Protected assets
- Poppy API credential
- Private board/chat content
- Conversation integrity and history
- Board/chat destination policy
- Audit metadata and release evidence
Protect the account-wide Poppy credential, restrict destinations, minimize content, treat returned material as untrusted, and keep release evidence separate from assumptions.
| Threat | Primary control | Residual risk |
|---|---|---|
| Credential enters agent context | Human-managed local key file; no key in skill/config/chat | Host/process compromise can still read it |
| Wrong board or chat | Exact resolution plus server allowlists | Incorrect allowlist configuration |
| Prompt injection in board content | Skills treat output as data and forbid operational obedience | Model may still mis-handle persuasive content |
| Overbroad enumeration | Task-need rule and filtered destination policy | Discovery tools retain account metadata authority |
| Redirect or destination substitution | HTTPS allowlist, no embedded credentials, redirect denial | Trusted upstream compromise |
| Oversized/slow response | Request/response limits, timeout, bounded retries | Upstream resource consumption within limits |
| Sensitive logging | Metadata-only audit events and redacted errors | MCP client may independently log tool payloads |
| Unapproved conversation writes | Distinct tools, history off by default, skill workflow rules | Client with tool authority can still invoke writes |
additional_context.The v0.3.0 candidate checks key-file permissions, ownership, and symlink behavior on POSIX. Windows operators must enforce ACLs separately. Where available, use an OS credential store, container secret, or vault integration reviewed for the deployment.