# Security Model

> How Murmur protects your credentials, isolates tenants, sandboxes agent VMs, and enforces trust boundaries between developers, agents, and orgs.

Murmur treats agent VMs as untrusted. Credentials are encrypted end-to-end, tenants are cryptographically isolated, and the platform enforces strict boundaries between what different components can access.

## Agent VM controls

A coding agent is exposed to the *lethal trifecta*: secret access, untrusted input, and network egress, all at once. Murmur gives you a control for each leg: scope which secrets an agent can reach, control who is allowed to steer it, and apply egress control through customer placements.

See [Agent VM controls](/security/agent-vm-controls).

## Authentication

Developers log in with GitHub. Tenant membership is derived from GitHub org membership — if you're in the org, you can access the tenant. Agents authenticate with short-lived identity tokens scoped to a single session.

See [Authentication](/security/authentication).

## Authorization

Org admins get full access by default. Org members can spawn and manage their own agents. For finer control, define [roles](/catalog/role), create [groups](/catalog/group), and bind them with [tenant-bindings](/catalog/tenant-binding).

See [Authorization](/security/authorization).

## Encryption

Developer credentials are encrypted at rest, re-sealed to each VM's ephemeral key before delivery, and decrypted only in process memory. Each tenant has its own KMS key. Secrets follow the same encryption lifecycle.

See [Encryption](/security/encryption).
