Alma Security
Alma is currently a UI and local workflow prototype. It does not call real
Status
Alma is currently a UI and local workflow prototype. It does not call real providers, store API keys in a secure vault, or execute backend tools.
API Keys
The current BYOK dialog stores a local prototype value. This is not production key management.
Production direction:
- secure vault
- secret redaction
- provider adapter boundary
- no raw key in model context
- no key in console logs
- no key in audit logs
- user-controlled deletion
Prompt Injection Boundary
Untrusted content cannot become system instruction. This includes app content, web content, documents, artifacts, community content, and connector data.
Alma should treat untrusted content as data and require explicit promotion before it becomes trusted instruction.
Permission And Confirmation
Low-risk actions can be auto allowed when visible in logs.
Medium-risk actions should ask every time or use lightweight confirmation.
High-risk actions such as publish, share, deploy, and external write should be disabled until strong confirmation, policy, and audit exist.
Future Backend Security
Future apps/api-worker can provide:
- provider adapters
- model router
- secure key vault
- audit sink
- tool registry
- workflow execution service
- permission policy engine
- artifact storage
- app publishing pipeline
Those services must avoid exposing secrets to model context and must preserve action auditability.
Current Non-goals
- No real provider SDK.
- No
/ai/chatroute. - No database table.
- No production secret storage.
- No queue, cron, or long-running worker.