (in the gateway or a customer KMS).
- The client MUST support enterprise SSO and SHOULD reuse its session identity for gateway authentication.
- All cross-network requests MUST traverse the customer gateway, which SHOULD provide complete access logs.
- The client SHOULD support exporting a local activity summary that can be reconciled with the gateway logs for unified audit.
| Category | Examples | High Privacy | Standard | Self-Hosted |
|---|---|---|---|---|
| Crash reports | Stack, version, platform | Off | User can disable | Through gateway or off |
| Performance counters | Startup time, index time (no paths) | Off | User can disable | Through gateway or off |
| Usage counters | Mode-switch count, agent-launch count | Off | User can disable | Through gateway or off |
| Prompt / response | Model input and output | MUST be off | MUST NOT default to on | MUST go through gateway or be off |
- Any telemetry containing code snippets, file paths, prompts, or model responses MUST NOT be enabled by default.
- Default-enabled telemetry items MUST NOT contain fields from which code assets could be reconstructed.
| Verification target | Action | Expected result |
|---|---|---|
| Index location | Check .hydite/index/ in the project root | Index files exist locally with no remote-sync evidence |
| Network egress | Run a host-level network monitor (e.g. lsof -i, Little Snitch, tcpdump) | No public-internet inference traffic during High Privacy |
| Command network | Have the agent run curl https://example.com | Denied by sandbox under High Privacy |
| File over-read | Add *.pem to .hydite/agent-deny.glob, then have the agent read it | Read denied and recorded |
| Mode UI | Switch to High Privacy | Lock indicator visible on the input-box pill |
- The customer's network team MAY configure egress allow-listing for client clusters that only permits the self-hosted Vtslx AO gateway, and SHOULD observe no traffic to unexpected destinations.
- The customer gateway logs SHOULD reconcile, by request count, with locally exported activity summaries.
| Path | Purpose |
|---|---|
| .hydite/index.ignore | Index denylist (.gitignore syntax) |
| .hydite/index.include | Force-included paths for the index |
| .hydite/agent-deny.glob | Denylist for Agent file read/write |
| .hydite/index/ | Local index storage (recommended in .gitignore) |
| Command | Purpose |
|---|---|
| Hydite: Toggle High Privacy Mode | Toggle High Privacy under Agent mode |
| Hydite: Rebuild Project Index | Force-rebuild the local index |
| Hydite: Open Privacy Scope Panel | Open the High Privacy scope confirmation panel |
| Hydite: Export Local Activity Summary | Export a local activity summary for audit |
| Key | Meaning |
|---|---|
| hydite.privacy.defaultMode | Default privacy mode at IDE start |
| hydite.privacy.allowedCloudModels | Cloud models permitted under High Privacy |
| hydite.telemetry.enabled | Whether basic telemetry is enabled |
| hydite.network.allowedHosts | Egress allowlist for command execution |
For internal customer assessment, two conformance levels are defined:
- Baseline conformance: client default-enabled controls satisfy §5 and §9.
- Enterprise conformance: in addition to baseline, the deployment runs in Self-Hosted Enterprise mode and passes §8 and §10.2 self-verification.
This specification makes no claim of certification under any specific framework (e.g. SOC 2, ISO/IEC 27001, FedRAMP). When deploying in regulated industries, customers SHOULD treat this specification as one input to their compliance self-assessment alongside industry-specific requirements.
13. Revision history
| Version | Scope |
|---|---|
| 1.0 | Initial publication: terminology, trust boundaries, three-tier formal matrix, sandbox control family, verifiable items |