Threat Model
This document outlines the potential attack vectors against AI agent credentials and explains how Ephos mitigates these risks through its architecture.
Core Assumptions
- Users follow security best practices for their Master Passphrase.
- Clerk's authentication infrastructure is trusted for identity verification.
- Cloudflare's runtime isolation is trusted for volatile memory handling.
Attack Vectors & Mitigations
| VECTOR | POTENTIAL IMPACT | EPHOS MITIGATION |
|---|---|---|
| Prompt Injection | Agent exfiltrates raw .env secrets to an attacker. | Agent only has scoped Ephos Tokens; raw keys never enter the agent's context. |
| Server Compromise | Database leak of all stored API keys. | Zero-knowledge storage; encrypted blobs are unreadable without user passphrases. |
| Token Theft | Stolen token used to drain API balance or exfiltrate data. | Domain whitelisting restricts token use to authorized hostnames only. |
| Runtime Memory Dump | Decrypted keys scraped from server RAM. | Secrets exist in RAM for milliseconds; isolation via Cloudflare Workers prevents cross-request leaks. |
| Echo-Attack | Third-party API leaks the key back in a response body. | Automated response scrubbing redacts any sensitive patterns before return. |
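As an added illustration of the Token Theft and Echo-Attack rows above (example code, not Ephos's own; the token shape, its `allowed_hosts` field and the 16-character fragment threshold are assumptions), this shows the two enclave-side checks a proxied call would go through: refuse a host outside the token's allowlist, then redact every form in which the upstream response might echo the key, including base64, hex and partial fragments.

```python
import base64
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

REDACTED = "[REDACTED]"
MIN_FRAGMENT = 16  # shortest echoed piece of a key worth redacting (assumed threshold)


@dataclass(frozen=True)
class ScopedToken:
    """Hypothetical scoped token; the real Ephos token format is not described on this page."""
    token_id: str
    allowed_hosts: FrozenSet[str]  # hostnames the token may be exercised against
    secret: str  # upstream API key, decrypted only inside the enclave, never shown to the agent


def host_allowed(token: ScopedToken, url: str) -> bool:
    """Domain whitelisting: a stolen token is useless against hosts outside its allowlist."""
    host = (urlsplit(url).hostname or "").lower()
    return host in token.allowed_hosts


def secret_forms(secret: str) -> List[str]:
    """Forms an upstream response might echo the key in: raw, base64, hex, and long fragments."""
    forms = {secret, base64.b64encode(secret.encode()).decode()}
    hex_form = secret.encode().hex()
    forms.update({hex_form, hex_form.upper()})
    # Every contiguous window of MIN_FRAGMENT+ chars, so a partially echoed key is still caught.
    for length in range(len(secret), MIN_FRAGMENT - 1, -1):
        forms.update(secret[i:i + length] for i in range(len(secret) - length + 1))
    return sorted(forms, key=len, reverse=True)  # longest first, so whole matches win


def scrub_response(body: str, secret: str) -> Tuple[str, int]:
    """Response scrubbing: replace every form of the secret; returns (clean body, redaction count)."""
    hits = 0
    for form in secret_forms(secret):
        body, n = re.subn(re.escape(form), REDACTED, body)
        hits += n
    return body, hits


def forward(token: ScopedToken, url: str, upstream_body: str) -> Optional[Tuple[str, int]]:
    """Enclave-side policy for one proxied call: deny off-allowlist hosts, else return the scrubbed body."""
    if not host_allowed(token, url):
        return None  # caller logs and denies; nothing is sent upstream
    return scrub_response(upstream_body, token.secret)
```

A non-zero redaction count is itself a detection signal: it means the upstream service leaked the key back and should be investigated, not just silently cleaned.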
Trust Boundaries
Ephos explicitly defines where trust begins and ends:
- User-Side: You trust your browser and your own memory of the passphrase. Ephos never touches the unencrypted secret here.
- Transit: You trust TLS encryption. Ephos only transmits encrypted blobs.
- Execution: You trust the Ephos Enclave to handle the secret in volatile memory and wipe it immediately.