Prox OS Internal Docs
TrustSecurityAI

Alma Security

Alma is currently a UI and local workflow prototype. It does not call real

Status

Alma is currently a UI and local workflow prototype. It does not call real providers, store API keys in a secure vault, or execute backend tools.

API Keys

The current BYOK dialog stores a local prototype value. This is not production key management.

Production direction:

  • secure vault
  • secret redaction
  • provider adapter boundary
  • no raw key in model context
  • no key in console logs
  • no key in audit logs
  • user-controlled deletion

Prompt Injection Boundary

Untrusted content cannot become system instruction. This includes app content, web content, documents, artifacts, community content, and connector data.

Alma should treat untrusted content as data and require explicit promotion before it becomes trusted instruction.

Permission And Confirmation

Low-risk actions can be auto allowed when visible in logs.

Medium-risk actions should ask every time or use lightweight confirmation.

High-risk actions such as publish, share, deploy, and external write should be disabled until strong confirmation, policy, and audit exist.

Future Backend Security

Future apps/api-worker can provide:

  • provider adapters
  • model router
  • secure key vault
  • audit sink
  • tool registry
  • workflow execution service
  • permission policy engine
  • artifact storage
  • app publishing pipeline

Those services must avoid exposing secrets to model context and must preserve action auditability.

Current Non-goals

  • No real provider SDK.
  • No /ai/chat route.
  • No database table.
  • No production secret storage.
  • No queue, cron, or long-running worker.

On this page