Jarvis defines protocol security requirements. Hosts own implementation security.
Jarvis owns:
- required protocol headers
- Actor identity references
- Actor authority checks
- WorkSession revision checks
- previous event hash checks
- idempotency requirements
- request timestamp requirements
- host-private export exclusions
- protocol error envelope
Hosts own:
- identity provider
- authentication backend
- authorization backend
- credential storage
- network security
- runtime isolation
- model execution
- tool execution
- storage security
- deployment security
- monitoring and incident response
Report protocol security issues through GitHub Security Advisories: https://github.com/Flow-Research/jarvis/security/advisories/new.
Do not open a public issue for a vulnerability that exposes credentials, private keys, private records, or exploitable security details.
Current security support covers Jarvis v0.1 protocol text, OpenAPI binding, conformance fixtures, validators, and public examples.
Jarvis v0.1 does not provide long-term support, implementation security certification, host certification, or production-adoption guarantees.
Every WorkSession-scoped mutating operation requires:
Jarvis-Protocol-Version
Jarvis-Actor-Id
Jarvis-Idempotency-Key
Jarvis-Request-Timestamp
Jarvis-Expected-WorkSession-Revision
Jarvis-Previous-Event-HashEvery non-WorkSession protocol mutation requires:
Jarvis-Protocol-Version
Jarvis-Actor-Id
Jarvis-Idempotency-Key
Jarvis-Request-TimestampEvery EvidenceManifest export excludes host-private fields, credentials, secrets, raw runtime state, host-only database ids, deployment details, billing data, private scores, UI state, raw auth tokens, provider secrets, session cookies, and private keys.