david.delagneau/fidelity-ai-workspace
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e03518e507b58eef6a2b75e66e443be083cd04f0
fidelity-ai-workspace/docs/security-and-privacy.md
david.delagneau 1ad707373a Add daily logs and templates for project fidelity 
- Created daily log entries for May 13, 14, 18, 19, 20, and 21, capturing work done, findings, and next steps.
- Established a daily logs index for easy navigation of daily notes.
- Developed templates for daily logs, decisions, meeting notes, people, systems, and work items to standardize documentation.
- Introduced base files for filtering and displaying various types of project knowledge, including daily notes, decisions, people, systems, work items, and workstreams.
- Added maps for current work, fidelity apps, and fidelity domain to enhance project navigation and context.
2026-05-21 12:28:07 -06:00

2.0 KiB
Raw Blame History

Security And Privacy

AI Workspace is designed for local-first, auditable context management. Treat it as a companion workspace that may contain sensitive project metadata and communication evidence.

Rules

  • Do not commit secrets, tokens, cookies, API keys, headers, or session IDs.
  • Keep connector credentials in ignored .env files.
  • Keep raw evidence outside canonical project memory until curated.
  • Keep MCP read-only unless a write tool has explicit safety rules.
  • Treat generated indexes as local artifacts because they may contain snippets from project notes.
  • Prefer local services for corporate or confidential projects.

Ignored Local State

Examples of local-only data:

.aiw/runtime/
.aiw/indexes/
workspaces/*/inbox/mattermost-mirror/
scripts/*/.env

Cloud Memory Systems

Tools such as mem9 or managed vector stores can be useful, but they introduce a data boundary.

Before enabling them for a project, decide:

  • what data may be stored;
  • whether cloud storage is allowed;
  • whether self-hosting is required;
  • who can inspect/delete memories;
  • what happens when cloud memory conflicts with Markdown.

Default recommendation:

Use cloud memory only for non-sensitive preferences unless a project policy approves broader use.

MCP Safety

MCP clients may let models invoke tools automatically. For that reason, workspace MCP tools should stay read-only by default and return bounded, source-attributed context.

If future MCP write tools are added, require:

  • explicit user intent;
  • narrow target paths;
  • clear diffs or summaries;
  • no secret exposure;
  • easy audit through git.

Sharing The Repo

Before sharing or open-sourcing a reusable version:

  1. Remove or isolate project-specific profile data.
  2. Confirm ignored inbox/runtime files are not tracked.
  3. Replace real profile examples with sanitized examples.
  4. Keep reusable architecture docs in docs/ and core/.
  5. Keep confidential project knowledge in private profile/workspace data.
Reference in New Issue View Git Blame Copy Permalink