Trust Model
Risoluto is designed for local, operator-controlled, high-trust environments. It runs on your machine or a VDS you control — there is no cloud service, no SaaS, and no shared infrastructure.Trust Layers
Three components form a chain of trust. Each layer controls a different decision boundary.| Layer | Component | Controls |
|---|---|---|
| 1 | Risoluto | When to launch work, which workspace the worker can access, resource limits, network policy |
| 2 | Codex | How to execute each turn — tool approvals, sandbox enforcement, MCP server access |
| 3 | Provider / Proxy | Where the model call is routed — backing account, rate limits, content policy |
Sandbox Policies
Thethread_sandbox setting controls what the Codex agent is allowed to do inside its container.
| Policy | Description | Risk level |
|---|---|---|
workspace-read | Read-only access to the workspace. No file writes, no shell commands. | Low |
workspace-write (default) | Read/write access scoped to the workspace directory. Shell commands allowed within the workspace. | Medium |
danger-full-access | Unrestricted filesystem and network access inside the container. | High |
Default Trust Posture
| Setting | Default value |
|---|---|
codex.approval_policy | "never" (auto-approve all tool calls) |
codex.thread_sandbox | "workspace-write" |
Docker Sandbox Boundary
Agents run inside Docker containers with configurable security hardening.| Property | How it works |
|---|---|
| Path identity | Workspace paths bind-mounted at the same absolute path |
| Auth preservation | Credentials injected into per-attempt runtime home |
| Host permissions | Container runs as --user $(id -u):$(id -g) — no ownership drift |
| Network | Default bridge (full internet) or restricted custom network |
Security Hardening
| Option | Config key | Default |
|---|---|---|
| No new privileges | codex.sandbox.security.noNewPrivileges | true |
| Drop capabilities | codex.sandbox.security.dropCapabilities | true |
| gVisor runtime | codex.sandbox.security.gvisor | false |
| Seccomp profile | codex.sandbox.security.seccompProfile | "" (Docker default) |
Egress Allowlist
Restrict outbound network access from agent containers:Credentials
| Credential | Source | Purpose |
|---|---|---|
| Linear API key | tracker.api_key (typically $LINEAR_API_KEY) | Poll and transition issues |
| Codex auth | API key or auth.json from codex.auth.source_home | Model API calls |
| GitHub PAT | Optional, via setup wizard or $GITHUB_TOKEN | PR creation |
secrets.enc) protected by the master key generated during setup. The master key never leaves your machine.
Provider Boundary
Risoluto supports three auth modes for connecting to the model provider:Direct API Key
Direct API Key
sk-...). Risoluto validates and encrypts it during setup.Custom Provider / Proxy
Custom Provider / Proxy
Codex Login (Browser Auth)
Codex Login (Browser Auth)
When running in Docker, containers cannot reach
127.0.0.1 on the host. Risoluto transparently rewrites host-bound URLs to host.docker.internal.Network Security
See the Network Security guide for bind address, write tokens, and rate limiting configuration.What’s Next
How It Works
Full architecture walkthrough — polling, workspaces, sandboxes, delivery.
Network Security
Bind address, write tokens, rate limiting, and TLS.
Custom Sandbox
Build a custom sandbox image with your own dependencies.
Configuration
Customize sandbox policies, auth modes, and security hardening.