Security architecture and honest limits.

Vortalis is a runtime governance proxy. This is what it defends against, where its perimeter ends, and what an operator handles alongside it.

  • Every agent action is decided by policy before it executes, sensitive fields are tokenised out of agent context, and every decision is signed into an audit chain an independent auditor can verify offline.
  • A kill switch can pause an agent, a class of action, a session, or the whole estate in seconds, and human-in-the-loop approval is policy-driven and instrumented for the over-reliance failure mode.
  • Custom-code adapters run under a resource-limited sandbox with an AST-allowlist validator, with namespace, cgroup, and seccomp confinement where the host runtime supports it (the sandbox remains EXPERIMENTAL pending external review).

Where the perimeter ends.

01

Goal drift over long-horizon agent trajectories.

Vortalis does not detect an agent quietly drifting from its mandate across a long session. Reliable goal-drift detection is an open research problem, and the proxy decides individual actions at the boundary rather than scoring the trajectory those actions trace over time. The operator gets a complete per-session audit chain as forensic evidence, and sets the policy and kill-switch boundaries that cap how far any single action can reach, so a drifting agent is still constrained action by action even where the drift itself is not flagged.

02

Governance-aware adversarial agents in the strong sense.

Vortalis does not promise to defeat an adversary that models the proxy and adapts to it. A determined attacker can probe the denial surface and tune its behaviour against the responses it sees, and no static policy closes that gap completely. Vortalis raises the cost of the attack: denial reasons are sealed to the agent and visible only in the operator audit chain, and rate limits starve the attacker of the training signal it needs to fit the policy. The operator runs continuous detector retraining so the defence improves over time rather than standing still against a moving adversary.

03

Emergent multi-agent coordination via legitimate shared services.

Vortalis does not detect two agents coordinating through a neutral third service that records no delegation between them. The joint-action evaluator matches correlated actions across the recent per-tenant audit history, so where a prior delegated action appears in the window the second action can be denied, but coordination through shared mutable state on an unrelated system leaves nothing correlated for it to match. The operator constrains which shared services agents may touch, narrows the actions each agent is allowed at all, and reviews the per-agent audit chains for the activity that does surface.

04

AGI containment.

Vortalis does not contain a superintelligent agent, and a runtime governance proxy is the wrong layer to claim it could. What the proxy provides stays meaningful against a far more capable agent: forensic evidence of every action, authority termination through scoped kill switches, and a cryptographically attested audit chain. The operator treats these as forensics and revocation, not containment, and keeps containment-grade controls at the model and infrastructure layers.

05

Cross-modal injection at the model-capability layer.

Vortalis does not catch an instruction hidden in an image or audio input that text-only inspection cannot see. That is a model-capability problem, and it is decided before the agent reaches the proxy boundary. An agent's declared input modes are published on its AGAP™ agent card, but Vortalis does not inspect payloads for off-mode content, so the defence against the injection itself belongs at the model-provider layer, which the operator owns alongside the proxy.

06

Model-provider compromise upstream of the agent.

Vortalis does not observe or prevent a compromise of the underlying model provider or its weights. The proxy's scope begins at the agent's first boundary call, downstream of where the model is served, so a tampered model or a breached provider is outside what a runtime governance proxy can see. An operator whose threat model includes the model provider adds controls at that boundary (separate signing keys, dedicated inference infrastructure, and attested model artefacts) alongside Vortalis, not within it.

07

Counterparty certification on regulated-industry adapters.

Vortalis ships fully implemented adapter code across financial markets, healthcare, legal, and agentic commerce, each with a credential validator and the same pre-policy and audit-chain enforcement as every other adapter, but it does not ship the counterparty certification from the operator of the production network. Routing real settlement, clinical, trading, or legal traffic through one of these adapters requires the conformance, certification, and onboarding work specific to that network, which only the deployer can complete with the counterparty. The adapter handles the protocol; the operator completes the regulator-facing certification.

Two facts about the design we will not soften.

08

Vortalis itself sees real data in memory between decrypt and tokenise.

For the few milliseconds between credential decryption and the tokenisation step on the return path, the proxy holds cleartext credentials and cleartext upstream response data in process memory. This is structural, not accidental: the adapter needs real credentials to call the upstream API and real response data to apply the tokenisation rules. An operator whose threat model includes Vortalis itself runs the proxy inside confidential computing, or runs adapters under enclave-based execution, as a layer on top of Vortalis rather than a feature within it. We state this boundary plainly rather than imply the data is never in the clear.

09

Adapter execution is stateless by design.

Every adapter receives a dict of parameters plus decrypted credentials, calls the upstream API, and returns a dict, with no database access, no side state, and no shared module-level mutable state. This is load-bearing for the claim that every action is decided by policy before it executes; stateful adapters would open paths where a decision is made before partial state from a prior call has settled, which would quietly undermine the very property the audit chain attests to. Use cases that need remember-this-for-next-time semantics are served by per-tenant configuration in the control plane, which the operator owns and which is itself governed, not by adapter-local state that no policy can see.
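The stateless contract in item 09 (parameters plus credentials in, a dict out, no module-level mutable state) is something the AST-allowlist validator from the sandbox bullet can enforce before an adapter is ever loaded. The validator below is an added illustration written for this page, not Vortalis code; the node and import allowlists, the `call_upstream` entrypoint name and both sample adapters are constructed assumptions.

```python
import ast
# Node types an adapter body may use; anything else fails the allowlist.
ALLOWED_NODES = {
    ast.Module, ast.Import, ast.ImportFrom, ast.alias, ast.FunctionDef,
    ast.arguments, ast.arg, ast.Return, ast.Expr, ast.Call, ast.keyword,
    ast.Attribute, ast.Name, ast.Load, ast.Store, ast.Constant, ast.Dict,
    ast.Subscript, ast.Assign, ast.JoinedStr, ast.FormattedValue,
}
ALLOWED_MODULES = {"json", "httpx"}   # constructed import allowlist
ENTRYPOINT = "call_upstream"          # hypothetical adapter entrypoint name

def validate_adapter(source: str) -> list:
    # Returns the violations found; an empty list means the adapter passes.
    problems, tree = [], ast.parse(source)
    # Module level may hold only imports and the entrypoint; anything else is state shared across calls.
    for node in tree.body:
        if isinstance(node, ast.Import):
            mods = [a.name.split(".")[0] for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [(node.module or "").split(".")[0]]
        elif isinstance(node, ast.FunctionDef) and node.name == ENTRYPOINT:
            continue
        else:
            problems.append(f"line {node.lineno}: module-level {type(node).__name__} not allowed")
            continue
        problems += [f"line {node.lineno}: import of {m!r} not allowlisted"
                     for m in mods if m not in ALLOWED_MODULES]
    if not any(isinstance(n, ast.FunctionDef) and n.name == ENTRYPOINT for n in tree.body):
        problems.append(f"missing entrypoint {ENTRYPOINT!r}")
    # Structural allowlist over every node (global, lambda, while, try all fail), plus a dunder-attribute check.
    for node in ast.walk(tree):
        if type(node) not in ALLOWED_NODES:
            problems.append(f"line {getattr(node, 'lineno', '?')}: {type(node).__name__} not allowlisted")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            problems.append(f"line {node.lineno}: dunder attribute {node.attr!r}")
    return problems

# Constructed samples: GOOD obeys the contract; BAD keeps a module-level cache, uses `global`, and imports os.
GOOD_ADAPTER = '''import httpx
def call_upstream(params, credentials):
    resp = httpx.get(params.get("url"), headers={"Authorization": credentials.get("token")})
    return {"status": resp.status_code, "body": resp.text}
'''
BAD_ADAPTER = '''import os
_cache = {}
def call_upstream(params, credentials):
    global _cache
    _cache.update(params)
    return {"env": os.environ.get("HOME")}
'''
```

Running `validate_adapter(BAD_ADAPTER)` reports the non-allowlisted import, the module-level assignment and the `global` statement as three separate violations, while the GOOD adapter returns an empty list.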

We move an item off this page only when there is real engineering behind the move, never when there is real marketing behind it.

Talk to an engineer about your threat model