Morpheus is built for organisations that need control, auditability, and deployment flexibility. Standard deployments use secure, trusted cloud model APIs. Dedicated and private deployments are available for organisations with stricter data requirements.
Credentials are encrypted, tool activity is logged, and dedicated/private deployments are available for organisations that require stricter data control.
Infrastructure credentials, API keys, and BYOK keys are stored securely. They are never shown back in the UI after saving and are scoped to authorised connectors only.
Every request, tool call, system accessed, approval granted, and result verified is logged with structured evidence. Accountability built in at every step.
High-risk operations require explicit human confirmation before execution. Two-stage confirmation for firewall changes, database writes, power actions, and destructive operations.
Morpheus treats all external data retrieved from web pages, files, or third-party APIs as untrusted. It processes this data without interpreting it as instruction overrides.
Morpheus physically tests live services, websites, and databases to collect real execution evidence before reporting a task complete.
Interactive tasks, software compilation, and local script runs occur inside isolated ephemeral sandbox environments, keeping host systems clean and safe.
Morpheus is built with deterministic guardrails that guarantee execution safety and prevent fabricated completion claims.
State is carried across turns, surviving sandbox resets and credit pauses. High-priority tasks are tracked checkbox-by-checkbox via server-side logs.
Morpheus is strictly barred from reporting success unless the primary deliverable is physically verified via tool execution. Specific outcomes must come from direct tool outputs.
Every change is validated immediately using independent verification loops, such as HTTP checks, file reads, and service health queries.
Built-in loop guards detect and halt repetitive tool-calls automatically, while per-turn caps checkpoint long tasks safely.
If user scope changes mid-task, Morpheus automatically re-computes the remaining phases without starting over.
Every single tool invocation, parameter, and response is recorded in a chronological ledger, providing a complete, immutable audit trail.
Standard Morpheus deployments use secure, trusted premium cloud models for high-quality reasoning and execution. This means task context is processed under strict enterprise-ready data handling terms.
For teams with absolute data sovereignty mandates, Morpheus supports private data plane deployments, keeping all execution context entirely within your own cloud boundary.
Infrastructure credentials, API keys, and BYOK keys are stored securely and scoped to the appropriate user, tenant, or client workspace. They are never exposed after saving.
Morpheus enforces strict multi-tenant separation across users, tenants, and MSP client workspaces. Credentials never cross boundaries.
Execution paths are strictly isolated. Critical system commands are routed through specialized connectors and secure execution boundaries.
For customers who don't want Morpheus to reach into their network from the cloud, the Remote Gateway flips the direction: a small Linux agent inside your network connects outbound to Morpheus Cloud. Nothing is exposed to the internet.
Single outbound TLS WebSocket on 443 to app.morpheus.diy. No SSH, WinRM, RDP, hypervisor management, database, or internal-API ports need to be opened. A bundled morpheus-gateway verify-outbound-only CLI parses ss -ltn and refuses to lie about it.
Cloud Vault (default) โ credentials live in Morpheus Cloud's Vault, sealed at rest with cloud KMS, and ship inline over the encrypted WS for each call. Memory only on the gateway. Local credential mode (alpha) keeps credentials sealed on the gateway VM with ChaCha20-Poly1305; the cloud only sees references.
The agent generates an Ed25519 keypair locally during enrollment. The public key + SHA-256 fingerprint are stored cloud-side and shown in the admin UI. A separate long-lived bearer credential authenticates each WebSocket handshake; only the SHA-256 of the credential is stored.
The gateway agent enforces a customer-controlled policy.yaml that can deny tools by glob, deny egress CIDRs, lock the gateway to one tenant + workspace, enforce read-only mode, and apply maintenance windows. Cloud says yes; local can still say no.
Every executed tool call writes a redacted JSONL line to /var/log/morpheus-gateway/audit.jsonl. Credentials are scrubbed using each tool's redact_args declaration. Logrotate ships in the package. Cloud audit and local audit share correlation IDs.
The agent runs as a non-root morpheus-gateway system user (no shell) with NoNewPrivileges, ProtectSystem=strict, empty CapabilityBoundingSet and AmbientCapabilities, restricted address families, SystemCallFilter=@system-service, and tight ReadWritePaths.
Toggleable from the cloud console at any time. The agent receives the new flag live (no reconnect needed). Dry-run accepts every tool call, runs policy + argument checks, and returns a structured "would have executed" payload instead of invoking vendor code. Build trust before flipping execution on.
Set cert_pin_sha256 in the gateway's config to reject any TLS handshake whose leaf certificate doesn't match. Defends against TLS-inspection proxies you don't want re-encrypting the gateway traffic mid-flight.
The cloud checks tenant + workspace scope before dispatching to a gateway. The gateway independently rejects any inbound execute request whose tenant or workspace doesn't match what it was enrolled into. Two independent checks; a bug in one can't leak across tenants.
Every gateway release is signed with Sigstore keyless cosign. We do not hold a private signing key; signatures are anchored to a public OIDC identity bound to our GitHub Actions release workflow, and every signature is recorded in Rekor, Sigstore's public transparency log.
The installer enforces verification before it executes anything: it downloads a pinned cosign binary, verifies its SHA-256 against a hash embedded in the script, fetches the release tarball and bundle from our R2 CDN, then runs cosign verify-blob against the workflow identity. If any step fails the installer exits with no side effects.
These values are published in three independent channels โ this page, docs/gateway/verification.md in the public repo, and inline at the top of https://app.morpheus.diy/gateway/install.sh. Cross-checking any two before installing catches a compromise of any single channel.
Auto-update is deliberately not shipped. The agent inside your network is never silently updated by us โ re-running the install command is the only path. We consider this a security feature, not a missing one.
Morpheus does not apply changes to sensitive systems without explicit human confirmation. The approval workflow is built into the execution model โ not bolted on as an afterthought.
Rule additions, modifications, and deletions require two-stage confirmation. Morpheus previews the exact change before applying.
DDL statements and destructive queries require explicit approval. SELECT queries run freely. Write operations are previewed first.
Physical server power-off, restart, and reset via Redfish/BMC require explicit confirmation before execution.
VM termination, data deletion, S3 object removal, and similar irreversible actions require explicit user approval.
Remote script execution, PowerShell commands, and software deployments across client endpoints require explicit review and confirmation.
Initiating vulnerability scans, locking/wiping devices via MDM (Jamf, Intune), and changing security policies require explicit approval.
Software installation on Windows hosts via WinRM requires approval before execution.
Stopping or restarting Windows services via WinRM requires approval confirmation before the action is taken.
Morpheus builds a detailed, structured audit trail for every single session. Perfect for change control reviews, client handovers, internal compliance, and general operational visibility. Agency/MSP tenants can filter audit logs by client workspace and use strict client-only mode when preparing reports for a specific client.
Request Early AccessWhat was asked, by whom, and when
Which model route handled the request and why
Every tool called, with parameters and results
What was approved, by whom, and what was verified
Morpheus supports organisations at every point on the data control spectrum. Standard deployments use secure cloud APIs. Private deployments give organisations full control.
Tenant-separated workspace. Uses trusted API model providers. Fastest to start. Suitable for most individuals, teams, and agencies.
Connect your own approved reasoning and execution model keys. Direct billing with model providers. Full visibility over model usage.
Dedicated infrastructure, private cloud, or on-premises deployment. Regional data residency options. Stricter data control for regulated organisations.
We work with organisations that have specific data control, audit, and deployment requirements. Tell us what you need.
Get in Touch