Blame
|
1 | # KAEL Safety |
||||||
| 2 | ||||||||
| 3 | KAEL combines generated output, persistent state, identity, external integrations, and permissioned tools. Safety therefore depends on access control and system design—not only model prompting. |
|||||||
| 4 | ||||||||
| 5 | | Field | Value | |
|||||||
| 6 | |---|---| |
|||||||
| 7 | | Documentation status | Active | |
|||||||
| 8 | | Applies to | KAEL clients, API integrations, operators, and tenants | |
|||||||
| 9 | | Last source review | 2026-06-26 | |
|||||||
| 10 | ||||||||
| 11 | ## Core rules |
|||||||
| 12 | ||||||||
| 13 | 1. The server calculates clearance; clients do not grant it. |
|||||||
| 14 | 2. Operator tokens, tenant keys, provider keys, cookies, and webhook secrets never belong in public code. |
|||||||
| 15 | 3. Tool access must be narrower than conversational access. |
|||||||
| 16 | 4. A generated statement is not proof that an action occurred. |
|||||||
| 17 | 5. Destructive or external actions require explicit authorization and auditable results. |
|||||||
| 18 | 6. Users need controls for history and memory. |
|||||||
| 19 | ||||||||
| 20 | ## Clearance |
|||||||
| 21 | ||||||||
| 22 | KAEL can use anonymous identity, authenticated identity, Passport data, ARM memberships, invites, tenants, and operator records to determine access. |
|||||||
| 23 | ||||||||
| 24 | Clearance can affect: |
|||||||
| 25 | ||||||||
| 26 | - Daily message limits. |
|||||||
| 27 | - Available models. |
|||||||
| 28 | - Available tools. |
|||||||
| 29 | - Access to persistent context. |
|||||||
| 30 | - Operator-only endpoints. |
|||||||
| 31 | ||||||||
| 32 | Do not reproduce clearance logic in a client as an authorization boundary. |
|||||||
| 33 | ||||||||
| 34 | ## Prompt and tool separation |
|||||||
| 35 | ||||||||
| 36 | Untrusted text—including webpages, user messages, uploaded files, Discord messages, and retrieved documents—must be treated as data. It must not silently override tool policies or operator authorization. |
|||||||
| 37 | ||||||||
| 38 | Tool implementations should validate: |
|||||||
| 39 | ||||||||
| 40 | - The resolved identity. |
|||||||
| 41 | - The required clearance. |
|||||||
| 42 | - Arguments and target resources. |
|||||||
| 43 | - Whether the action is read-only or mutating. |
|||||||
| 44 | - Whether confirmation is required. |
|||||||
| 45 | ||||||||
| 46 | ## Memory and privacy |
|||||||
| 47 | ||||||||
| 48 | - Store only data needed for a user-facing feature. |
|||||||
| 49 | - Avoid secrets and high-risk personal data. |
|||||||
| 50 | - Keep signed-in and visitor-scoped memory separate. |
|||||||
| 51 | - Expose deletion controls. |
|||||||
| 52 | - Do not show one user’s memory or history to another. |
|||||||
| 53 | ||||||||
| 54 | ## Integrations |
|||||||
| 55 | ||||||||
| 56 | - Verify Discord interaction signatures. |
|||||||
| 57 | - Verify deployment webhook HMAC signatures. |
|||||||
| 58 | - Restrict CORS to intended browser origins for credentialed requests. |
|||||||
| 59 | - Rate-limit authentication, chat, agent, and webhook surfaces. |
|||||||
| 60 | - Log authorization failures without logging credentials. |
|||||||
| 61 | ||||||||
| 62 | ## Incident response |
|||||||
| 63 | ||||||||
| 64 | If a credential appears in source, logs, screenshots, or documentation: |
|||||||
| 65 | ||||||||
| 66 | 1. Revoke or rotate it at the provider. |
|||||||
| 67 | 2. Remove it from active configuration and repository history. |
|||||||
| 68 | 3. Review access logs and affected actions. |
|||||||
| 69 | 4. Replace it with an environment or secret-manager reference. |
|||||||
| 70 | 5. Document the incident without reproducing the secret. |
|||||||
| 71 | ||||||||
| 72 | ## Reporting |
|||||||
| 73 | ||||||||
| 74 | Report suspected security issues through [aethex.support](https://aethex.support). Do not post active credentials in Discord or a public issue. |
|||||||