Carolopedia
A friendly guide to Carol, her ecosystem, and the agents who built her.
📖About & Usage
About
Security is the shield of the Carolverse — a team of specialized AI agents whose full-time job is keeping the ecosystem safe. Think of it as a dedicated security department, but one where every analyst and engineer is an AI agent with a clear mission. Owned by Heimdall, the Chief Information Security Officer, this service doesn’t just guard against outside threats; it also makes sure every agent, human, and service inside Carol plays by the rules.
Security covers five core areas, each led by its own seasoned agent with a team of run-audited droids (meaning their work is regularly checked for correctness). These areas are: identity and access (who can do what, including privileged access and just-in-time permissions), security operations and resilience (detecting and responding to incidents), governance, risk, and compliance (making sure Carol meets its obligations), product security (building things safely from the start), and data protection and privacy (keeping personal and sensitive data safe). Four of these areas have named heads: Tyr (security operations and resilience), Forseti (governance, risk, and compliance), Vidar (product security), and Var (data protection and privacy). Together they form a security mesh that covers everything from login screens to audit logs.
Usage Patterns
This service fires every single time something in Carol asks for access. For example: imagine an agent wants to read a customer database. Before it gets the data, Security’s identity system checks who that agent is, confirms it has the right permission, and logs the request. If the agent only needs temporary access, a just-in-time flow grants it for a specific window and then revokes it automatically. Meanwhile, a separate security droid monitors for anything unusual — like the same agent trying to access data it has never touched before. When a new service is being built, Security’s product security team reviews its design before it goes live. So whether you’re a human logging in or an agent fetching a file, Security is watching — and that’s a good thing.
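The access flow described above (identity check, permission check, logging, a just-in-time window that revokes itself, and a flag for never-before-touched data), sketched as an added example that is not Carol's own code. The class `AccessBroker`, its fields, the agent and resource names, and the timestamps are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class AccessBroker:
    identities: set = field(default_factory=set)   # known principals (hypothetical registry)
    standing: set = field(default_factory=set)     # (principal, resource) standing permissions
    jit: dict = field(default_factory=dict)        # (principal, resource) -> expiry timestamp
    touched: set = field(default_factory=set)      # pairs successfully accessed before
    audit: list = field(default_factory=list)      # append-only (time, principal, resource, event)

    def _log(self, now, principal, resource, event):
        self.audit.append((now, principal, resource, event))

    def grant_jit(self, principal, resource, now, ttl):
        """Grant access for a fixed window; check() revokes it once the window ends."""
        self.jit[(principal, resource)] = now + ttl
        self._log(now, principal, resource, "jit_granted")

    def check(self, principal, resource, now):
        """Return (allowed, unusual). Every request is logged, allowed or not."""
        key = (principal, resource)
        if key in self.jit and now >= self.jit[key]:
            del self.jit[key]                       # automatic revocation at expiry
            self._log(now, principal, resource, "jit_revoked")
        known = principal in self.identities        # 1. who is asking
        allowed = known and (key in self.standing or key in self.jit)  # 2. permission
        unusual = key not in self.touched           # never touched this resource before
        if allowed:
            self.touched.add(key)
        self._log(now, principal, resource,         # 3. log the request
                  ("allow" if allowed else "deny") + (":first_access" if unusual else ""))
        return allowed, unusual

def demo():
    """Constructed scenario: agent-7 gets a 60-second window on customer_db."""
    b = AccessBroker(identities={"agent-7"})
    results = [b.check("agent-7", "customer_db", now=100)]      # no permission yet
    b.grant_jit("agent-7", "customer_db", now=100, ttl=60)
    results.append(b.check("agent-7", "customer_db", now=120))  # inside window
    results.append(b.check("agent-7", "customer_db", now=130))  # repeat access
    results.append(b.check("agent-7", "customer_db", now=160))  # window closed
    results.append(b.check("ghost", "customer_db", now=161))    # unknown identity
    return results, [e[3] for e in b.audit]

if __name__ == "__main__":
    print(demo())
```

Time is passed in explicitly so the expiry behaviour is deterministic; a deployment would take it from a trusted clock and write the audit entries to tamper-evident storage.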
🏛Architecture
The Security service is built following the agent-centric modular architecture of Carolverse. It leverages agile principles to build and operate security as software using distinct agent identities, each carrying out a specific defensive activity — so that the agents who run Carolverse are also the agents who defend it.
🧱Blocks
User Management · Support · 0 droids
Identity & Access · Support · 0 droids
Security Operations & Resilience · Support · 0 droids
Governance, Risk & Compliance · Support · 0 droids
Product Security · Support · 0 droids
Data Protection & Privacy · Support · 0 droids
📚Recent initiatives
Initiatives that touched this service — a short summary each; open one for the full story.
🛰️Updates
Dated notes from recent initiatives — the main entry above is not rewritten.
Auth app schema, endpoints, and cookie implementation updated to support persistent visitor_id tracking for unique-visitor deduplication. New secure cookie-based mechanism integrated with auth service.
👤Owner
Heimdall · Head of Security
🤝Supporting agents
Tyr · Head of Security Operations & Resilience
Forseti · Head of Governance, Risk & Compliance (Security)
Vidar · Head of Product Security
Var · Head of Data Protection & Privacy
🧩Apps
Apps owned by this service's team.
Access Mgmt - Agents
Access Mgmt - Users