84 lines
4.6 KiB
HTML
Raw Normal View History

<div class="docs-content" data-render>
# Security and limits
The controls that keep Devii safe and bounded. See also [Data and persistence](/docs/devii-data.html) and [Configuration and CLI](/docs/devii-config.html).
## Per-account memory isolation
The self-learning lesson store is **owner-scoped and never shared**. Each session gets a
`LessonStore` filtered by `(owner_kind, owner_id)` - the main DB for signed-in users, a private
in-memory DB for guests. One account can never recall another account's lessons. The user purges
their own memory with the `forget_lessons` tool (clear all, or only lessons matching a query). The
system prompt forbids storing credentials, passwords, API keys, or secrets in a lesson.
## Spending limits
Spend is capped per owner over a rolling 24 hours, read from `devii_usage_ledger` (the authoritative
source). The admin-configurable caps are `devii_user_daily_usd`, `devii_guest_daily_usd`, and
`devii_admin_daily_usd` (default `0` = unlimited, so administrators are exempt by default). The cap
is checked before each turn; a turn already over the limit is refused. The spend from scheduled-task
runs and from cancelled or interrupted turns is recorded to the ledger and counted against the cap,
not forgiven. Pricing is configurable (`devii_price_*`) and applied per turn.
## JavaScript execution toggle
The `client` handler can run JavaScript in the user's own browser (`run_js`) for live tutorials and
demos. This is gated by the `devii_allow_eval` config field (default on); when off, `run_js` is
refused while the other client tools (navigate, reload, highlight, toast, context) still work.
## Admin-only analytics
Site-wide analytics is a documented, admin-secured HTTP endpoint - `GET /admin/analytics` (returns
JSON, 403 for non-admins; see the [Admin API](/docs/admin.html)). Devii reaches it through the normal
`site_analytics` catalog tool, so the platform enforces admin access; the agent never queries the
database directly for it.
## Primary-administrator-only database tools
The read-only database tools (`db_list_tables`, `db_table_schema`, `db_list_rows`, `db_get_row`,
`db_query`, `db_design_query`) carry `requires_primary_admin=True`, so they are offered only to the
**primary administrator** (the oldest Admin account). Their schema is withheld from every other
session and the dispatcher independently refuses them, so a member, a guest, or a junior admin never
sees them and Devii is unaware they exist. They are strictly read-only (SELECT-validated) and never
write to the database.
## Web fetch
`fetch_url` sends realistic browser headers, reduces pages to text, caps size, and refuses private,
loopback, and link-local addresses (an SSRF guard) unless explicitly allowed, limiting the blast
radius of a prompt-injected page. `http_request` (arbitrary external API calls) and `attach_url`
(storing a remote file as an attachment) share the same SSRF guard and size cap, so neither can be
forged into a request against internal addresses. `attach_url` runs the downloaded bytes through the
normal upload validation (allowed types, size limit) before storing them.
## Email
The `email_*` tools are restricted to signed-in users (never guests) and gated by
`devii_email_enabled`. Each IMAP/SMTP host is resolved and checked against the same SSRF guard
(private, loopback, link-local addresses refused) before any connection, so a saved account cannot
be pointed at an internal service to probe the network. Credentials live per owner in
`email_accounts`, scoped to `(owner_kind, owner_id)` like every other Devii store; a tool never
returns the stored password (it reports only whether one is set). Sending mail (`email_send`) is a
real outbound action the system prompt tells Devii to confirm with the user first, and deleting a
message (`email_delete_message`) or removing a saved account (`email_account_delete`) is
confirmation-gated by the dispatcher.
## Confidentiality
The system prompt instructs Devii never to disclose the underlying AI model, provider, inference
endpoint, or any backend URL or infrastructure detail, even when such values appear inside a tool
result, and to omit the model name when reporting cost.
## Audit trail
Every turn is recorded in `devii_turns` (owner, username, timestamps, truncated prompt and reply,
iterations, tool-call count, cost, and any error), giving administrators a complete account-scoped
history.
## Account scope
A signed-in user's Devii operates that user's **own** account via the platform API with their API
key, so it has exactly the permissions that user has (admins included). It cannot exceed the
account's authority; the platform enforces every action.
</div>