Credentials and PII

Flow enforces a strict separation between the components that hold credentials and the components that run AI. No AI model ever sees a password, token, or connection string.

The orchestration engine is the sole custodian of all credentials and the sole executor of privileged operations. Credentials are passed only to the tools that execute operations. They are never passed to the AI models that interpret results.

  • Secrets live in the OS-native credential manager, such as macOS Keychain, Windows Credential Manager, or libsecret. They are never stored on disk.
  • Credentials are retrieved at execution time and are not cached beyond the active run.
  • Credential references are never passed on the inference call path. The inference engine has no access to the credential retrieval API.
  • All privileged operations execute strictly in the user’s authenticated context, so audit trails reflect the actual user.

The keyring holds the cloud AI provider keys, service-node connection secrets and OAuth token bundles, and connection passwords. Cloud keys can fall back to environment variables for developer convenience, but the keyring takes precedence.

The PII sanitizer is a synchronous preprocessing step within the host process. It is applied to all text before it reaches any AI model, both local and cloud.

  • Coverage. Built-in pattern matching covers credentials, hostnames, dataset names, and IP addresses. Admins can also add org-specific rules, which they author and preview in Settings (Privacy).
  • Mechanism. Matches become typed placeholders such as [HOSTNAME] and [DATASET_NAME] before inference.
  • Reasoning preservation. The model reasons abstractly. For example, "[DATASET_NAME] not found" still classifies as a dataset-resolution failure with a generic corrective pattern. The orchestration engine maps the recommendation back to the specific value when it displays the fix.
  • Result. Diagnostic accuracy is preserved without exposing raw values to the model.

For cloud calls, the provider receives the sanitized prompt, and suggestions are rehydrated client-side.
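As an added illustration, not Flow's own code, the following Python sketch shows the placeholder scheme described above: values are replaced by typed placeholders before inference, a mapping stays in the host process, and the model's abstract suggestion is rehydrated client-side. The regex rule set, the numbered suffix for repeated values of one type, and the decision never to rehydrate credential placeholders are assumptions of this example.

```python
import re

# Constructed rule set for the demo (assumption: Flow's built-in rules are
# not published). Ordered so the more specific rule wins: credentials first,
# then IPs, then dotted upper-case dataset names, then hostnames.
RULES = [
    ("CREDENTIAL", re.compile(r"(?i)\b(?:password|token|pwd)=\S+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("DATASET_NAME", re.compile(r"\b[A-Z][A-Z0-9_]*(?:\.[A-Z][A-Z0-9_]*)+\b")),
    ("HOSTNAME", re.compile(
        r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|internal|local)\b")),
]
NO_REHYDRATE = {"CREDENTIAL"}  # secrets are redacted and never mapped back


def sanitize(text):
    """Replace sensitive values with typed placeholders.

    Returns the sanitized text plus a placeholder -> original mapping that
    stays in the host process; the model only ever sees the placeholders.
    The first value of a type becomes [TYPE], further distinct values of the
    same type [TYPE_2], [TYPE_3], so two hostnames in one message stay apart.
    """
    mapping = {}
    seen = {}  # (type, original value) -> placeholder

    def make_sub(kind):
        def sub(match):
            value = match.group(0)
            key = (kind, value)
            if key not in seen:
                n = sum(1 for k in seen if k[0] == kind) + 1
                placeholder = f"[{kind}]" if n == 1 else f"[{kind}_{n}]"
                seen[key] = placeholder
                if kind not in NO_REHYDRATE:
                    mapping[placeholder] = value
            return seen[key]
        return sub

    for kind, pattern in RULES:
        text = pattern.sub(make_sub(kind), text)
    return text, mapping


def rehydrate(suggestion, mapping):
    """Map the model's abstract fix back to concrete values, client-side only."""
    for placeholder, value in mapping.items():
        suggestion = suggestion.replace(placeholder, value)
    return suggestion  # credential placeholders are left as-is by design
```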

Beyond redaction, a contract-bound AI node’s untrusted input is wrapped in a structural untrusted-data boundary before inference, so the model treats it as data rather than instructions. The input is also scanned for prompt-injection patterns such as instruction override, system-prompt exfiltration, and role reassignment. A high-severity signal forces the contract’s human review gate. The engine raises the gate, and the model can never lower it.

  • Execution history records every run and node outcome locally.
  • Cloud AI nodes persist metadata only by default. This includes the provider, model, token counts, latency, and a 200-character preview. Full content is recorded only on explicit per-node opt-in.
  • Every shell invocation appends a JSON audit line (command, cwd, capabilities, sandbox layer, exit code, byte counts) to the daily audit log.
  • User decisions at approval gates are recorded as audit events.
  • Contract-bound AI nodes record every invocation, the routing decision (with the threshold applied), and the human verdict in the run’s AI decision audit trail.