Security Model
Assume-breach design, fail-closed, Ed25519 attestation chain
Pramiti's security model is built on the assumption that the LLM will be compromised. Enforcement is external to the model, deterministic, and operates at the action layer.
Assume Breach
The core design principle: prompt injection may never be fully patched. Therefore:
- The LLM is treated as an untrusted component
- All enforcement happens outside the LLM, in deterministic code
- The policy engine has no LLM dependency — same inputs always produce same outputs
- SQL validation runs against the actual schema, not LLM-generated metadata
Fail-Closed Design
When components fail, the system blocks rather than allows:
| Failure | Behavior |
|---|---|
| Policy engine cannot evaluate | Default verdict: DENY |
| LLM unavailable | Return "I cannot answer" (not a guess) |
| Schema drift detected | Confidence scores degrade |
| Attestation signing fails | Action blocked |
| Database unavailable | All requests fail (no cache fallback for writes) |
Authentication
API Authentication
| Method | Mechanism | Use Case |
|---|---|---|
| JWT | epistom_token cookie or Authorization: Bearer header | Browser and programmatic access |
| API Keys | ek_* prefix, SHA-256 hashed | Programmatic access with per-key rate limits |
| SAML SSO | Standard SAML 2.0 flow | Enterprise SSO |
| Azure AD | OAuth 2.0 OIDC | Microsoft ecosystem |
| Demo mode | X-Demo-User header | Local development only |
CSRF Protection
Active when auth_mode != "demo". Frontend sends X-Epistom-CSRF: 1 on mutating methods.
Rate Limiting
Per-key rate limiting with priority resolution:
- Demo user header (demo mode)
- API key hash (SHA-256 prefix)
- X-Forwarded-For header
- Remote IP address
Redis is required for consistent rate limiting across multiple API pods.
Attestation Chain
Every Aegis decision produces an Ed25519-signed attestation record:
- Payload hashing — SHA-256 of the action arguments
- Impact hashing — SHA-256 of the blast radius computation
- Message construction — Deterministic concatenation of all material fields
- Ed25519 signing — Asymmetric signature (customers cannot forge)
- Append-only storage — Database trigger prevents UPDATE/DELETE
The attestation includes: verdict, tool name, agent ID, payload hash, impact hash, constraint IDs, delegation fields, evidence classification, and timestamp.
Audit Trail
Two append-only tables provide a complete audit trail:
| Table | Protection | Content |
|---|---|---|
| aegis_attestations | Database trigger + Ed25519 | Every policy decision |
| audit_logs | Database trigger + HMAC-SHA256 | Every API request |
Both tables prevent UPDATE and DELETE at the database level. Even a database administrator with direct SQL access cannot modify records.
Safety Invariant (SI-1)
Auto-resolved entities are read-only. Writes require steward-confirmed resolution.
This prevents agents from acting on potentially incorrect semantic mappings that were auto-discovered but not yet verified by a human.
Credential Security
- Connection credentials are encrypted at rest with Fernet encryption
- Signing keys are stored as environment variables or Kubernetes secrets
- API keys are stored as SHA-256 hashes (plaintext never persisted after creation)
- SAML SP certificates use dedicated file paths, not environment variables