Security

Hyphen’s security model is structural. The runtime decides what an agent or workflow can do, how secrets are resolved, which outbound destinations are allowed, and when execution must stop.

Structural Permissioning

Agents can use only:

• action tools you declare explicitly
• workflow tools you declare explicitly
• the small set of built-in implicit tools the runtime injects automatically, such as __complete__ and __pause_for_human__

{
  "tools": [
    { "type": "action", "name": "lookup_ticket" },
    { "type": "action", "name": "gmail_send" }
  ]
}

With this declaration, the agent can look up tickets, send email, and use the built-in completion and pause primitives. It cannot access Slack, databases, or other workflows unless those capabilities were declared and resolved by the engine.

If the model hallucinates a tool call that is not in the resolved tool map, execution fails. This is enforced by the runtime, not by prompt wording alone.

Secret Handling

Secrets stored in org config are encrypted before storage and resolved only when a workflow or agent needs them at execution time.

Sensitive values are also redacted in key observability surfaces, including:

• agent reasoning traces
• selected logging paths
• selected error and audit outputs

That reduces the chance that credentials appear in stored traces or operational logs.

SSRF Protection

HTTP actions and agent-driven outbound requests are checked against outbound request policies that block:

• loopback addresses
• private network ranges
• cloud metadata endpoints

Requests to blocked destinations fail with an error instead of reaching internal infrastructure.

Prompt Injection Defense

Hyphen uses multiple layers of defense for ReAct-style agents:

Detection and warning injection. Incoming context is scanned for common prompt-injection patterns. When suspicious input is detected, the runtime adds a security warning to the agent context.

Immutable security suffix. The runtime appends a fixed security suffix to the system prompt telling the model to treat user-provided content as untrusted data, not instructions.

Structured response parsing. The engine expects a structured ReAct response shape. Invalid or malformed outputs are rejected and recorded as iteration failures.

Tool allowlist enforcement. Even if the model attempts an unauthorized action, the runtime still enforces the resolved tool map.

These controls reduce risk. They do not make prompt injection impossible, so human review and narrow tool scopes still matter.

Bounded Execution and Recursion Limits

Hyphen bounds autonomous execution in several ways:

• max_iterations limits how many reasoning steps an agent can take
• timeout_ms limits total run time
• on_stuck lets you choose how to handle repeated failures or no-progress loops
• workflow-trigger depth limits prevent recursive workflow chains from running indefinitely

These are runtime-enforced controls, not documentation conventions.

OAuth CSRF Protection

OAuth authorization uses signed state tokens with expiration. On callback, Hyphen validates the token before exchanging the authorization code.

That protects the OAuth handshake against tampering and cross-site request forgery.

Rate Limiting

Hyphen rate-limits several public entry points.

When a limit is exceeded, the request fails with 429 Too Many Requests. Gateway responses also include rate-limit headers for minute and daily budgets.

Security Checklist

When deploying Hyphen in production:

• store credentials in org config instead of hardcoding them into workflow definitions
• declare only the minimum tool set each agent needs
• set max_iterations, timeout_ms, and on_stuck deliberately for every agentic loop
• review reasoning traces and approvals for unexpected behavior patterns
• use human pauses or approvals for actions that should never be fully autonomous
• gate workflows with explicit conditions when they should run only in narrow circumstances

→ Next: Primitives — the built-in building blocks