Security Model
Current security model for the hosted Edictum control plane.
AI Assistance
Right page if: you want the current auth and trust boundaries for the hosted control plane. Wrong page if: you want the retired FastAPI/local-auth security model. Gotcha: humans authenticate through Clerk-backed app traffic, and agents authenticate with workspace API keys.
The current security boundary is split between human operators and agents.
Human Access
Human operator traffic is authenticated through the app and edictum-api.
- Clerk-backed identity is the public human-auth path
- browser flows may also use the API’s session cookie for browser SSE
Agent Access
Agents use workspace API keys:
- bearer token with edk_ prefix
- scoped to the workspace
- hashed server-side using a deployment-specific salt
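One way the key handling listed above could look on the server, as an added example and not Edictum's own code. Only the edk_ prefix, workspace scoping and salted server-side hashing come from this page; HMAC-SHA256 keyed with the salt, the in-memory store, the key body format and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

KEY_PREFIX = "edk_"  # prefix stated on this page; the rest of the key format is assumed


def hash_key(api_key: str, deployment_salt: bytes) -> str:
    """Digest stored in place of the key (HMAC-SHA256 is an assumed construction)."""
    return hmac.new(deployment_salt, api_key.encode(), hashlib.sha256).hexdigest()


def issue_key(workspace_id: str, deployment_salt: bytes, store: Dict[str, str]) -> str:
    """Create a key, persist only digest -> workspace, return the plaintext once."""
    api_key = KEY_PREFIX + secrets.token_urlsafe(32)
    store[hash_key(api_key, deployment_salt)] = workspace_id
    return api_key


def authenticate(authorization: Optional[str], workspace_id: str,
                 deployment_salt: bytes, store: Dict[str, str]) -> bool:
    """Accept only 'Bearer edk_...' whose digest is stored for this workspace."""
    if not authorization:
        return False
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.startswith(KEY_PREFIX):
        return False  # wrong scheme or not a workspace key: reject before hashing
    owner = store.get(hash_key(token, deployment_salt))
    if owner is None:
        return False  # unknown key, or digest made under another deployment's salt
    # Workspace scoping: a valid key for a different workspace is still rejected.
    return hmac.compare_digest(owner.encode(), workspace_id.encode())


if __name__ == "__main__":
    salt = b"constructed-demo-salt"   # constructed value, not a real deployment salt
    db: Dict[str, str] = {}           # stands in for the key table
    key = issue_key("ws_demo", salt, db)
    print("stored rows contain plaintext key:", any(key in row for row in db))
    print("own workspace:", authenticate("Bearer " + key, "ws_demo", salt, db))
    print("other workspace:", authenticate("Bearer " + key, "ws_other", salt, db))
    print("other deployment salt:", authenticate("Bearer " + key, "ws_demo", b"x", db))
```

Because only the digest is persisted, a copy of the key table does not yield usable bearer tokens, and a digest computed under one deployment's salt does not match in another deployment.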
Ruleset Integrity
- rulesets are signed server-side
- SDKs can verify signatures when configured to do so
- signature verification is opt-in at the SDK boundary today
Transport Boundary
- agents fetch rulesets and stream updates from edictum-api
- agents still evaluate locally
- control-plane outage does not turn into silent allow behavior
Current Public Truth
The retired local-password / bundle-era FastAPI security model is not the current public source of truth. Use the live API surface and current SDK docs instead.