Security FAQ
Security questions — credential handling, spend caps on chain, auditability, signed envelopes, and how to report a vulnerability.
MCP server credentials are $env:NAME references resolved from the executor's environment at spawn time. Literal secrets in a manifest are forbidden — manifests are content-addressed and may be shared or journaled.
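As an added illustration (not the project's own code), the following Python shows the two halves of that rule: a content-time check that refuses any credential value in a manifest that is not a `$env:NAME` reference, and a spawn-time resolver that substitutes the reference from the executor's environment and fails closed when the variable is absent. The manifest shape (`mcp_servers` entries with an `env` map), the function names and the sample values are assumptions for the example.

```python
import re
from typing import Mapping

# Assumed manifest shape (not the project's documented schema): each MCP server
# entry carries an "env" map whose values must all be $env:NAME references.
ENV_REF = re.compile(r"^\$env:([A-Za-z_][A-Za-z0-9_]*)$")


class ManifestCredentialError(ValueError):
    """Raised for a literal secret in a manifest or an unresolvable reference."""


def validate_manifest_credentials(manifest: dict) -> list[str]:
    """Content-time check: every credential value must be a $env:NAME reference,
    so a content-addressed manifest never carries a secret. Returns the referenced
    variable names; raises on the first literal value."""
    refs: list[str] = []
    for server in manifest.get("mcp_servers", []):
        for key, value in server.get("env", {}).items():
            match = ENV_REF.match(str(value))
            if match is None:
                raise ManifestCredentialError(
                    f"{server['name']}.env.{key}: literal value not allowed; use $env:NAME")
            refs.append(match.group(1))
    return refs


def resolve_at_spawn(manifest: dict, executor_env: Mapping[str, str]) -> dict[str, dict[str, str]]:
    """Spawn-time resolution: substitute each reference from the executor's
    environment. Fails closed (raises) if any referenced variable is unset,
    rather than launching the server with an empty credential."""
    validate_manifest_credentials(manifest)
    resolved: dict[str, dict[str, str]] = {}
    for server in manifest.get("mcp_servers", []):
        env: dict[str, str] = {}
        for key, value in server.get("env", {}).items():
            name = ENV_REF.match(str(value)).group(1)
            if name not in executor_env:
                raise ManifestCredentialError(
                    f"{server['name']}: ${name} is not set in the executor environment")
            env[key] = executor_env[name]
        resolved[server["name"]] = env
    return resolved


# Constructed sample manifest and executor environment (placeholder values, not real credentials).
SAMPLE_MANIFEST = {"mcp_servers": [{"name": "github", "env": {"GITHUB_TOKEN": "$env:GH_TOKEN"}}]}
SAMPLE_ENV = {"GH_TOKEN": "constructed-token-value"}
```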
On-chain spending passes two gates: a per-call ceiling (PAXEER_SPEND_CAP_WEI) enforced at plan time, before any side effect, and the Paxeer Embedded Wallet's own spend policy at signing time. Without wallet auth, chain access is read-only.
Yes. Every lifecycle transition is an ed25519-signed envelope, every step journals a cortex Event, and the append-only journal can rebuild all derived state byte-identically. Outcomes are attested with the memories they cited.
Tools must be declared (exhaustively) in the agent manifest and granted by the skill's §TOOLS allowlist. URIs are version-pinned, and the capability gate enforces side-effect classes against allowed_side_effects.
Follow SECURITY.md in the repository for coordinated disclosure — do not open a public issue or PR with exploit details.
