Technical Deep Dive

Security Architecture

This document provides complete technical detail on every layer of the AgencyBoxx security architecture. It is intended for CTOs, security teams, and technical evaluators who need to understand exactly how the system protects agency data, client isolation, and operational integrity.

Network Architecture

The machine running your AI agents has no public ports, no open SSH, and no externally routable IP address.

Tailscale Mesh VPN

Every connection is encrypted end-to-end and authenticated by device identity. There is no VPN concentrator to compromise, and the mesh topology means there is no single point of failure. Operators can connect from anywhere without opening ports or configuring a traditional VPN.

macOS PF Firewall

A second layer of defense at the packet filter level. Even if Tailscale were bypassed, the firewall blocks all inbound connections that do not originate from the Tailscale network.

SSH Lockdown

Access is restricted exclusively to Tailscale IP addresses. Password authentication is disabled; only key-based authentication is accepted.

The Result

There is no attack surface to scan, no port to probe, and no login page to brute-force. The machine is invisible to the public internet.

Agent Permission Matrix

Security defaults to least privilege. Every expansion of permissions is intentional and documented.

AI Gateway

Read: Slack, ClickUp, Drive, Front, Calendar, HubSpot
Write: Slack messages, orchestration
Approval: Cross-agent coordination
Restrictions: Cannot merge client contexts

Knowledge Base Agent

Read: All knowledge sources, project data, all Slack channels
Write: None
Approval: None required
Restrictions: Blocks queries about compensation, HR, personal comms

Executive Assistant Agent

Read: Gmail, Calendar, Slack, Knowledge Base
Write: Email drafts, Slack messages
Approval: All outbound emails
Restrictions: Draft must pass blocklist scanner

Client Experience Agent

Read: Front inboxes, ClickUp, Knowledge Base, email history
Write: Email drafts, Slack reports
Approval: All client email replies
Restrictions: Drafts pass blocklist scanner, correction loop active

Delivery & Compliance Agent

Read: ClickUp tasks and time entries
Write: Slack reminders and reports
Approval: None required
Restrictions: Zero LLM cost. Pure Python automation. No AI model access.

BDR Agent

Read: Hunter.io, ZeroBounce, HubSpot directory
Write: Airtable records, Slack reports
Approval: All outbound messages
Restrictions: CEO approval gate on any external communication

Security Agent

Read: All configs, logs, file permissions, ports, dependencies
Write: Permission fixes, config corrections, remediation scripts
Approval: None required
Restrictions: Cannot modify application code. Allowlisted commands only. Dangerous operations blocked.

Operations Intelligence Agent

Read: Service health, cron schedules, disk usage, credentials expiry
Write: Upkeep task execution, Slack reports
Approval: None required
Restrictions: AI-gated execution with safety checks. Cannot modify security configs.

Content Publishing Agent

Read: Meeting transcripts, brand voice profiles, content calendar
Write: Blog drafts, LinkedIn drafts, Slack reports
Approval: All published content
Restrictions: Draft must pass brand voice validation and human review

Client Data Isolation

Every client gets a unique code that enforces data boundaries across every platform at the database level, not through prompt instructions.

Illustration: with client code ABC active, an agent query returns ABC data only, plus global knowledge (HubSpot docs, best practices). Data tagged XYZ, QRS, or MRD is out of scope for that query.

Universal Client Code System

Every client is assigned a unique code that tags their data across every platform: ClickUp spaces, Google Drive folders, email tags, Airtable records, and RAG knowledge base namespaces. This code is the primary key for data isolation at every layer.

Three-Database Separation

The knowledge system uses three separate database tiers to enforce access control at the database boundary:

  • Public Knowledge: HubSpot documentation, general best practices (accessible to all queries)
  • Internal Agency Knowledge: SOPs, team docs, operational playbooks (accessible to internal queries only)
  • Client-Specific Knowledge: Emails, meeting transcripts, project history (accessible only when the matching client code is active)

Cross-Agent Rules

No client data is shared between agents except through explicit, logged handoffs. The orchestrator agent coordinates workflows but does not merge client contexts. All data access is logged with the client code attached, making unauthorized cross-contamination both preventable and detectable.

Multi-Instance Isolation

The system runs across three separate macOS user accounts on the same hardware, each with its own process space and file permissions. A shared group grants controlled read-only access to common databases. Cross-instance file exchange uses a permission-locked dropbox directory. No instance can write to another's data directly.

Blocked Knowledge Sources

When drafting client-facing content, the system is explicitly blocked from querying internal agency knowledge and other sources that could cause identity leaks. Only safe sources are queried: HubSpot documentation, the specific client's own email history, and meeting transcripts filtered by client.
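Putting the three tiers and the client-facing block together, as an added example that is not AgencyBoxx code: a resolver that decides at the database boundary which namespaces a query may read, given the active client code and whether the result feeds a client-visible draft. The namespace names, the sample store, and the audit list are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC = "public"          # HubSpot docs, best practices: every query
INTERNAL = "internal"      # SOPs, playbooks: internal queries only
CLIENT_PREFIX = "client:"  # one namespace per universal client code

# Constructed sample store: namespace -> documents
STORE = {
    PUBLIC: ["HubSpot workflow docs"],
    INTERNAL: ["Agency onboarding SOP"],
    "client:ABC": ["ABC Q2 launch transcript"],
    "client:XYZ": ["XYZ renewal email thread"],
}
AUDIT: list[dict] = []  # every access is recorded with the client code attached

@dataclass(frozen=True)
class QueryContext:
    client_code: Optional[str]  # active universal client code, or None
    client_facing: bool         # True when the result feeds a client-visible draft

def allowed_namespaces(ctx: QueryContext) -> set[str]:
    """Decide at the database boundary, not in the prompt, what a query may read."""
    allowed = {PUBLIC}
    # Internal agency knowledge is a source of identity leaks, so it is
    # unreachable whenever the output is client-facing.
    if not ctx.client_facing:
        allowed.add(INTERNAL)
    # Client data is reachable only through the matching active code; other
    # clients' namespaces never enter the set, so nothing has to be filtered later.
    if ctx.client_code:
        allowed.add(CLIENT_PREFIX + ctx.client_code)
    return allowed

def query(ctx: QueryContext, store: dict = STORE) -> list[str]:
    """Return documents from permitted namespaces and log the access."""
    names = allowed_namespaces(ctx)
    AUDIT.append({"client_code": ctx.client_code, "client_facing": ctx.client_facing,
                  "namespaces": sorted(names)})
    return [doc for ns, docs in store.items() if ns in names for doc in docs]
```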

Identity Protection

AI-generated communications must never reveal your agency's internal operations, that AI was involved, or that any other client exists.

Identity Injection

Every draft generation prompt includes a mandatory identity block. The AI is instructed that it is a team member at the specific client's agency, writing in their voice. Your agency name does not exist in its vocabulary. It cannot reference internal domains, tools, channels, team members, other clients, or the fact that it is an AI system.

The Blocklist Scanner

After every draft is generated, it passes through a hard-gate blocklist scanner before it can be posted to Slack or sent to a client. The scanner checks against 60+ blocked terms: your agency name, internal domain names, AI system names, agent names, and the full list of all client codes.

If any match is detected, the draft is blocked entirely. It is not posted. It is not sent. A violation alert goes to the emergency channel. There is no override mechanism.

This is a hard gate by design. The cost of a false positive (a delayed response) is dramatically lower than the cost of a false negative (an identity leak to a client).
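A minimal version of such a hard gate, as an added example rather than the AgencyBoxx scanner: terms are grouped by the categories the page names, matching is case- and Unicode-normalised, and short tokens such as client codes match whole words only so a code does not trip on an unrelated word. Every blocked term below is constructed.

```python
import re
import unicodedata

# Constructed blocklist, one list per category the page names. A real deployment
# carries 60+ terms; the client-code list must include every code in use.
BLOCKED_TERMS = {
    "agency name": ["Example Agency"],
    "internal domain": ["example-agency.internal", "ops.example.test"],
    "ai system": ["OrchestratorBot"],
    "agent name": ["AI Gateway", "Knowledge Base Agent"],
    "client code": ["ABC", "XYZ", "QRS", "MRD"],
}

def _normalize(text: str) -> str:
    # Fold case and compatibility forms (e.g. fullwidth letters) so a cosmetic
    # variation of a blocked term still hits the plain pattern below.
    return unicodedata.normalize("NFKC", text).casefold()

def scan_draft(draft: str) -> list[tuple[str, str]]:
    """Return every (category, term) hit; an empty list means the draft is clean."""
    norm = _normalize(draft)
    hits = []
    for category, terms in BLOCKED_TERMS.items():
        for term in terms:
            pattern = re.escape(_normalize(term))
            # Short tokens such as client codes match whole words only, so the
            # code "ABC" does not block "abcdef"; longer terms match anywhere.
            if len(term) <= 4:
                pattern = r"(?<![a-z0-9])" + pattern + r"(?![a-z0-9])"
            if re.search(pattern, norm):
                hits.append((category, term))
    return hits

def gate(draft: str) -> tuple[bool, list[tuple[str, str]]]:
    """Hard gate: any hit blocks the draft; there is deliberately no override path."""
    hits = scan_draft(draft)
    return (not hits, hits)
```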

Draft Scan (demo input): "Hi Sarah, thanks for the update on the Q2 timeline. We have reviewed the revised schedule and the adjusted launch dates work for our team."

Self-Healing Infrastructure

50+ services monitored across three isolated instances. When something breaks, the system fixes itself before you notice.

Watchdog Service

A dedicated monitor checks all 50+ services continuously. When a service fails consecutive health checks, the watchdog auto-restarts it. If the restart fails, an alert escalates to the critical channel.

Stale Connection Detection

Monitors Slack WebSocket connections and detects duplicate or stale connections that cause message routing issues. Auto-restarts the gateway when anomalies are detected.

Scheduled Job Monitoring

Tracks whether all cron jobs ran on time and completed successfully. Missing or late jobs trigger alerts.

Critical Escalation

If the main gateway is down for 10+ continuous minutes, or if 3+ services are simultaneously down, the system escalates to the dedicated critical alert channel.

Boot Recovery

All services use macOS LaunchAgents with KeepAlive and RunAtLoad settings. If the machine reboots (power outage, update), every service comes back automatically. Each LaunchAgent pins a specific Python version to prevent breakage from system updates.

Daily Encrypted Backup

Every database and knowledge base is backed up daily to Google Drive using chunked resumable uploads with exponential backoff. Failed uploads retry automatically. Backup failures alert to the critical channel. Combined with nightly git snapshots, the system can be restored to any previous day's state.

Service Health (dashboard illustration; all services shown Healthy except Draft Service, shown Restarting): AI Gateway, Email Poller, Draft Service, Slack Monitor, Front Monitor, Email Draft Agent, Time Tracking, Meeting Intel, Security Agent, Upkeep Brain, Watchdog, Cron Dispatcher.

Alert System

A dedicated alert channel surfaces the most important signals across all agents, all services, and all clients.

  • Client Risk (critical): Cancellation language detected in emails, upset client sentiment in meeting transcripts, SLA breaches
  • Security Violations (critical): Blocklist matches, cross-client data references in drafts
  • Operational Failures (critical): Gateway down 10+ minutes, 3+ services simultaneously down, crash-looping services
  • Revenue Signals (high): Stalled deliverables, unmatched meeting promises, inbound quote or proposal requests
  • Team Concerns (high): Employee workload or morale concerns detected in meeting transcripts, unanswered CEO mentions after 2+ hours
  • SLA Escalations (high): Progressive alerts at 4, 6, 7, and 8 hour thresholds with escalating urgency

30-minute deduplication prevents alert fatigue. 27 services feed into the alert system. Graceful fallback ensures that if the alert system itself is unavailable, all calling services continue running normally.

Autonomous Security Agent

A dedicated AI security agent monitors the entire infrastructure around the clock, diagnoses issues, and fixes them automatically with safety guardrails at every step.

Six Continuous Security Checks

Every 120 seconds, the security agent validates file permissions on all credential-bearing files, scans for unexpected open ports, checks service logs for credential leaks and prompt injection attempts, verifies configuration integrity, detects configuration drift via SHA-256 baselines, and monitors log health across all services.

Weekly Deep Audit

Every Sunday at 4 AM, a comprehensive audit adds four additional checks: RAG access control verification, cross-instance database permissions, dependency vulnerability scanning via pip-audit and npm audit, and threat intelligence feed monitoring. A full report with AI-generated risk scoring is produced automatically.

AI-Powered Self-Healing

When the security agent finds an issue it cannot auto-fix with standard rules, it escalates to a five-stage AI diagnostics pipeline: gather context, distill with a fast model, diagnose with a reasoning model, execute the fix with safety guardrails, and verify the result. Dangerous commands are blocked by an explicit allowlist and blocklist system.

Cross-Instance Remediation

Fixes propagate securely across all three system instances through a permission-locked dropbox mechanism. Each instance runs a remediation watcher that validates, executes, and logs approved fix scripts with timeout protection.

Learned Fix Database

Successful fixes are persisted and reused when the same issue recurs. The security agent gets smarter over time, resolving known issues instantly without invoking AI diagnostics again.

Log Integrity Monitoring

SHA-256 hash chains track every service log file for evidence of tampering or truncation. Stale services (no log writes in over an hour for always-active processes) trigger alerts. 28 service log directories are monitored continuously.
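What a hash chain over a log file buys a defender, as an added example (not the AgencyBoxx implementation): each line is folded into a running SHA-256 digest, a checkpoint records the digest and line count at the last clean check, and the next check distinguishes honest appends from truncation and from edits to earlier lines. The seed value, the staleness helper, and the sample log lines are constructed.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

GENESIS = hashlib.sha256(b"agencyboxx-log-chain").hexdigest()  # constructed seed

def chain_digest(lines: list[str]) -> str:
    """Fold every line into the running digest; order and content both matter."""
    digest = GENESIS
    for line in lines:
        digest = hashlib.sha256((digest + "\n" + line).encode("utf-8")).hexdigest()
    return digest

@dataclass(frozen=True)
class Checkpoint:
    line_count: int
    digest: str

def checkpoint(lines: list[str]) -> Checkpoint:
    """Record how far the chain reached at the last clean check."""
    return Checkpoint(len(lines), chain_digest(lines))

def verify(lines: list[str], cp: Checkpoint) -> str:
    """Classify the current file against the stored checkpoint."""
    if len(lines) < cp.line_count:
        return "truncated"   # lines that were already checkpointed are gone
    if chain_digest(lines[: cp.line_count]) != cp.digest:
        return "tampered"    # an earlier line was edited, removed, or reordered
    return "ok"              # only appends since the checkpoint

def is_stale(last_write_epoch: float, now: Optional[float] = None, max_idle_s: int = 3600) -> bool:
    """Always-active services must write within an hour (the page's threshold)."""
    now = time.time() if now is None else now
    return now - last_write_epoch > max_idle_s

# Constructed sample log for an always-active service
SAMPLE = [
    "2024-01-01T00:00:00Z email_poller INFO polled 12 messages",
    "2024-01-01T00:05:00Z email_poller INFO polled 3 messages",
]
```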

Audit Trail and Code Quality

Complete Audit Trail

  • JSONL Action Logs: Every service records timestamp, message ID, sender, action type, rule matched, label applied, priority, confidence score, and outcome.
  • Write Safety: Log writes are protected by file locking with a 10-second retry timeout. No data corruption from concurrent processes.
  • Log Rotation: Rotating file handlers (5 MB per file, 3 backups) prevent unbounded disk growth. Nightly cleanup deletes temp logs older than 30 days.
  • Version Control: Daily auto-commit at 11:30 PM captures the full state of all non-secret files to a private GitHub repository. Roll back to any previous day's state.

Code Quality as Security

  • Zero bare except clauses in production code. Every exception handler catches specific types.
  • Explicit timeouts on all external API calls (10 to 30 seconds). No call hangs indefinitely.
  • Parameterized SQL queries throughout. Formal audit identified and fixed all injection patterns.
  • Atomic file writes using the tmp-plus-rename pattern. No corruption from interrupted writes.
  • Formal code audits with documented, repeatable process. All critical issues resolved across multiple fix sessions.
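The two write-safety patterns above (locked JSONL appends with a 10-second retry timeout, and tmp-plus-rename atomic writes) in one added example that is not AgencyBoxx code. It assumes a POSIX platform with fcntl, which matches macOS; the lock-file naming, the 0600 mode on the temp file, and the demo records are constructed.

```python
import fcntl, json, os, tempfile, time
from contextlib import contextmanager

@contextmanager
def locked(path, timeout_s=10.0, poll_s=0.05):
    """Exclusive lock on path + '.lock', retried non-blocking until timeout."""
    fd = os.open(path + ".lock", os.O_RDWR | os.O_CREAT, 0o600)
    deadline = time.monotonic() + timeout_s
    try:
        while True:
            try:
                fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
                break
            except BlockingIOError:
                if time.monotonic() >= deadline:
                    raise TimeoutError(f"lock on {path} not acquired in {timeout_s}s")
                time.sleep(poll_s)
        yield
    finally:
        fcntl.flock(fd, fcntl.LOCK_UN)
        os.close(fd)

def append_jsonl(path, record):
    """Append one fully formed audit line under the lock, then fsync."""
    line = json.dumps(record, sort_keys=True) + "\n"
    with locked(path), open(path, "a", encoding="utf-8") as fh:
        fh.write(line)
        fh.flush()
        os.fsync(fh.fileno())

def atomic_write(path, data):
    """tmp-plus-rename: write beside the target, fsync, then os.replace()."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".tmp-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o600)   # lock permissions down before the file becomes visible
        os.replace(tmp, path)  # atomic on POSIX: readers see old or new, never partial
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def read_jsonl(path):
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]

def demo():
    """Constructed run in a throwaway directory: two locked appends, one atomic write."""
    d = tempfile.mkdtemp()
    log, cfg = os.path.join(d, "actions.jsonl"), os.path.join(d, "state.json")
    append_jsonl(log, {"ts": 1, "action": "label", "client_code": "ABC"})
    append_jsonl(log, {"ts": 2, "action": "draft", "client_code": "ABC"})
    atomic_write(cfg, '{"version": 1}')
    with open(cfg, encoding="utf-8") as fh:
        return read_jsonl(log), fh.read()
```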

Threat Mitigation

These are not theoretical risks. They are documented attack vectors and failure modes in the AI agent ecosystem.

Prompt Injection

Risk

Client emails, meeting transcripts, and ingested content could contain adversarial instructions designed to manipulate AI behavior.

Mitigation

A dedicated 7-category sanitization engine strips adversarial content from all untrusted input before it enters any LLM prompt. It detects instruction overrides, role markers, XML boundary injection, jailbreak patterns, role spoofing, and unicode control character attacks. Deployed across every service that processes external text. The human approval gate provides a second layer of defense on all outbound content.

Supply Chain Attacks

Risk

AI agent ecosystems face supply chain risks from malicious community-contributed skills and compromised dependencies.

Mitigation

All third-party skills are manually reviewed before installation. VirusTotal checks run on skill packages. The system operates in whitelist mode: only explicitly approved skills are loaded. No auto-install of community packages. Weekly dependency vulnerability scanning via pip-audit and npm audit catches known CVEs in existing packages.

Excessive Agency

Risk

The OWASP Agentic AI guidelines identify this as a primary failure mode: an AI system taking actions beyond its intended scope.

Mitigation

The trust escalation model, tool permission matrix, and human approval framework are direct mitigations. Agents cannot expand their own permissions. Every new capability follows a defined deployment process with a supervised trial period.

Inbound Defense

Every piece of external content passes through multiple detection layers before it reaches any AI model or workflow.

Prompt Injection Sanitization

A dedicated 7-category sanitization engine processes all untrusted input before it enters any LLM prompt. It detects and strips instruction overrides, role markers, XML boundary injection, jailbreak patterns, role spoofing lines, and unicode control character attacks. The sanitizer never raises exceptions: it logs warnings and returns cleaned text. Deployed across every service that processes external text.
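An illustration of the strip-log-and-never-raise contract described here, as an added example and not the page's own sanitize_for_prompt(). It implements four of the categories the page lists (instruction overrides, role markers, XML boundary injection, Unicode control characters); the patterns, the category names, and the sample inputs are constructed, and the jailbreak and role-spoofing categories are left out.

```python
import logging
import re
import unicodedata

log = logging.getLogger("sanitizer")

# Category -> pattern. Matches are removed, not rewritten, so the legitimate
# text around them (the actual client email) survives intact.
CATEGORIES = {
    "instruction_override": re.compile(
        r"\b(ignore|disregard|forget)\b[^.\n]{0,40}\b(previous|prior|above|all)\b"
        r"[^.\n]{0,40}\b(instructions?|rules?|prompts?)\b", re.IGNORECASE),
    "role_marker": re.compile(r"^\s*(system|assistant|user)\s*:\s*",
                              re.IGNORECASE | re.MULTILINE),
    "xml_boundary": re.compile(
        r"</?\s*(system|instructions?|prompt|tool_call|function_call)\b[^>]*>",
        re.IGNORECASE),
}

def _strip_controls(text: str) -> tuple[str, int]:
    """Drop Unicode control/format characters (Cc/Cf) except newline and tab."""
    kept, dropped = [], 0
    for ch in text:
        if ch in "\n\t" or unicodedata.category(ch) not in ("Cc", "Cf"):
            kept.append(ch)
        else:
            dropped += 1
    return "".join(kept), dropped

def sanitize_for_prompt(text: str, source: str = "unknown") -> tuple[str, dict[str, int]]:
    """Return (cleaned_text, hits_per_category). Logs warnings; never raises."""
    hits: dict[str, int] = {}
    try:
        text = unicodedata.normalize("NFKC", text)
        text, dropped = _strip_controls(text)
        if dropped:
            hits["unicode_control"] = dropped
        for name, pattern in CATEGORIES.items():
            text, n = pattern.subn("", text)
            if n:
                hits[name] = n
        for name, n in hits.items():
            log.warning("sanitizer: %s removed %d match(es) from %s", name, n, source)
        return text, hits
    except Exception as exc:  # a sanitizer fault must never take the caller down
        log.warning("sanitizer failed on %s: %r", source, exc)
        return text, hits
```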

Phishing Detection

Inbound emails are scanned for brand spoofing, display name impersonation, leet-speak evasion (such as 'B1lling' for 'Billing'), and homoglyph typosquatting (such as 'paypa1.com' for 'paypal.com') across 80+ brand domain mappings. Detected phishing attempts are flagged and quarantined before any agent processes them.
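The normalisation step behind the two evasions named above, as an added example (not the AgencyBoxx detector): both the suspect string and the legitimate value are reduced to one "skeleton" in which look-alike digits, symbols, and Cyrillic letters collapse onto their Latin counterparts, so 'B1lling' matches 'Billing' and 'paypa1.com' matches 'paypal.com'. The look-alike classes and the three-entry brand mapping are constructed, not the page's 80+ mappings.

```python
import unicodedata

# Look-alike classes: every member maps to one representative character.
_CLASSES = {"l": "1il!|", "o": "0o", "e": "3e", "a": "4a@", "s": "5s$", "t": "7t"}
_SKELETON = str.maketrans({ch: rep for rep, members in _CLASSES.items() for ch in members})
# Cyrillic letters that render like Latin ones (constructed subset).
_CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                              "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0456": "i"})

# Constructed brand -> legitimate domain mapping.
BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "docusign": "docusign.com"}

def skeleton(text: str) -> str:
    """Case-fold, NFKC-normalise, fold confusables, then collapse look-alike classes."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return folded.translate(_CONFUSABLES).translate(_SKELETON)

def matches_keyword(text: str, keyword: str) -> bool:
    """True when keyword appears in text modulo leet-speak or homoglyph substitution."""
    return skeleton(keyword) in skeleton(text)

def check_sender(display_name: str, address: str) -> list[str]:
    """Flag typosquatted domains and display names borrowing a brand they do not own."""
    findings = []
    domain = address.rsplit("@", 1)[-1].casefold()
    for brand, legit in BRAND_DOMAINS.items():
        owns_domain = domain == legit or domain.endswith("." + legit)
        if not owns_domain and skeleton(domain) == skeleton(legit):
            findings.append(f"homoglyph typosquat of {legit}: {domain}")
        if not owns_domain and matches_keyword(display_name, brand):
            findings.append(f"display name impersonates {brand} from {domain}")
    return findings
```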

Spam Detection

A scoring engine with 100+ safe domain allowlists, keyword pattern matching, SDR outreach detection, and sender reputation analysis filters spam before it enters agent workflows. Business-critical emails from known senders are never blocked.

Sanitizer demo: sanitize_for_prompt()

Credential Management

Credentials are treated as high-value targets at every layer.

File Permissions

All credential-bearing files set to chmod 600 (owner read/write only). No credential file is world-readable. All service plists locked to mode 600.

No Hardcoded Keys

All API keys externalized to configuration files. Source code loads secrets at runtime via dedicated loader functions. Zero inline API keys in production files, validated through formal security audit.

Git Prevention

Comprehensive .gitignore blocks all auth files, credential configs, and backup files. Git history scrubbed with git filter-repo to remove any previously committed secrets from every historical commit.

Centralized Config

A single configuration file (permissions 600) serves as the source of truth for primary credentials. Service-specific configs stored separately, each gitignored and permission-locked. Compromise of one service does not expose others.

Credential Audit

Formal audit documents every credential: where stored, what scopes it has, minimum required scopes, and remediation needed. All actionable items resolved including over-scoped OAuth permissions.

See the Full Architecture Running Live

We do not send a PDF. We show you the production system, the Slack channels, the approval flows, the audit logs, and every security layer described in this document. On a live call.

Every claim in this document is verifiable in the live system.