Security architecture
Security isn't a feature.
It's the architecture.
Other tools bolt on safety after the fact. Salsa was designed from day one so that dangerous actions are structurally impossible — enforced by cryptography, not instructions.
Deterministic Semantic Protocol
DSP is Salsa's mathematical firewall. Every agent action — reading a file, calling an API, executing a command — must be encoded as a signed, deterministic frame before it can run. There is no way to express a dangerous action in the protocol. It's not blocked. It's unrepresentable.
Each DSP frame is 87–91 bytes: a 16-byte header, 3–7 bytes of intent bytecode, a 64-byte Ed25519 signature, and a CRC32 checksum. Every frame passes through five verification gates before execution is permitted.
Five verification gates
Every action. Five checks. No exceptions.
Before any agent-generated action executes, it must pass all five gates in sequence. Failure at any gate halts execution immediately. No fallback. No retry without re-signing.
Magic Gate
Validates the ATLS magic bytes. Rejects non-DSP traffic instantly. No parsing of unknown frames.
Version Gate
Confirms protocol version compatibility. Prevents downgrade attacks. Forward-compatible by design.
Codebook Gate
Verifies the intent is registered in the active codebook. Unregistered intents are structurally impossible to execute.
Epoch Gate
Checks temporal validity. Expired or future-dated frames are rejected. Prevents replay attacks.
Signature Gate
Ed25519 cryptographic verification. Proves the frame was signed by an authorized key. Tampered frames fail instantly.
Intent classification
Five risk tiers. Enforced by code.
Every action is classified into one of five intent tiers. Higher tiers require progressively stronger authorization. Catastrophic intents are cryptographically impossible to represent in the default codebook.
| Class | Byte | Description | Example | Gate |
|---|---|---|---|---|
| Query | 0x0X |
Read-only operations | List directory, read config | DSP signature |
| Mutate | 0x1X |
State-changing operations | Write file, create directory | DSP + QA review |
| Communicate | 0x2X |
External network calls | API calls, web fetch | DSP + sandbox |
| System | 0x3X |
System-level operations | Service restart, config change | DSP + admin approval |
| Catastrophic | 0x4X |
Destructive / irreversible | Delete volumes, drop databases | Unrepresentable |
VM sandbox isolation
Untrusted agent output never touches your machine.
Every autonomous agent action executes inside an isolated virtual machine. Not a container. Not a namespace. A full VM with its own kernel, its own filesystem, and a single communication channel back to the host.
Full kernel isolation
Apple Virtualization.framework provides hardware-enforced separation. Not a Docker container — a real VM with its own Linux kernel.
Single communication channel
The sandbox communicates only via VSock port 4100 using length-prefixed JSON. No shared filesystem. No network bridge. No escape routes.
Fail-closed by default
If the sandbox is unavailable, Salsa blocks the task and reports the error. It never falls back to executing on your host. Never.
Golden image
The sandbox boots from a read-only golden image. Every session starts clean. No persistent state. No accumulated attack surface.
CommandGuard
Governance is middleware, not a suggestion.
CommandGuard wraps every execution path in Salsa. It's not a prompt instruction telling the agent to "be careful." It's compiled Rust code that sits between intent and execution, enforcing DSP verification and GridPolicy rules before any action runs.
pub async fn execute(
&self,
intent: DspFrame,
) -> Result<ExecutionResult> {
// Gate 1: DSP cryptographic verification
self.verifier.verify(&intent)?;
// Gate 2: Policy enforcement
self.policy.check(&intent)?;
// Gate 3: Route to sandbox
self.sandbox.execute(intent).await
}Immutable audit trail
Every action. Every decision. Forever.
Salsa uses event sourcing — an append-only log where every state change is recorded as an immutable event. You can replay history, rebuild views, and trace exactly what happened, when, and why. Nothing is overwritten. Nothing is deleted.
Append-only
Events are written once and never modified. The log is the source of truth. Current state is a projection of the event history.
SQLite WAL
Write-Ahead Logging provides crash-safe durability on your local machine. No cloud dependency. No network latency.
CQRS architecture
Command/Query Responsibility Separation keeps write paths (commands) isolated from read paths (queries). Clean, auditable, testable.
Full replay
Rebuild any view from scratch by replaying the event log. Debug issues by stepping through the exact sequence of actions that led to any state.
Built in Rust
233,000+ lines of Rust.
Zero garbage collection.
Salsa is written entirely in Rust — the same language trusted by the teams behind Discord, Figma, Cloudflare, Dropbox, 1Password, and the Linux kernel itself. Memory safety guaranteed at compile time. No runtime overhead. No null pointer exceptions.
What those lines do
Trusted by the best in the industry
Rust isn't just another programming language. It's a compile-time guarantee that entire categories of bugs — buffer overflows, data races, use-after-free, null dereferences — simply cannot exist in your running software. That's why these companies chose it:
Discord
Rewrote their message infrastructure from Go to Rust. Eliminated latency spikes from garbage collection. Serves 200M+ users.
Figma
Uses Rust for their multiplayer engine. Real-time collaboration at scale with zero GC pauses or memory leaks.
Cloudflare
Built their HTTP proxy (Pingora) in Rust. Handles a significant percentage of all internet traffic. Memory-safe at the edge.
Dropbox
Rewrote their sync engine in Rust. Handles billions of files with predictable performance and zero runtime crashes.
1Password
Core cryptographic engine written in Rust. When your job is protecting secrets, memory safety isn't optional.
Linux Kernel
Rust is the first new language accepted into the Linux kernel in 30+ years. Linus Torvalds approved it for kernel modules.
The competitive moat
What competitors don't have
No sandbox
Claude Code and Cursor run agent-generated commands in your terminal. Devin runs in a cloud container you don't control. Salsa runs in a local VM you own.
No cryptographic verification
No competing tool cryptographically signs and verifies every action before execution. They rely on prompt instructions — which can be bypassed.
No audit trail
Session logs that disappear when you close the tab are not an audit trail. Salsa's event-sourced log is append-only and permanent.
No intent classification
Other tools treat all actions the same. Salsa classifies every intent into five risk tiers with progressively stronger gates.
No local-first guarantee
Most agent tools require your code and data to travel to their servers. Salsa runs on your Mac. Your data never leaves your machine.
Not built in Rust
Python, TypeScript, Go — languages with garbage collection, runtime exceptions, and undefined behavior. Salsa's 233K lines of Rust guarantee memory safety at compile time.
Security you can verify.
Request access to the Salsa beta and see the security architecture for yourself.