Protocol
DEFINITION
Define container policy in the Safety Runtime. Build Dockerfile.safe, run non-root, and stage source for deterministic execution.
DEPLOYMENT
Deploy agents with secure run logic. Drop capabilities, cap memory, mount temp data, enforce read-only filesystems.
INTERCEPTION
Proxy interceptor inspects every request at the air lock. Allowlisted domains pass; unknown hosts are denied.
ENFORCEMENT
Wire traffic through the proxy. POST content is audited; sensitive terms trigger cognitive blocks instantly.
AUDIT
Simulation mode redirects high-risk endpoints to controlled mocks. Teams test dangerous workflows safely without touching live infrastructure.
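The INTERCEPTION, ENFORCEMENT and AUDIT steps above can be read as one per-request decision, sketched here as an added example that is not the Safety Runtime's own code. The names `decide`, `Decision`, `ALLOWLIST`, `SENSITIVE_TERMS` and `SIMULATED`, all hostnames and terms, and the choice to deny high-risk hosts outside simulation mode are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample policy (hypothetical values, not the product's configuration).
ALLOWLIST = {"api.example.com", "pypi.org"}
SENSITIVE_TERMS = ("password", "api_key", "BEGIN PRIVATE KEY")
SIMULATED = {"payments.example.com": "mock-payments.internal"}  # high-risk host -> mock


@dataclass(frozen=True)
class Decision:
    action: str                     # "allow", "deny" or "redirect"
    reason: str
    upstream: Optional[str] = None  # host the proxy should actually contact


def _host(url: str) -> str:
    # urlsplit().hostname drops userinfo and port and lowercases the name;
    # the trailing dot of a fully qualified name is stripped as well.
    return (urlsplit(url).hostname or "").rstrip(".")


def decide(method: str, url: str, body: bytes = b"", simulation: bool = False) -> Decision:
    host = _host(url)
    mock = SIMULATED.get(host) if simulation else None

    # Interception: exact-match allowlist, so "api.example.com.evil.test"
    # and "api.example.com@evil.test" do not pass as "api.example.com".
    if host not in ALLOWLIST and mock is None:
        return Decision("deny", f"host not allowlisted: {host or '<none>'}")

    # Enforcement: POST bodies are audited before anything is forwarded,
    # including traffic that would only reach a mock.
    if method.upper() == "POST":
        text = body.decode("utf-8", "replace").lower()
        for term in SENSITIVE_TERMS:
            if term.lower() in text:
                return Decision("deny", f"sensitive term in POST body: {term}")

    # Audit: in simulation mode the high-risk endpoint is swapped for its mock.
    if mock is not None:
        return Decision("redirect", "simulation mode", mock)
    return Decision("allow", "allowlisted host", host)
```

The decision is default-deny: a request is forwarded only when the host check and the body audit both pass, and a parse failure yields an empty host, which is denied.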