Premier is local-first, but traces can contain prompts, terminal output, tool arguments, and model responses. Treat every .atrace as potentially sensitive evidence.
Trust boundaries
- The recording collector binds to loopback and requires a per-recording bearer token that is not persisted in the trace.
- A non-loopback viewer bind is rejected unless both TLS and authentication are configured.
- Basic password authentication grants local-tenant access. Bearer credentials can bind a subject to one immutable
tenant_idand thetrace:readorassistant:usescopes. - Tenant checks are enforced by the API. A caller cannot select another tenant by changing a query parameter.
- Local AI is a separate trust boundary: Premier capability-probes safe, non-interactive CLI flags, bounds context/output/time, and executes from the trace directory without enabling tools.
Redaction
Structured payload fields matching common password, secret, token, API-key, authorization, cookie, or private-key variants are recursively redacted. Add domain fields and terminal patterns at record time:
premier record \
--redact-field customer_pin \
--redact-literal "$SESSION_SECRET" \
--redact-regex 'Bearer [A-Za-z0-9._-]+' \
-- your-agent run
Terminal display remains useful while the persisted trace applies configured terminal redaction. The manifest records redaction provenance, not the secret values.
Encryption at rest
Premier can encrypt a trace before its first event is persisted. Create a 32-byte master key as 64 hexadecimal characters, keep the key outside the trace directory, and make it owner-only:
openssl rand -hex 32 > /run/secrets/premier/trace.key
chmod 600 /run/secrets/premier/trace.key
PREMIER_TRACE_KEY_FILE=/run/secrets/premier/trace.key \
premier record --tenant acme -- your-agent run
Active and finalized event frames use XChaCha20-Poly1305. Premier derives an independent per-trace key with HKDF, generates a fresh nonce for every encrypted envelope, and authenticates the trace identity, frame sequence, and journal role as associated data. Sensitive manifest fields—including the run name, command, result, diagnostics, capability labels, redaction configuration, and adapter provenance—are stored in an authenticated private envelope. The public manifest retains the minimum routing and verification metadata: trace and tenant identity, timestamps, journal digest/count, encryption algorithm, and non-secret key identifier.
The key file is never copied into the trace. Reading, verifying, querying, exporting, or serving an encrypted trace requires PREMIER_TRACE_KEY_FILE to name the correct owner-only key file. A wrong key or modified ciphertext fails closed.
Encrypt an existing finalized trace atomically:
premier encrypt run.atrace --new-key-file /run/secrets/premier/trace.key
To rotate keys, make the current key available through PREMIER_TRACE_KEY_FILE and pass the replacement key to --new-key-file. Premier stages and verifies the complete replacement before publishing it; the original directory is restored if publication fails.
PREMIER_TRACE_KEY_FILE=/run/secrets/premier/old.key \
premier encrypt run.atrace --new-key-file /run/secrets/premier/new.key
Finalized journal digests provide an additional whole-file integrity check, while signed release bundles authenticate the Premier publisher. Encrypted operating-system volumes and explicit retention policy remain useful defense in depth.
Tenant ownership
Record new shared evidence with an immutable tenant:
PREMIER_TRACE_KEY_FILE=/run/secrets/premier/trace.key \
premier record --tenant acme -- your-agent run
An administrator can atomically assign a legacy local trace once with premier claim run.atrace --tenant acme. Re-claiming it to another tenant is rejected. Authenticated trace APIs filter every list, detail, event, stream, export, comparison, and assistant lookup by the caller’s tenant; an unauthorized trace returns the same not-found response as an unknown trace.
Safe operating defaults
- Keep local investigations on
127.0.0.1. - Redact before persistence; do not depend on UI hiding.
- Use distinct bearer tokens and tenant IDs for shared service access.
- Store trace keys, TLS keys, and authentication configuration outside the trace directory with owner-only permissions.
- Rotate credentials and remove traces when the evidence-retention window ends.