Security
Six independent security layers protecting the x0x1 pipeline: network isolation, one-way air-gap relay, bubblewrap sandbox, dual Anvil simulation, exploit cross-reference, and exact-amount approvals.
The Signing Flow isolates keys from the internet through physical device separation. This page covers the additional security layers that protect the networked machine where the AI agent, simulation, and research run.
Security layers
Each layer operates independently. Compromising one changes nothing about the others:
Sandbox architecture
The AI agent runs inside a bubblewrap (bwrap) sandbox — a lightweight Linux container that restricts filesystem access, network, and privileges without a full VM:
| Constraint | Implementation |
|---|---|
| Filesystem | Read-only except specific writable paths |
| ~/.ssh/ | Mounted as tmpfs — agent cannot access real SSH keys |
| ~/.gnupg/ | Blocked entirely |
| Sudo | Blocked by hook — no privilege escalation |
| Settings/hooks | Read-only bind mounts |
| Network | All external traffic through SOCKS5 + OpenSnitch monitoring |
Approval hygiene
Most DeFi frontends approve type(uint256).max, giving the contract permission to move
all your tokens indefinitely. If that contract is exploited months later, your entire balance
is drained. The pipeline scopes every approval to the exact amount needed.
After each transaction:
- Pipeline checks remaining approval -- leftover allowance is a liability
- Warns if approval exceeds the transacted amount
- User can trigger approval revocation manually
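
The approval checks described above, sketched in Python as an added example (not the pipeline's own code): it decodes ERC-20 `approve(address,uint256)` calldata before signing and reviews the allowance afterwards. The function names, spender address and amounts are constructed for illustration, and the remaining allowance is passed in rather than read from a chain.

```python
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # ERC-20 approve(address,uint256)
UINT256_MAX = 2**256 - 1                      # type(uint256).max


def build_approve(spender: str, amount: int) -> bytes:
    """Encode approve(spender, amount) calldata for an exact amount."""
    addr = bytes.fromhex(spender[2:] if spender.startswith("0x") else spender)
    if len(addr) != 20 or not 0 <= amount <= UINT256_MAX:
        raise ValueError("bad spender or amount")
    return APPROVE_SELECTOR + addr.rjust(32, b"\0") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes):
    """Return (spender, amount); reject anything that is not a clean approve()."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    if any(calldata[4:16]):
        raise ValueError("non-zero padding in address word")
    return "0x" + calldata[16:36].hex(), int.from_bytes(calldata[36:68], "big")


def check_before_signing(calldata: bytes, needed: int) -> list:
    """Findings for an approval about to be signed; empty means exact-amount."""
    _, amount = decode_approve(calldata)
    if amount == UINT256_MAX:
        return ["unlimited approval: type(uint256).max"]
    if amount > needed:
        return [f"approval exceeds needed amount by {amount - needed}"]
    if amount < needed:
        return [f"approval is {needed - amount} below the needed amount"]
    return []


def review_after_tx(approved: int, transacted: int, remaining: int) -> list:
    """Post-transaction warnings; `remaining` is the allowance read back
    from the token (passed in here so the example runs offline)."""
    warnings = []
    if approved > transacted:
        warnings.append(f"approval exceeded transacted amount by {approved - transacted}")
    if remaining > 0:
        warnings.append(f"leftover allowance {remaining}: consider revoking")
    return warnings


if __name__ == "__main__":
    spender = "0x" + "11" * 20  # constructed address, not a real contract
    print(check_before_signing(build_approve(spender, UINT256_MAX), 1_000))
    print(check_before_signing(build_approve(spender, 1_000), 1_000))
    print(review_after_tx(approved=1_500, transacted=1_000, remaining=500))
```
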
For automated risk scoring and portfolio monitoring, see the Risk Engine.