Please report vulnerabilities via private disclosure (create a private security advisory in the hosting forge, or email maintainers).

• Runner jobs are isolated in animus-runners with default-deny egress enforced by CNI.
• Runners have no upstream VCS credentials. All git operations go through internal git-proxy.
• Only allowlisted commands run in runners; no shell command execution.
• Only apply_patch may mutate the workspace.
• Proof Bundles and EventLog are produced for every job, including failures.

• Control plane: dispatcher, git-proxy, adapters.
• Data plane: runner jobs.
• Helm/k3s deployment templates.

• Protecting against a fully compromised cluster admin.
• Guaranteeing correctness of upstream dependencies.