Threat Model
Traditional applications operate within relatively predictable execution environments. Autonomous agents introduce a different threat model entirely: dynamic tool usage, prompt-driven behavior, delegated permissions, and external workflow chaining. Ephos is designed specifically to minimize credential exposure within these autonomous execution paths.
This document outlines the potential attack vectors against AI agent credentials and explains how Ephos mitigates these risks through its architecture.
Core Assumptions
- Users follow security best practices for their Master Passphrase.
- Clerk's authentication infrastructure is trusted for identity verification.
- Cloudflare's V8 isolate sandboxing is trusted to provide strong process isolation and ephemeral execution boundaries between requests.
Attack Vectors & Mitigations
| VECTOR | POTENTIAL IMPACT | EPHOS MITIGATION |
|---|---|---|
| Prompt Injection | Agent exfiltrates raw .env secrets to an attacker. | Agent only has scoped Ephos Tokens; raw keys never enter the agent's context. |
| Server Compromise | Database leak of all stored API keys. | Zero-knowledge storage; encrypted blobs are unreadable without user passphrases. |
| Token Theft | Stolen token used to drain API balance or exfiltrate data. | Domain whitelisting restricts token use to authorized hostnames only. |
| Runtime Memory Dump | Decrypted keys scraped from ephemeral memory. | Secrets are decrypted only during transient in-memory execution inside isolated Ephos Enclaves and are wiped immediately after request completion. |
| Echo-Attack | Third-party API leaks the key back in a response body. | Automated response scrubbing redacts any sensitive patterns before return. |
Trust Boundaries
Ephos explicitly defines where trust begins and ends:
- User-Side: You trust your browser and your passphrase memory. Ephos never touches the unencrypted secret here.
- Transit: You trust TLS encryption. Ephos only transmits encrypted blobs.
- Execution: You trust the Ephos Enclave to handle the secret in Ephemeral Memory during Ephemeral Execution and wipe it prior to worker termination.