Every message that enters Curia passes through multiple governance layers before any action is taken. Each layer adds a different kind of protection, and they compose — a message must satisfy every layer to result in an action. No single layer is the “security layer”; security is the cumulative effect of all five working together.

Layer-by-layer governance

Layer 1: Channel trust

Each channel declares a trust level based on the strength of its identity guarantees:
| Channel | Trust level | Reasoning |
| --- | --- | --- |
| CLI | High | Local access, no network exposure |
| Signal | High | Phone number + end-to-end encryption |
| HTTP API | Medium | Bearer token authentication |
| Email | Low | Email addresses are easily spoofed |

The channel trust level is the first input to the dispatch layer’s trust scoring calculation. A message from a high-trust channel starts with an advantage; a message from email starts at a deficit and must compensate through sender identity.

Layer 2: Dispatch policy

The Dispatch layer applies several policy gates before a message reaches any agent:

Trust scoring — each inbound message receives a composite trust score based on three weighted factors:

| Factor | Default weight | What it measures |
| --- | --- | --- |
| Channel trust | 0.4 | How trustworthy the channel is (from Layer 1) |
| Contact confidence | 0.4 | How well Curia knows the sender (confirmed, provisional, or unknown) |
| Injection risk penalty | 0.2 max | Whether prompt injection patterns were detected |

Messages below the trust score floor (default: 0.2) are held regardless of channel policy.

Rate limiting — global and per-sender rate limits protect against flooding. Excess messages are dropped silently and audit-logged.

Prompt injection scanning — inbound messages are checked against built-in and configurable injection patterns. Detected injection risk reduces the trust score.
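
The sketch below is an added example, not Curia's own code. It shows how a composite score built from the documented weights and floor decides between holding and forwarding a message. The formula, the contact-confidence numbers and the 0-to-1 `injection_risk` input are assumptions; the weights, the floor and the email and Signal channel values come from this page.

```python
# From the page: default weights, penalty cap, score floor, and the channel
# values its walkthrough uses (email 0.3, Signal 1.0). No number is given for
# a medium channel, so the HTTP API is left out.
W_CHANNEL, W_CONTACT, MAX_INJECTION_PENALTY, TRUST_FLOOR = 0.4, 0.4, 0.2, 0.2
CHANNEL_TRUST = {"signal": 1.0, "email": 0.3}

# ASSUMED numbers: the page names these three states but not their values.
CONTACT_CONFIDENCE = {"confirmed": 1.0, "provisional": 0.5, "unknown": 0.0}


def trust_score(channel: str, contact: str, injection_risk: float = 0.0) -> float:
    """ASSUMED formula: weighted sum minus a capped injection penalty.

    injection_risk is a hypothetical scanner output in [0.0, 1.0].
    """
    # Unrecognised channel or contact state fails closed to zero trust.
    c = CHANNEL_TRUST.get(channel, 0.0)
    k = CONTACT_CONFIDENCE.get(contact, 0.0)
    risk = min(max(injection_risk, 0.0), 1.0)  # clamp scanner output
    return max(W_CHANNEL * c + W_CONTACT * k - MAX_INJECTION_PENALTY * risk, 0.0)


def dispatch(channel: str, contact: str, injection_risk: float = 0.0) -> str:
    """Hold anything under the floor, regardless of channel policy."""
    score = trust_score(channel, contact, injection_risk)
    return "hold" if score < TRUST_FLOOR else "proceed"


if __name__ == "__main__":
    cases = [
        ("email", "unknown", 0.0),       # the page's first walkthrough
        ("signal", "confirmed", 0.0),    # the page's second walkthrough
        ("email", "provisional", 0.0),
        ("email", "provisional", 1.0),   # same sender, injection detected
    ]
    for case in cases:
        print(case, round(trust_score(*case), 2), dispatch(*case))
```

Under these assumed values, a detected injection is what moves a provisional email sender from 0.32 to 0.12 and into the hold queue.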

Layer 3: Agent autonomy

The Coordinator agent receives the task with the current autonomy score injected into its system prompt. The score maps to one of five bands that determine how independently the agent can act:
| Band | Score range | Behavior |
| --- | --- | --- |
| Full | 90–100 | Proceeds on standard operations without confirmation |
| Spot-check | 80–89 | Proceeds on routine tasks, notes consequential actions |
| Approval Required | 70–79 | Presents a plan and asks before any consequential action |
| Draft Only | 60–69 | Prepares drafts but does not send without explicit go-ahead |
| Restricted | < 60 | Advisory only, takes no independent action |

This is a behavioral governance layer — the agent self-governs based on the band description. The autonomy score applies uniformly across all agents, channels, and skills.

Layer 4: Skill action risk

Every skill declares an action_risk level in its manifest, establishing the minimum autonomy score required to execute it:
| action_risk | Minimum score | Examples |
| --- | --- | --- |
| none | 0 | Web search, reading email |
| low | 60 | Writing to memory, updating contacts |
| medium | 70 | Sending email, sending Signal messages |
| high | 80 | Creating calendar events, making commitments |
| critical | 90 | Financial actions, irreversible operations |

If the current autonomy score is below the skill’s declared floor, the execution layer blocks the invocation. This is a hard gate — unlike the autonomy band (which guides agent behavior through the prompt), skill gating is enforced architecturally.
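
To make the difference between the prompt-level band and the enforced gate concrete, here is an added example (not Curia's implementation) built from the two tables above. The manifest dictionaries, the skill names and the rule that a missing `action_risk` is treated as `critical` are assumptions.

```python
# Tables copied from the page: autonomy bands (lower bound, name) and the
# minimum autonomy score each action_risk level requires.
BANDS = [(90, "Full"), (80, "Spot-check"), (70, "Approval Required"),
         (60, "Draft Only"), (0, "Restricted")]
RISK_FLOOR = {"none": 0, "low": 60, "medium": 70, "high": 80, "critical": 90}


class SkillBlocked(Exception):
    """Raised by the execution layer; prompt text cannot override it."""


def band_for(score: int) -> str:
    """Soft layer: the band description the agent is asked to follow."""
    if not 0 <= score <= 100:
        raise ValueError(f"autonomy score out of range: {score}")
    return next(name for floor, name in BANDS if score >= floor)


def check_skill(manifest: dict, score: int) -> None:
    """Hard layer: compare the score with the skill's declared floor."""
    risk = manifest.get("action_risk")
    # ASSUMPTION: a missing or unrecognised action_risk fails closed as critical.
    floor = RISK_FLOOR.get(risk, RISK_FLOOR["critical"])
    if score < floor:
        raise SkillBlocked(f"{manifest.get('name')}: needs {floor}, score is {score}")


def invoke(manifest: dict, score: int) -> str:
    """Run the gate before the skill body would execute."""
    try:
        check_skill(manifest, score)
    except SkillBlocked as exc:
        return f"blocked ({exc})"
    return "executed"


if __name__ == "__main__":
    # Hypothetical manifests; only the action_risk values come from the page.
    send_email = {"name": "send_email", "action_risk": "medium"}
    make_event = {"name": "create_calendar_event", "action_risk": "high"}
    for score in (75, 65):
        print(score, band_for(score), invoke(send_email, score), invoke(make_event, score))
```

At a score of 65 the Draft Only band already tells the agent not to send, and the gate refuses `send_email` even if the agent ignores that instruction.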

Layer 5: Outbound safety

Before a response leaves through any channel, the outbound safety pipeline applies:
  • PII redaction — sensitive data (email addresses, phone numbers, credit card numbers, SSNs, plus custom patterns) is replaced with labelled tokens like [REDACTED: CREDIT_CARD]. Redaction policies are configurable per channel — some channels may allow phone numbers through while redacting credit cards.
  • Content filtering — deterministic rules prevent certain classes of content from being sent (display name sanitization, caller verification). An LLM-as-judge gateway for content review is planned.
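
A per-channel redaction pass could look like the following added example, which is not Curia's code. The regular expressions, the Luhn check on card candidates, the per-channel policy sets and every label other than `CREDIT_CARD` are assumptions; the sample text is constructed.

```python
import re

# ASSUMED patterns and labels; only the [REDACTED: CREDIT_CARD] token format
# is on the page. Order matters: cards and SSNs run before the looser PHONE rule.
PATTERNS = {
    "CREDIT_CARD": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"(?<!\w)\+?\d[\d ()-]{7,}\d\b"),
}

# ASSUMED policies: this Signal policy lets phone numbers through.
CHANNEL_POLICY = {
    "email": {"CREDIT_CARD", "SSN", "EMAIL", "PHONE"},
    "signal": {"CREDIT_CARD", "SSN", "EMAIL"},
}


def luhn_ok(digits: str) -> bool:
    """Checksum used by payment cards; filters out order numbers and IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str, channel: str) -> str:
    """Replace each enabled PII class with a labelled token."""
    # A channel without a policy gets every pattern applied (fail closed).
    enabled = CHANNEL_POLICY.get(channel, set(PATTERNS))
    for label, pattern in PATTERNS.items():
        if label not in enabled:
            continue

        def repl(m, label=label):
            if label == "CREDIT_CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # long digit run, but not a card number
            return f"[REDACTED: {label}]"

        text = pattern.sub(repl, text)
    return text


# Constructed sample: a test card number, a fictional phone number and SSN.
SAMPLE = ("Card 4111 1111 1111 1111, call +1 415 555 0100 "
          "or mail ada@example.com, SSN 078-05-1120.")
```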

How the layers compose

Consider a message arriving via email from an unknown sender, with the autonomy score at 75:
  1. Channel trust: Email = low trust (0.3)
  2. Dispatch policy: Unknown sender = low contact confidence. Trust score falls below floor → message is held for CEO review. Flow stops here.
Now consider the same message arriving via Signal from a confirmed contact:
  1. Channel trust: Signal = high trust (1.0)
  2. Dispatch policy: Confirmed contact = high confidence. Trust score passes. Rate limits pass. No injection detected. Message proceeds.
  3. Agent autonomy: Score 75 = Approval Required. Agent will present a plan before any consequential action.
  4. Skill action risk: Agent wants to send an email reply (action_risk: medium, min score 70). Score 75 >= 70 → skill executes.
  5. Outbound safety: Email reply passes through PII redaction per email channel policy before sending.
The system is designed so that each layer can be reasoned about independently, but their composition provides defense in depth. Removing any single layer would leave a category of risk unaddressed.
