Roadmap items (in flight or next up)
AI context scrubbing
What’s missing. When a procedure substitutes {{password}} or {{api_token}} into a prompt that goes to Bedrock, that plaintext enters the model context for that call. The pre-send redaction catches inadvertent leaks — Authorization headers in pasted terminal output, token patterns in attached logs — but a deliberate procedure substitution is, today, not scrubbed.
Why it matters. Bedrock’s contractual terms with Anthropic for inference traffic prohibit training on the data, but the data still enters the model context for the duration of the call. For organizations with the strictest posture, “the secret leaves the device” is the boundary that matters.
What’s being built. A procedure-runtime indirection layer that substitutes a reference into the prompt and resolves the reference at the tool-call boundary, so the model sees {{credentialRef:core-admin}} and the tool call receives the unwrapped secret — the same pattern used today for interactive tool calls.
Interim guidance. For procedures that authenticate to external APIs via substituted secrets, authenticate at the tool-call layer (the credentialRef mechanism) instead of via prompt substitution wherever possible. This is already the default for the built-in SSH, RDP, connector, and MCP tools.
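The indirection pattern described above, as an added illustration that is not Studio’s code: secret placeholders in a procedure template are rewritten to opaque references before the prompt leaves the device, and the reference is only unwrapped on the argument of a tool call. The placeholder syntax, the in-memory credential store, the binding table and the secret values are all constructed for the example; the real resolver sits behind the vault.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed placeholder forms: {{name}} is the legacy prompt-substitution
// placeholder, {{credentialRef:name}} is the reference the model is allowed to see.
var placeholderRe = regexp.MustCompile(`\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}`)
var credentialRefRe = regexp.MustCompile(`\{\{credentialRef:([A-Za-z0-9_-]+)\}\}`)

// CredentialStore maps reference names to secrets. In-memory here for the
// example (constructed); in practice this lookup is behind the vault.
type CredentialStore map[string]string

// RewriteForModel replaces every placeholder that is bound to a credential
// with a reference. Unbound placeholders (hostnames, paths) are left for the
// normal templater. The bindings table is hypothetical.
func RewriteForModel(template string, bindings map[string]string) string {
	return placeholderRe.ReplaceAllStringFunc(template, func(m string) string {
		name := placeholderRe.FindStringSubmatch(m)[1]
		if ref, ok := bindings[name]; ok {
			return "{{credentialRef:" + ref + "}}"
		}
		return m
	})
}

// ResolveForToolCall unwraps references in one tool-call argument at the
// boundary where the call leaves the model context. An unknown reference
// fails the whole call rather than passing the literal token through.
func ResolveForToolCall(arg string, store CredentialStore) (string, error) {
	var missing error
	out := credentialRefRe.ReplaceAllStringFunc(arg, func(m string) string {
		ref := credentialRefRe.FindStringSubmatch(m)[1]
		secret, ok := store[ref]
		if !ok {
			missing = fmt.Errorf("unknown credential reference %q", ref)
			return m
		}
		return secret
	})
	if missing != nil {
		return "", missing
	}
	return out, nil
}

// ContainsSecret is the pre-send check: true if any stored secret appears
// verbatim in the text that is about to go to the model.
func ContainsSecret(text string, store CredentialStore) bool {
	for _, s := range store {
		if s != "" && strings.Contains(text, s) {
			return true
		}
	}
	return false
}

func main() {
	store := CredentialStore{"core-admin": "constructed-example-secret"}
	bindings := map[string]string{"password": "core-admin"}
	prompt := RewriteForModel("Authenticate to {{host}} with {{password}}", bindings)
	fmt.Println("model sees:    ", prompt)
	fmt.Println("leaks secret:  ", ContainsSecret(prompt, store))
	arg, err := ResolveForToolCall("login --password {{credentialRef:core-admin}}", store)
	fmt.Println("tool receives: ", arg, err)
}
```

Because the reference pattern does not match the legacy placeholder pattern, rewriting is idempotent: a template that has already been converted is unchanged by a second pass, and the pre-send check never sees the secret string in the prompt.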
Decryption audit
What’s missing. Every decrypt call carries a purpose: DecryptPurpose parameter, and the Go sidecar already applies additional authenticated data (AAD) binding decrypts to record and purpose. The structured emission of (purpose, recordId, userId, timestamp) events into a per-organization audit log is the next iteration.
Why it matters. Until this lands, decrypt events are observable at the AWS CloudTrail layer (KMS:Decrypt calls against the org CMK) but not at the application layer. CloudTrail answers “did a decrypt happen” but not “which record, for which purpose”.
What’s being built. A dedicated DynamoDB audit table with per-decrypt events, partitioned by organization and queryable by record, user, and time. Retention configured at the organization level.
Interim guidance. Use AWS CloudTrail for KMS audit; use the application’s procedure run history for per-run decrypt purpose (procedure runs record which credentials they unwrapped). Organizations with strict audit requirements can query CloudTrail directly today.
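What AAD binding to record and purpose buys, and what the per-decrypt audit event looks like, as an added example that is not the sidecar’s code: each record is sealed with AES-256-GCM under a DEK, with the record id and the purpose as associated data, so a decrypt request that names a different record or a different purpose fails authentication instead of returning plaintext, and every attempt yields the (purpose, recordId, userId, timestamp) tuple regardless of outcome. The AAD layout, the purpose names, the fixed DEK and the record ids are all constructed for the example; in particular, binding the purpose at seal time is one reading of the design, not a statement of how the sidecar does it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// DecryptPurpose mirrors the purpose parameter every decrypt call carries.
// The concrete names below are constructed for this example.
type DecryptPurpose string

const (
	PurposeTerminalAuth DecryptPurpose = "terminal-auth"
	PurposeProcedureRun DecryptPurpose = "procedure-run"
	PurposeDisplay      DecryptPurpose = "display"
)

// AuditEvent is the (purpose, recordId, userId, timestamp) tuple the audit
// log would receive; Success distinguishes a served decrypt from a refused one.
type AuditEvent struct {
	Purpose   DecryptPurpose
	RecordID  string
	UserID    string
	Timestamp time.Time
	Success   bool
}

// aad builds the associated data that binds a ciphertext to one record and
// one purpose. Length prefixes keep ("ab","c") distinct from ("a","bc");
// ids are assumed shorter than 256 bytes (constructed layout).
func aad(recordID string, purpose DecryptPurpose) []byte {
	b := make([]byte, 0, len(recordID)+len(purpose)+2)
	b = append(b, byte(len(recordID)))
	b = append(b, recordID...)
	b = append(b, byte(len(purpose)))
	b = append(b, string(purpose)...)
	return b
}

// Seal encrypts plaintext under dek, bound to recordID and purpose.
// Output layout is nonce || ciphertext || GCM tag.
func Seal(dek []byte, recordID string, purpose DecryptPurpose, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad(recordID, purpose)), nil
}

// Open decrypts for a stated record and purpose. A mismatch in either fails
// the GCM tag check. The audit event is returned in every case so the caller
// can emit refused attempts as well as served ones.
func Open(dek []byte, recordID, userID string, purpose DecryptPurpose, sealed []byte) ([]byte, AuditEvent, error) {
	ev := AuditEvent{Purpose: purpose, RecordID: recordID, UserID: userID, Timestamp: time.Now().UTC()}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, ev, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, ev, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, ev, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(recordID, purpose))
	if err != nil {
		return nil, ev, fmt.Errorf("decrypt of %s for %s refused: %w", recordID, purpose, err)
	}
	ev.Success = true
	return pt, ev, nil
}

func main() {
	dek := make([]byte, 32) // constructed fixed key; a real DEK comes from KMS
	sealed, _ := Seal(dek, "rec-001", PurposeTerminalAuth, []byte("constructed-secret"))
	_, ev, err := Open(dek, "rec-001", "user-1", PurposeDisplay, sealed)
	fmt.Printf("%+v err=%v\n", ev, err) // refused: purpose does not match
	pt, ev, _ := Open(dek, "rec-001", "user-1", PurposeTerminalAuth, sealed)
	fmt.Printf("%+v plaintext=%s\n", ev, pt)
}
```

The point a reviewer would check is that the refusal path still produces an event: the application-layer record is what CloudTrail cannot supply, and it is most valuable precisely for the decrypts that were asked for and not served.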
Cross-organization audit explorer
What’s missing. The in-app audit surface is per-conversation today. A central “show me every tool call everyone in my organization ran this week” view is not built in.
What’s being built. An organization-scoped audit view that composes application audit, approval decisions, and CloudTrail for KMS events into one surface. Admin-only by default.
Interim guidance. AWS CloudTrail (or CloudTrail Lake) is the cross-organization answer today. Individual procedure run transcripts and conversation transcripts are shareable as artifacts.
Device-side plaintext minimization
What’s missing. Today, the decrypted plaintext of a record (Keychain entry, connector auth, procedure body) is materialized in the Electron renderer process when the record is loaded for display or editing. Plaintext is then observable in the React state tree for the life of the component.
Why it matters. An endpoint-level attacker who executes code in the renderer process has the same observation window as “everything you currently have open.” Today that window is “whenever you’ve viewed the record this session”; after the refactor it will be “only at the exact moment of use.”
What’s being built. A decrypt-on-demand refactor where plaintext is unwrapped at the point of use (the moment a terminal authenticates, the moment a connector request signs, the moment a procedure runs) and discarded immediately after. The DecryptPurpose parameter is the infrastructure for this; the next step is moving every consumer off load-time decryption.
Interim guidance. Lock the desktop session when walking away. EDR and signed-process policies are the right device-level controls.
Data residency beyond us-east-1
What’s missing. Studio is single-tenant SaaS hosted entirely in Altostrat’s AWS account in us-east-1. There is no per-customer deployment, no self-host option, no region selector. Organizations whose data residency requirements forbid us-east-1 cannot use Studio in its current form.
What’s being evaluated. Multi-region availability — adding a second AWS region for tenants with EU or APAC residency requirements. This is a significant build (Bedrock model availability differs by region, KMS keys and DEKs cannot move across regions, all the integration tests have to be re-run against the new endpoints) and we’re not committing a date.
Interim guidance. If us-east-1 residency conflicts with your requirements, talk to us early. We’d rather have the conversation up front than have it during a procurement review.
Encrypted organizational metadata
What’s missing. Hostnames, display names, folder structure, and ownership rows are intentionally plaintext server-side (see vault and keys). They are not secrets but they are sensitive metadata.
What’s the plan. A searchable-encryption design to selectively encrypt categories of metadata where the search/sort cost is acceptable. This is research-grade work, not a near-term roadmap item — listed here for transparency, not as a commitment.
Interim guidance. Treat display names and folder labels as information that does not need to embed sensitive content. Use memories and encrypted fields for the sensitive material.
Out of scope (by design)
These are limits we do not intend to resolve — not because they are unimportant, but because the fix would break something else or because the responsibility belongs elsewhere.

| Limit | Why it’s out of scope |
|---|---|
| Device-while-unlocked compromise. Code running in the signed-in Electron process can observe plaintext keys and data in transit. | The desktop process is the trust boundary. If an attacker runs code on your unlocked workstation, they have already won; cryptography downstream is moot. Endpoint security (EDR, signed software policies, screen locks) is the right control. |
| Operator making a bad approval. An operator who clicks “approve” on a dangerous tool call without reading it is unsafe regardless of our gate. | The gate’s job is to make the consequence visible. Operator discipline is operator discipline. |
| Two operators colluding. Two people with the right roles can agree to do something they shouldn’t. | Audit history, separation-of-duties policy, and HR processes are the right controls. |
| MCP server behavior beyond the approval gate. A hostile MCP can propose tool calls; its responses can include prompt-injection payloads. | The gate is the enforcement point. Admin curation of the connector and MCP catalog is the other control. We cannot enforce arbitrary safety properties on code we don’t run. |
| Carrier or transit metadata leakage. TLS protects content; timing, volume, and metadata leak. | Standard for any cloud-connected software. |
| Quantum-capable adversaries. Current ciphers are not post-quantum. | AWS’s published roadmap will move us when post-quantum KMS becomes operationally available. |
The update-channel trust question
Studio self-updates through electron-updater. Code signing and SHA-512 verification protect the update channel, but the channel itself is a channel. An organization that does not want self-update can disable it at the OS deployment level (MDM policy, group policy) and manage Studio updates through normal software distribution. This is supported; it is not the default because the cost-benefit for most users favors timely security updates.
How to read this page
Don’t treat roadmap items as commitments with dates. They are priorities. They move. When one lands, it leaves this page. When a new limit emerges, it lands here.
Weight the out-of-scope items heavily. They will not change. If an out-of-scope limit is incompatible with your environment, the rest of Studio’s safety story does not compensate.
Be suspicious of any vendor who has no page like this one. Every security architecture has limits. A vendor who does not describe theirs has not done the work or is not being honest about it.
Related
Threat model
The actors and defenses these limits sit next to.
Vault and keys
The cryptographic core that most of these roadmap items extend.