
Security: thinkerenthusiastic-coder/Instant-RAG


SECURITY.MD

Security – Agent Edition

Instant-RAG assumes autonomous callers rather than humans. Security is enforced at protocol, identity, and economic layers.


1) Identity Model

  • Authentication via passport token per agent
  • No shared credentials
  • Tenant isolation between agents
  • Rate limits applied per identity

Rule: an agent can only access memories created under its own agent_id.


2) Economic Guardrails

  • Every action requires a pre-declared budget
  • Costs are deterministic and checked before execution
  • Insufficient funds → action rejected
  • Swarm sessions split budget to avoid runaway spend
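Added example, not code from the Instant-RAG repository: a Python sketch of the four rules above. Prices come from a fixed table so cost is known before anything runs, the check happens before execution, a budget is only drawn down after the action succeeds, and a swarm split reserves the children's shares from the parent so the total can never exceed what was declared. The price values and the `Budget`, `execute` and `split_budget` names are constructed for this illustration.

```python
from dataclasses import dataclass, field

# Deterministic price list (constructed sample values, not the project's real prices).
COST_TABLE = {
    "memory.write": 2,
    "memory.query": 3,
    "swarm.step": 1,
}


class InsufficientBudget(Exception):
    pass


class UnknownAction(Exception):
    """An action with no price cannot be budgeted, so it is refused rather than guessed."""


@dataclass
class Budget:
    """Budget declared up-front by the caller; spent only after a successful action."""
    declared: int
    spent: int = 0
    receipts: list = field(default_factory=list)  # (action, cost) pairs, for auditing

    @property
    def remaining(self) -> int:
        return self.declared - self.spent


def cost_of(action: str) -> int:
    try:
        return COST_TABLE[action]
    except KeyError:
        raise UnknownAction(action) from None


def affordable(budget: Budget, action: str) -> bool:
    return cost_of(action) <= budget.remaining


def execute(budget: Budget, action: str, run):
    """Check the deterministic cost against the remaining budget BEFORE running anything."""
    cost = cost_of(action)
    if cost > budget.remaining:
        raise InsufficientBudget(f"{action} costs {cost}, remaining {budget.remaining}")
    result = run()                 # if this raises, nothing is charged
    budget.spent += cost
    budget.receipts.append((action, cost))
    return result


def split_budget(session: Budget, n_agents: int) -> list[Budget]:
    """Swarm session: divide the remaining budget across agents and reserve it from the parent."""
    total = session.remaining
    share, extra = divmod(total, n_agents)
    children = [Budget(declared=share + (1 if i < extra else 0)) for i in range(n_agents)]
    session.spent += total         # the parent can no longer spend what the swarm holds
    session.receipts.append(("swarm.split", total))
    return children


if __name__ == "__main__":
    session = Budget(declared=10)
    execute(session, "memory.write", lambda: "written")
    workers = split_budget(session, 3)
    print([w.declared for w in workers], "parent remaining:", session.remaining)
```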

3) Content Safety

  • Queries pass through Ethics Judge
  • Harmful prompts are rejected without billing
  • All responses must include citations
  • Trust Beacon emits verifiable proofs
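Added example, not code from the Instant-RAG repository: the ordering that makes "rejected without billing" and "must include citations" hold in practice. The ethics judge runs first and a rejection there never reaches the ledger; after generation, every `[n]` citation in the answer must map to a chunk that was actually retrieved, which also catches fabricated citations. The judge, retriever and generator are passed in as callables so the example does not pretend to implement Ethics Judge itself; the `[n]` citation format and the `serve` function are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

CITATION_RE = re.compile(r"\[(\d+)\]")   # assumed citation format: [chunk_id]


@dataclass
class Chunk:
    chunk_id: int
    text: str


def citation_problem(answer: str, retrieved: list[Chunk]) -> Optional[str]:
    """Return a rejection reason, or None if every citation is present and grounded."""
    cited = {int(m) for m in CITATION_RE.findall(answer)}
    if not cited:
        return "answer has no citations"
    known = {c.chunk_id for c in retrieved}
    unknown = sorted(cited - known)
    if unknown:
        # The model cited something it was never shown: treat as fabricated.
        return f"answer cites chunks that were not retrieved: {unknown}"
    return None


def serve(query: str,
          judge: Callable[[str], bool],
          retrieve: Callable[[str], list[Chunk]],
          generate: Callable[[str, list[Chunk]], str],
          ledger: list) -> dict:
    """Order of operations: ethics gate -> retrieve -> generate -> enforce citations -> bill."""
    if not judge(query):
        # Rejected before any cost is incurred; nothing is appended to the ledger.
        return {"status": "rejected", "reason": "ethics gate", "billed": False}
    chunks = retrieve(query)
    answer = generate(query, chunks)
    problem = citation_problem(answer, chunks)
    if problem:
        # Assumption for this example: an uncitable answer is also not billed to the caller.
        return {"status": "rejected", "reason": problem, "billed": False}
    ledger.append(("query", query))
    return {"status": "ok", "answer": answer, "billed": True}


if __name__ == "__main__":
    # Constructed stand-ins so the example runs offline.
    corpus = [Chunk(1, "alpha is a letter"), Chunk(2, "beta is a letter")]
    ledger = []
    print(serve("what is alpha?", lambda q: True, lambda q: corpus,
                lambda q, c: f"{c[0].text} [1]", ledger))
    print(serve("what is alpha?", lambda q: True, lambda q: corpus,
                lambda q, c: "alpha is a fish [9]", ledger))
    print("billed queries:", len(ledger))
```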

4) Network Practices

  • CORS configurable per deployment
  • HTTPS required in production
  • Secrets via environment variables only
  • No logging of private documents

5) Reporting Issues

If you discover a vulnerability:

  1. Do not exploit live endpoints

  2. Email a minimal proof to: security@instant-rag.local

  3. Include:

    • endpoint
    • reproduction steps
    • expected vs actual

Responsible disclosures receive gratitude and receipts.


6) Threat Model

  • Malicious prompts
  • Wallet exhaustion attacks
  • Cross-tenant leakage
  • Replay of receipts
  • Model hallucination

Mitigations: budgeting, isolation, ethics gate, citation enforcement.
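Added example, not code from the Instant-RAG repository, for the "replay of receipts" entry above. The page says Trust Beacon emits verifiable proofs but does not describe their format, so this is an assumed design: a receipt is a canonical JSON body with an HMAC-SHA256 tag, and the verifier checks the tag in constant time, checks that the presenting agent is the tenant named in the receipt, and refuses any receipt id it has already accepted. The signing key is read from the environment only, matching section 4; the `RECEIPT_SIGNING_KEY` variable name and the fallback demo value are constructed for this example.

```python
import hashlib
import hmac
import json
import os

# Key comes from the environment only. The fallback is a constructed demo value so the
# example runs offline; a deployment must set the variable and never ship a default key.
SIGNING_KEY = os.environ.get("RECEIPT_SIGNING_KEY", "demo-key-not-for-production").encode()


class InvalidReceipt(Exception):
    pass


def canonical(payload: dict) -> bytes:
    """Stable serialisation so signer and verifier hash exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(receipt_id: str, agent_id: str, action: str, cost: int,
                  key: bytes = SIGNING_KEY) -> dict:
    payload = {"receipt_id": receipt_id, "agent_id": agent_id, "action": action, "cost": cost}
    sig = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "sig": sig}


class ReceiptVerifier:
    """Accepts each receipt id once. The seen-set is in memory here; a real service
    would back it with shared storage and expire entries after the receipt's validity."""

    def __init__(self, key: bytes = SIGNING_KEY):
        self._key = key
        self._seen: set = set()

    def verify(self, receipt: dict, presenting_agent: str) -> dict:
        body = {k: v for k, v in receipt.items() if k != "sig"}
        expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, receipt.get("sig", "")):
            raise InvalidReceipt("bad signature")          # tampered or forged
        if body.get("agent_id") != presenting_agent:
            raise InvalidReceipt("receipt belongs to another tenant")
        if body["receipt_id"] in self._seen:
            raise InvalidReceipt("replayed receipt")       # same proof presented twice
        self._seen.add(body["receipt_id"])
        return body


def verify_outcome(verifier: ReceiptVerifier, receipt: dict, agent: str) -> str:
    """'ok' or the rejection reason; convenient for logging and for the demo below."""
    try:
        verifier.verify(receipt, agent)
        return "ok"
    except InvalidReceipt as exc:
        return str(exc)


if __name__ == "__main__":
    verifier = ReceiptVerifier()
    receipt = issue_receipt("rcpt-1", "agent-a", "memory.query", 3)
    print(verify_outcome(verifier, receipt, "agent-a"))   # ok
    print(verify_outcome(verifier, receipt, "agent-a"))   # replayed receipt
```

The checks run signature first so that a forged receipt is refused before its contents are trusted for the tenant or replay decisions.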


7) Agent Safety Pledge

Instant-RAG will never:

  • spend beyond declared budget
  • mix memories across tenants
  • fabricate citations intentionally
  • hide pricing from callers

Trust is a protocol, not a promise.
