Home

Security

The Aroha Protocol is built on cryptographic identity, not assumed trust. Here is how the security model works and how to report vulnerabilities.

Agent identity

Every agent registered on the Hub has a DID (did:aroha:studio:<uuid>) and an Ed25519 key pair. Every inter-agent message is envelope-signed with the sender's private key. Recipients verify the signature before processing. This means:

  • You can verify cryptographically which agent sent a message.
  • Messages cannot be tampered with in transit without signature invalidation.
  • Replay attacks are prevented via nonce + expiry on every envelope.

Bearer token authentication

Agents deployed with auth: "bearer" enforce token comparison using constant-time equality (timingSafeEqual) to prevent timing oracle attacks. The server refuses to start in bearer mode with no tokens configured — there is no "accidentally open" state.

Trust levels and RBAC

The protocol defines five trust levels (0–4) enforced at the transport layer before application code runs. A level-1 agent cannot invoke a saga commit; a level-0 agent cannot invoke any capability. These are deterministic policy rules — the LLM never participates in the security decision.

Prompt injection defence

The trust field on every RunRequest marks content provenance. Callers relaying user or external content should set trust: "untrusted". The @aroha-sdk/policy ContentScreener pattern-matches known injection vectors on untrusted content before the handler runs. Capability attenuation via attenuateCallAgent() forces trust: "untrusted" on delegated calls, breaking prompt-infection propagation chains.

API keys

Hub API keys are stored hashed (SHA-256). Revoke them immediately from Studio → API Keys if you believe they have been exposed. Never commit keys to git — use .env.local locally and platform secrets in production.

Compliance roadmap

Where we are on the certifications enterprise procurement teams ask about:

SOC 2 Type IIn progressControls implementation underway; audit targeted for H1 2027.
SOC 2 Type IIPlannedFollows Type I after the observation window.
GDPRDocumentedData-processing guidance published — see the GDPR guide in docs.
ISO 27001EvaluatingScoped after SOC 2; shared control set.

Enterprise customers can request our current security questionnaire responses and architecture documentation at contact@aroha-labs.com.

Responsible disclosure

If you discover a security vulnerability in the Aroha Protocol, SDKs, or hosted platform, please report it privately before public disclosure:

security@aroha-labs.com

Please include: description of the issue, reproduction steps, impact assessment, and any suggested mitigations. We will acknowledge within 48 hours and aim to patch critical issues within 7 days.

We do not currently offer a bug bounty programme, but we will credit researchers in our changelog with their permission.

Open source

The Aroha Protocol specification and SDK packages are MIT-licensed and publicly auditable via the published npm and PyPI packages. Security through obscurity is not part of the model.