-
Notifications
You must be signed in to change notification settings - Fork 0
Security Model
The posture in one place. Details link out to their own pages.
Tokens, API keys, the DB URL, and the session secret are resolved from the
environment, never stored in the database. Source tokens resolve by source slug
(FRESHDESK_TOKEN_<SLUG>, and so on). .env is git-ignored. The
settings table holds only non-secret runtime config;
GET /api/system reports whether a secret is set, never its value.
/api/* requires a session or the bearer; only /health, the SPA shell, and
/api/setup/status are public. An unauthenticated, un-bootstrapped instance
binds to 127.0.0.1 only, so it is never exposed before an admin exists.
Admin-only mutations return 403 for members. The bearer comparison is
timing-safe; password attempts are throttled. See
Authentication and Users.
Customer identity lives on work_items, never in the knowledge search text or
the embedding, so retrieval matches on the fault, not on who reported it. See
Data Model.
The server-side agent gets only the tachý MCP tools. Every
built-in file, shell, and web tool is disabled two ways: an explicit
disallowedTools list, and a default-deny in canUseTool for anything not
prefixed mcp__tachy__. So the agent cannot touch the filesystem or shell and
never prompts to "edit a file." Read tools auto-run; write tools (save_*,
update_*, add_*, post_private_note) are held for a human approval in the
Chat UI. An unknown tachý tool is treated as a write, never silently run.
Customer personal data and credentials can be scrubbed before data reaches any model, at the provider-neutral MCP boundary, per connection or deployment-wide. Off by default. Only the model-facing copy is scrubbed; the database keeps full data. See Compliance and Redaction.
post_private_note (Freshdesk private notes) is the only write-back tool. tachý
never sends customer-facing messages; for GitHub, write-back is refused because
comments are public. Draft text is handed to the user to post manually.
Database dumps contain real ticket data; keep them off any shared or synced
folder (backups/ is git-ignored). Never commit real ticket data, tokens,
customer names, or internal URLs. Redaction placeholders are opaque and must
never be reconstructed. See also SECURITY.md in the repo root for reporting.
tachý - self-hosted knowledge engine for work items. README · AGPL-3.0-or-later
Design
Subsystems
Platform
Security