Automation that respects your blast radius

Takuto runs AI agents on real repositories, so isolation is the default — not an afterthought. Here is exactly what contains a run, and what it does not.

Isolation

Each agent runs in its own container

Work is isolated per workflow: a separate container, a separate git worktree, and a separate environment. Ticket descriptions and linked content are untrusted input embedded in prompts, so containerisation limits what a hijacked agent session can touch — it reduces the prompt-injection blast radius rather than trusting the agent to behave.

Egress runs through an allowlist firewall

Outbound traffic is allowlisted by design: only a curated set of hosts is reachable; everything else is denied by default. The default list is wider than just your own tools — it also clears the package registries and developer-documentation sites a coding agent legitimately needs:

  • Your ticketing system — Jira / Atlassian (incl. developer.atlassian.com) or GitHub (incl. docs.github.com)
  • AI provider APIs — Claude, Codex (OpenAI) and Cursor are cleared out of the box for the providers you enable; OpenCode is self-hosted, so its base_url is cleared instead
  • Package registries — npm (plus your .npmrc), crates.io, docs.rs, nodejs.org
  • Common developer docs — rust-lang.org, MDN, Stack Overflow
  • AWS STS / SSO endpoints, for AWS-authenticated runs

The AI-provider hosts follow the providers you enable in available_providers — trim that list to narrow the firewall, or add your own hosts with extra_egress_hosts. Treat the firewall as one layer of defence-in-depth that shrinks the blast radius — not an absolute guarantee; it is still being hardened during beta.
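To make the deny-by-default behaviour concrete, here is an added illustration of how an egress allowlist decision can be evaluated; it is not Takuto's own firewall code, and the matching rule (exact host or a subdomain on a label boundary) is an assumption about how such a list is typically applied. The allowlist below is constructed from the hosts the page names (MDN and Stack Overflow mapped to developer.mozilla.org and stackoverflow.com), the `extra_hosts` parameter plays the role of the page's `extra_egress_hosts` option, and the sample requests are constructed for the demo:

```python
"""Deny-by-default egress allowlist check (added example, not Takuto's code)."""
from urllib.parse import urlsplit

# Constructed from the hosts named on the page; Takuto's real default list may differ.
DEFAULT_EGRESS_HOSTS = frozenset({
    "github.com", "docs.github.com", "developer.atlassian.com",
    "crates.io", "docs.rs", "nodejs.org", "rust-lang.org",
    "developer.mozilla.org", "stackoverflow.com",
})


def normalise_host(raw):
    """Lower-case and drop a trailing root dot so 'docs.rs.' matches 'docs.rs'."""
    return (raw or "").strip().rstrip(".").lower()


def host_allowed(host, allowlist=DEFAULT_EGRESS_HOSTS, extra_hosts=()):
    """Return True only if host is on the allowlist (or a subdomain of an entry).

    Anything not matched is denied: IP literals, look-alike names such as
    'evilgithub.com', and 'github.com.attacker.example' all fall through.
    """
    host = normalise_host(host)
    if not host:
        return False
    allowed = {normalise_host(h) for h in allowlist} | {normalise_host(h) for h in extra_hosts}
    for entry in allowed:
        # Compare on a label boundary: 'api.github.com' matches 'github.com',
        # but 'evilgithub.com' does not, because the suffix must start with '.'.
        if host == entry or host.endswith("." + entry):
            return True
    return False


def url_allowed(url, **kwargs):
    """Parse a URL and apply the host check; only http(s) with a hostname can pass."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return host_allowed(parts.hostname, **kwargs)


def classify_requests(urls, **kwargs):
    """Map each outbound URL to 'ALLOW' or 'DENY' (a minimal audit view of the policy)."""
    return [(u, "ALLOW" if url_allowed(u, **kwargs) else "DENY") for u in urls]


# Constructed sample of outbound requests an agent session might attempt.
SAMPLE_REQUESTS = [
    "https://docs.github.com/en/rest",          # allowed: explicit entry
    "https://api.github.com/repos/org/repo",    # allowed: subdomain of github.com
    "https://crates.io/api/v1/crates/serde",    # allowed: explicit entry
    "https://evilgithub.com/exfil",             # denied: look-alike, not a subdomain
    "https://github.com.attacker.example/",     # denied: allowed name used as a prefix
    "https://203.0.113.9/upload",               # denied: IP literal is not on the list
    "ftp://crates.io/",                         # denied: scheme is not http(s)
]

if __name__ == "__main__":
    for url, verdict in classify_requests(SAMPLE_REQUESTS):
        print(f"{verdict:5} {url}")
    # A self-hosted model endpoint is only reachable once added explicitly.
    print(classify_requests(["https://llm.internal.example/v1"],
                            extra_hosts=("llm.internal.example",)))
```

The point of the look-alike cases is that a suffix check without the leading dot would let `evilgithub.com` through, and a prefix check would let `github.com.attacker.example` through; a deny-by-default list is only as good as its matching rule.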

Defence in depth, not a silver bullet

Isolation reduces risk; it does not eliminate it. Takuto expects a few defaults to be in place so a compromised run cannot do real damage:

Branch protection required

Agents push branches and open PRs — they never commit to main. Enforce branch protection at the Git host so it holds even if an agent misbehaves: require a human approving review before merge.

Scoped, least-privilege credentials

A hijacked agent can only reach what its credentials allow, so scope them tightly — for both your code and your tickets. Prefer a fine-grained GitHub PAT (or a GitHub App) limited to the target repository, and a dedicated Jira service account granted only Browse / Create / Assign on the target projects. Avoid broad OAuth logins and personal or admin tokens: they usually grant far more than a run needs, so a successful prompt injection could read or modify anything that credential can reach.

Untrusted-ticket framing

Ticket text is treated as user-supplied content that could try to override instructions. Branch protection and scoped tokens are the main defence against a malicious description.

Privacy by default

Takuto tracks nobody — neither in the product nor on this website.

  • No usage analytics, no crash reporter, no phone-home, no telemetry.
  • Your code, ticket content, and prompts go only to the AI provider you configure — Takuto itself never collects them.
  • Containerisation means it runs on your machine or your own server: you own the deployment.