Skip to content

Security Model

diegokoes edited this page Jul 5, 2026 · 1 revision

Security Model

The posture in one place. Details link out to their own pages.

Secrets from the environment only

Tokens, API keys, the DB URL, and the session secret are resolved from the environment, never stored in the database. Source tokens resolve by source slug (FRESHDESK_TOKEN_<SLUG>, and so on). .env is git-ignored. The settings table holds only non-secret runtime config; GET /api/system reports whether a secret is set, never its value.

Authentication and roles

/api/* requires a session or the bearer; only /health, the SPA shell, and /api/setup/status are public. An unauthenticated, un-bootstrapped instance binds to 127.0.0.1 only, so it is never exposed before an admin exists. Admin-only mutations return 403 for members. The bearer comparison is timing-safe; password attempts are throttled. See Authentication and Users.

Customer-blind index

Customer identity lives on work_items, never in the knowledge search text or the embedding, so retrieval matches on the fault, not on who reported it. See Data Model.

Agent tool allowlist

The server-side agent gets only the tachý MCP tools. Every built-in file, shell, and web tool is disabled two ways: an explicit disallowedTools list, and a default-deny in canUseTool for anything not prefixed mcp__tachy__. So the agent cannot touch the filesystem or shell and never prompts to "edit a file." Read tools auto-run; write tools (save_*, update_*, add_*, post_private_note) are held for a human approval in the Chat UI. An unknown tachý tool is treated as a write, never silently run.

Optional PII and secret redaction

Customer personal data and credentials can be scrubbed before data reaches any model, at the provider-neutral MCP boundary, per connection or deployment-wide. Off by default. Only the model-facing copy is scrubbed; the database keeps full data. See Compliance and Redaction.

Never write back publicly

post_private_note (Freshdesk private notes) is the only write-back tool. tachý never sends customer-facing messages; for GitHub, write-back is refused because comments are public. Draft text is handed to the user to post manually.

Handling ticket data

Database dumps contain real ticket data; keep them off any shared or synced folder (backups/ is git-ignored). Never commit real ticket data, tokens, customer names, or internal URLs. Redaction placeholders are opaque and must never be reconstructed. See also SECURITY.md in the repo root for reporting.

Clone this wiki locally