Intergrax is under active private R&D. Security fixes are applied to the current main branch only.
| Version | Supported |
|---|---|
main (latest) |
Yes |
| Older commits / tags | Best effort |
Do not open a public GitHub issue for security vulnerabilities.
| Channel | Details |
|---|---|
| jakbu.czarnecki.83@gmail.com | |
| Subject | [Intergrax Security] brief description |
- Description of the vulnerability and potential impact
- Steps to reproduce (proof of concept if available)
- Affected component (Nexus runtime, integration, tool, application, …)
- Suggested fix or mitigation (if known)
- Your contact information for follow-up
| Stage | Target |
|---|---|
| Acknowledgment | Within 5 business days |
| Initial assessment | Within 10 business days |
| Fix or mitigation plan | Depends on severity |
We will coordinate disclosure timing with you. Credit will be given if desired and appropriate.
Intergrax implements security as a control plane within the Harness AI platform. Canonical references:
| Topic | Document |
|---|---|
| Policy engine | docs/intergrax_runtime_architecture.md §42.11 |
| Security control plane | docs/guides/AGENT_CREATION_GUIDE.md Appendix S |
| Production hardening | docs/intergrax_runtime_architecture.md Phase U |
| Harness audit (security layers) | docs/guides/INTEGRAX_HARNESS_AUDIT_MAP.md |
- PolicyEngine — pre-run, pre-tool, post-tool governance hooks
- ToolRuntime — unified tool gateway with policy, trace, and idempotency
- Tier boundaries — agents cannot bypass Nexus to access integrations directly
- Human-in-the-loop (HITL) — governance gates for sensitive operations
- Trace & audit — observability for security-relevant events
- Cost governance — budget controls for LLM and tool usage
- Never commit API keys, tokens, passwords, or
.envfiles - Use environment variables — see integration docs in docs/architecture/INTEGRATIONS.md
- Rotate credentials if accidentally exposed
- Dependencies managed via
uv/pyproject.toml - Report supply-chain concerns to the security email above
- New tools must go through
ToolRuntimewith policy hooks - Do not bypass
PolicyEnginefor convenience - Follow docs/guides/AGENT_CREATION_GUIDE.md Appendix S for security wiring
- Local Docker backends: infra/README.md — do not expose to public networks in development
- Lab harness presets: docs/guides/HARNESS_ENVIRONMENT.md
- Nexus runtime (
intergrax/runtime/) - ToolRuntime and PolicyEngine
- Integration connectors (
intergrax/integrations/) - Tool and skill execution paths
- Application hosts (
applications/) - Authentication/authorization in application APIs
- Data handling in RAG and memory subsystems
- Third-party LLM provider security (report to the provider)
- User-deployed infrastructure misconfiguration
- Social engineering
- Denial of service against public endpoints not operated by the project
Intergrax is proprietary software. See LICENSE. Security reports are handled confidentially.