|
<div class="docs-content" data-render>
|
|
# Security and limits
|
|
|
|
The controls that keep Devii safe and bounded. See also [Data and persistence](/docs/devii-data.html) and [Configuration and CLI](/docs/devii-config.html).
|
|
|
|
## Per-account memory isolation
|
|
|
|
The self-learning lesson store is **owner-scoped and never shared**. Each session gets a
|
|
`LessonStore` filtered by `(owner_kind, owner_id)` - the main DB for signed-in users, a private
|
|
in-memory DB for guests. One account can never recall another account's lessons. The user purges
|
|
their own memory with the `forget_lessons` tool (clear all, or only lessons matching a query). The
|
|
system prompt forbids storing credentials, passwords, API keys, or secrets in a lesson.
|
|
|
|
## Spending limits
|
|
|
|
Spend is capped per owner over a rolling 24 hours, read from `devii_usage_ledger` (the authoritative
|
|
source). The admin-configurable caps are `devii_user_daily_usd`, `devii_guest_daily_usd`, and
|
|
`devii_admin_daily_usd` (default `0` = unlimited, so administrators are exempt by default). The cap
|
|
is checked before each turn; a turn already over the limit is refused. The spend from scheduled-task
|
|
runs and from cancelled or interrupted turns is recorded to the ledger and counted against the cap,
|
|
not forgiven. Pricing is configurable (`devii_price_*`) and applied per turn.
|
|
|
|
## JavaScript execution toggle
|
|
|
|
The `client` handler can run JavaScript in the user's own browser (`run_js`) for live tutorials and
|
|
demos. This is gated by the `devii_allow_eval` config field (default on); when off, `run_js` is
|
|
refused while the other client tools (navigate, reload, highlight, toast, context) still work.
|
|
|
|
## Admin-only analytics
|
|
|
|
Site-wide analytics is a documented, admin-secured HTTP endpoint - `GET /admin/analytics` (returns
|
|
JSON, 403 for non-admins; see the [Admin API](/docs/admin.html)). Devii reaches it through the normal
|
|
`site_analytics` catalog tool, so the platform enforces admin access; the agent never queries the
|
|
database directly for it.
|
|
|
|
## Primary-administrator-only database tools
|
|
|
|
The read-only database tools (`db_list_tables`, `db_table_schema`, `db_list_rows`, `db_get_row`,
|
|
`db_query`, `db_design_query`) carry `requires_primary_admin=True`, so they are offered only to the
|
|
**primary administrator** (the oldest Admin account). Their schema is withheld from every other
|
|
session and the dispatcher independently refuses them, so a member, a guest, or a junior admin never
|
|
sees them and Devii is unaware they exist. They are strictly read-only (SELECT-validated) and never
|
|
write to the database.
|
|
|
|
## Web fetch
|
|
|
|
`fetch_url` sends realistic browser headers, reduces pages to text, caps size, and refuses private,
|
|
loopback, and link-local addresses (an SSRF guard) unless explicitly allowed, limiting the blast
|
|
radius of a prompt-injected page. `http_request` (arbitrary external API calls) and `attach_url`
|
|
(storing a remote file as an attachment) share the same SSRF guard and size cap, so neither can be
|
|
forged into a request against internal addresses. `attach_url` runs the downloaded bytes through the
|
|
normal upload validation (allowed types, size limit) before storing them.
|
|
|
|
## Email
|
|
|
|
The `email_*` tools are restricted to signed-in users (never guests) and gated by
|
|
`devii_email_enabled`. Each IMAP/SMTP host is resolved and checked against the same SSRF guard
|
|
(private, loopback, link-local addresses refused) before any connection, so a saved account cannot
|
|
be pointed at an internal service to probe the network. Credentials live per owner in
|
|
`email_accounts`, scoped to `(owner_kind, owner_id)` like every other Devii store; a tool never
|
|
returns the stored password (it reports only whether one is set). Sending mail (`email_send`) is a
|
|
real outbound action the system prompt tells Devii to confirm with the user first, and deleting a
|
|
message (`email_delete_message`) or removing a saved account (`email_account_delete`) is
|
|
confirmation-gated by the dispatcher.
|
|
|
|
## Confidentiality
|
|
|
|
The system prompt instructs Devii never to disclose the underlying AI model, provider, inference
|
|
endpoint, or any backend URL or infrastructure detail, even when such values appear inside a tool
|
|
result, and to omit the model name when reporting cost.
|
|
|
|
## Audit trail
|
|
|
|
Every turn is recorded in `devii_turns` (owner, username, timestamps, truncated prompt and reply,
|
|
iterations, tool-call count, cost, and any error), giving administrators a complete account-scoped
|
|
history.
|
|
|
|
## Account scope
|
|
|
|
A signed-in user's Devii operates that user's **own** account via the platform API with their API
|
|
key, so it has exactly the permissions that user has (admins included). It cannot exceed the
|
|
account's authority; the platform enforces every action.
|
|
</div>
|