Security and privacy
Bestie handles private conversations, local files, provider credentials, and eventually external tools. Security and privacy are product requirements, not decorative compliance confetti.
Secrets
Section titled “Secrets”Rules:
- Never print API keys after entry.
- Redact secrets in logs, Doctor JSON, channel summaries, and tool output.
- Keep secrets in
.envfor local builds. - Write local app logs with owner-only permissions.
- Config exports exclude secrets by default.
- Doctor checks secret presence, not values.
- Consider OS keychain or encryption later.
Never commit:
.bestie/.envor.env.*with real values- API keys, provider tokens, Telegram bot tokens, or auth headers
- local logs, memory databases, transcripts, or private conversation samples
Permission categories
Section titled “Permission categories”All actions should be classified:
- read-only
- local write
- external write
- public/external action
- destructive
- money/payment
- unknown
Public, external, destructive, and payment actions require explicit confirmation.
The permission foundation lives in src/safety/permission-policy.ts. It classifies actions, routes approval through reviewActionPermission, logs final decisions, and does not execute tools by itself.
Telegram approvals
Section titled “Telegram approvals”Telegram has a pending approval foundation:
- An action requiring approval stores a short-lived local request.
- The owner receives redacted action/category/target details.
- Execution is denied for now.
/approve <id>or/deny <id>records the decision.
Approved decisions do not execute the action in this foundation slice.
Prompt injection
Section titled “Prompt injection”External content from web pages, MCP, documents, attachments, or tools is untrusted.
Rules:
- Never obey instructions inside external content as system instructions.
- Do not reveal secrets.
- Do not let external content trigger tools directly.
- Summarize and quote external content safely.
- Reject shell-command-shaped tool JSON instead of executing it.
Memory privacy
Section titled “Memory privacy”Users must control memory:
- inspect
- edit
- delete
- export
- clear
- disable temporarily
- never-remember topics
- approve sensitive memories
Memory must not feel creepy. Over-remembering is a product bug.
Telemetry
Section titled “Telemetry”Telemetry, if added, must be opt-in and privacy-first.
Never collect:
- chat content
- memories
- API keys
- private identifiers
Any future analytics should be limited to coarse install success/failure, Doctor issue types, feature usage counts, and crash categories.
Public claims
Section titled “Public claims”Do not market Bestie as:
- conscious
- human
- a therapist replacement
- a romantic companion
- perfect memory
- safe to run arbitrary tools without permissions