Algol
Agent authority infrastructure · London · algol.cc

Start with one workflow.
See the authority path.

AI agents, CI/CD workflows, tools, secrets, and delivery systems are gaining authority faster than organisations can govern it. Algol maps how authority moves through real workflows and turns that into evidence security, platform, and audit teams can use.

One workflow → one authority path → one evidence pack

Fast path

Install it, scan a real workflow, inspect where authority crosses trust boundaries.

cargo install taudit
taudit scan .github/workflows/
taudit map .github/workflows/quality.yml

Use a workflow file or directory. Terminal output is the default; JSON and SARIF are available with --format.

Request a Workflow Authority Review.

One workflow. We map the authority path, identify what reached execution, and deliver an evidence pack your security, platform, and audit teams can use.

  • Authority path map
  • Risk-ranked findings
  • Trust boundary notes
  • Secret and identity exposure review
  • Evidence pack
  • Recommended next controls

taudit is free and open source. The review is the paid step — £2,500 starter review.

Proof

Where authority moves.

This is the kind of output we care about: not only whether a secret exists, but which step, action, or identity can reach it across a pipeline boundary.

taudit scan · example
Workflow: .github/workflows/release.yml

Authority graph:
Steps: 16 | Secrets: 1 | Actions: 11 | Identities: 3

Critical:
GITHUB_TOKEN propagated to actions/download-artifact@v4 across a trust boundary

High:
publish token has broad scope: packages: write, id-token: write

Fix: reduce permissions or split the authority boundary
what this means
The workflow gives authority to a lower-trust step.

Known:
First-party build steps need release authority.

Unexpected:
Third-party or mutable steps can reach that authority.

That is the gap.
taudit does not ask you to trust a dashboard.
It gives you inspectable output you can read in the terminal, export as JSON, or ship as SARIF.
What engineers notice when they run taudit
"Even after applying what would traditionally be considered secure pipeline practices — separating workflows, reducing permissions, pinning actions — there were still non-obvious authority paths that only became visible once the workflow was modeled explicitly.

The biggest shift for me was realising CI/CD security isn't just about detecting vulnerable components — it's about understanding how authority propagates across trust boundaries."
Credibility
NVIDIA Inception

Accepted into the NVIDIA Inception programme for AI startups.

Innovate UK

Application submitted. Decision pending.

taudit · public

Open source. AGPL-3.0-or-later. Available on crates.io. GitHub Actions, Azure DevOps, GitLab CI.

Workflow Authority Review

Paid review service. One workflow scope. Evidence pack delivered.

What it is

Small tool. Sharp boundary.

What it does

Builds an authority graph from GitHub Actions workflow YAML.

What you get

Terminal output, JSON, SARIF, or CloudEvents JSONL.

Current scope

GitHub Actions authority: secrets, identities, actions, and trust zones.

How to start

Run locally against a workflow file or directory. No signup.

Technical depth

For people who want the model.

The short version: scanning tells you what exists. Pipeline authority tells you how access can move. That is where trust gets real.

Pipeline authority vs static scanning
Static scanning can find files, patterns, and risky strings. That is useful, but it does not explain how workflow authority propagates. taudit reads pipeline YAML offline and models which steps, actions, secrets, and identities can reach each other.
Current boundary
Current focus is GitHub Actions workflow authority. taudit is not a secret scanner, CVE scanner, policy engine, or runtime monitor. Narrow is deliberate: it keeps the result inspectable and honest.
Why this matters
A workflow can pass a secret scan and still pass authority through a trust boundary. That creates unnecessary blast radius. The first step is not pretending the whole pipeline is secure. The first step is seeing what authority actually moved.
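The difference between finding a secret and tracing what can reach it, as an added example (not taudit's code, model, or output format): a Python walk over a constructed workflow, already parsed from YAML into a dict, that lists which third-party steps can reach the job's write-scoped token and its secrets. The workflow contents, the example/upload action, and all function names are assumptions made for illustration; permissions are assumed to be written as a mapping.

```python
import re

# Constructed sample: a release workflow as it would look after YAML parsing.
WORKFLOW = {
    "permissions": {"contents": "read"},
    "jobs": {
        "publish": {
            "permissions": {"packages": "write", "id-token": "write"},
            "env": {"PUBLISH_TOKEN": "${{ secrets.PUBLISH_TOKEN }}"},
            "steps": [
                {"name": "build", "run": "make release"},
                {"name": "fetch", "uses": "actions/download-artifact@v4"},
                {"name": "pinned", "uses": "example/upload@" + "a" * 40},  # hypothetical action
            ],
        }
    },
}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

def trust_zone(step):
    """Classify a step by who controls the code it runs."""
    uses = step.get("uses")
    if uses is None or uses.startswith("./"):
        return "first-party"
    ref = uses.rpartition("@")[2]
    return "pinned" if re.fullmatch(r"[0-9a-f]{40}", ref) else "mutable"

def secrets_in(mapping):
    return {m for v in (mapping or {}).values() for m in SECRET_REF.findall(str(v))}

def authority_paths(workflow):
    """Return (job, step, zone, reachable authority) for every non-first-party step."""
    findings = []
    for job_name, job in workflow["jobs"].items():
        # Job-level permissions replace the workflow-level block when present.
        perms = job.get("permissions", workflow.get("permissions", {}))
        writes = sorted(k for k, v in perms.items() if v == "write")
        # Workflow- and job-level env is visible to every step, including `uses:` steps.
        job_secrets = secrets_in(workflow.get("env")) | secrets_in(job.get("env"))
        for step in job["steps"]:
            zone = trust_zone(step)
            if zone == "first-party":
                continue
            reach = job_secrets | secrets_in(step.get("env")) | secrets_in(step.get("with"))
            # An action can read the job token via github.token without it being passed.
            token = ["GITHUB_TOKEN(" + ",".join(writes) + ")"] if writes else []
            if reach or token:
                findings.append((job_name, step["name"], zone, token + sorted(reach)))
    return findings
```

Calling authority_paths(WORKFLOW) reports both third-party steps, even though the file contains no hard-coded secret for a pattern-based scan to find; the zone field separates the mutable tag from the SHA-pinned reference.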
Founders
Ryan Tilcock
Co-founder · Technical Founder · Algol
Ryan builds the authority infrastructure behind Algol: CI/CD authority mapping, process-scoped secret execution, controlled execution, agent and tool governance, and audit evidence systems.
Brigitta Makai
Co-founder · Business, Strategy & Operations · Algol
Brigitta turns Algol's technical proof into buyer-readable strategy, commercial positioning, partnerships, operations, and go-to-market motion.