Skip to main content

Overview

Alfred Black handles your most personal information — your relationships, your commitments, your decisions. Security isn’t a feature. It’s the foundation. This page explains how every layer of Alfred’s infrastructure is designed to keep your data private, your vault safe, and your world protected.

Your Alfred is yours alone

Every Alfred Black subscriber gets a dedicated, isolated server. Your data never shares hardware, databases, or services with anyone else.
PropertyDetail
ServerDedicated Hetzner Cloud instance (cx53: 8 vCPU, 32GB RAM)
StorageLUKS2 full-disk encryption (AES-256-XTS)
NetworkPrivate Tailscale mesh (WireGuard-based VPN)
ExposureZero public-facing ports — no inbound access from the internet
Your Alfred is not a container on a shared cluster. It’s a dedicated machine, encrypted at rest, accessible only through a private network.

Encryption

At rest

Your vault and all associated data are stored on a LUKS2-encrypted volume using AES-256-XTS. The encryption key is generated per instance during provisioning.

In transit

All communication is encrypted:
  • SaaS to your Alfred: Tailscale (WireGuard) — encrypted, authenticated, and private
  • Your browser to the dashboard: HTTPS (TLS 1.3) via Cloudflare
  • OpenClaw device connections: HTTPS via Cloudflare Tunnel (outbound-only from your server)

API key storage

Your API keys are never stored in plain text. When you create an API key:
  1. The full key (alf_...) is shown to you once
  2. A SHA-256 hash is computed and stored in the database
  3. The original key is discarded — it cannot be recovered
When you make an API request, your key is hashed and compared against the stored hash. The key itself is never persisted.

Tenant credentials

The internal credentials connecting the SaaS to your Alfred are encrypted at rest using AES-256-GCM with:
  • A unique 12-byte initialization vector per encryption
  • A GCM authentication tag for integrity verification
  • Decryption only in memory during request forwarding — never logged, never cached

Network architecture

Your Alfred has no public IP addresses and no open ports facing the internet. 
                  ┌──────────────────────────────────┐
                  │         Your Alfred               │
                  │    (dedicated, encrypted server)   │
                  │                                    │
                  │  ┌──────────┐  ┌──────────────┐  │
                  │  │ Alfred   │  │   OpenClaw    │  │
You ──HTTPS──→    │  │ Worker   │  │   Gateway     │  │
  Cloudflare ──→  │  │ 127.0.0.1│  │  127.0.0.1   │  │
                  │  └──────────┘  └──────────────┘  │
                  │  ┌──────────┐  ┌──────────────┐  │
SaaS Proxy ──→    │  │ Temporal │  │  Tenant API   │  │
  Tailscale ──→   │  │ Engine   │  │  port 3100    │  │
                  │  │ 127.0.0.1│  │  127.0.0.1   │  │
                  │  └──────────┘  └──────────────┘  │
                  │                                    │
                  │  Tailscale (WireGuard) ◄──────────┘
                  │  Cloudflare Tunnel (outbound only)  │
                  └──────────────────────────────────┘

Tailscale mesh

Your Alfred communicates with the SaaS layer through Tailscale, a WireGuard-based mesh VPN. This means:
  • No inbound ports open — your server accepts connections only from the private Tailscale network
  • End-to-end encryption — WireGuard provides authenticated encryption between nodes
  • Identity-based access — each node is cryptographically identified, preventing impersonation

Cloud firewall

Each instance is protected by a Hetzner Cloud firewall that permits only:
PortProtocolPurpose
41641/udpUDPTailscale WireGuard tunnel
ICMPICMPHealth diagnostics
SSH access is restricted to pre-authorized IP ranges and disabled by default for all other sources.

Service binding

All services on your Alfred bind to 127.0.0.1 (localhost only):
  • Tenant API: 127.0.0.1:3100
  • OpenClaw Gateway: 127.0.0.1:18789
  • Temporal Engine: 127.0.0.1:7233
No service listens on a public interface. External access is only possible through Tailscale (for the SaaS proxy) or Cloudflare Tunnel (for OpenClaw device connectivity, outbound-only).

Authentication

Dashboard authentication

The Alfred Black dashboard uses email and password authentication with:
  • Argon2 password hashing — the current gold standard for password storage
  • Email verification required on signup
  • Secure, time-limited password reset tokens
  • HTTP-only session cookies with SameSite protection

API key authentication

API requests are authenticated using Bearer tokens: 
Authorization: Bearer alf_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Security properties:
  • Keys generated with crypto.randomBytes(16) — 128 bits of entropy
  • Stored as SHA-256 hashes only — raw keys are never persisted
  • Maximum 10 keys per account — limits attack surface
  • Each key tracks lastUsedAt for activity monitoring
  • Keys can be revoked instantly from your dashboard

Tenant API authentication

Your Alfred’s internal API uses timing-safe token comparison (crypto.timingSafeEqual) to prevent timing attacks on authentication.

Payment webhook verification

Payment events from Polar are verified using cryptographic signature validation before any action is taken. Invalid signatures are rejected.

Conversational access (OpenClaw)

Alfred uses OpenClaw as the gateway for conversational access — the interface you use when you pair a device and talk to Alfred directly. Because OpenClaw connects a language model to your vault, it introduces a surface area that demands careful layering.

How you connect

Your devices reach Alfred through a Cloudflare Tunnel — an outbound-only encrypted channel from your server to Cloudflare’s edge network. 
Your device → Cloudflare Edge (TLS 1.3) → Cloudflare Tunnel → localhost:18789
This means:
  • No inbound port is opened — the tunnel is initiated from your Alfred, not from the outside
  • Your server’s IP is never exposed — your device only sees Cloudflare
  • DDoS and WAF protection — Cloudflare’s network sits in front of every connection

Device pairing

Before any device can talk to your Alfred, it must be paired and approved:
  1. A device requests pairing through the OpenClaw gateway
  2. The request appears in your dashboard as pending
  3. You approve or reject it
  4. On approval, a cryptographically random device token is generated and returned once
  5. The device uses this token for all subsequent connections
Every conversation requires a valid device token. Tokens can be revoked instantly from your dashboard — cutting off access immediately. You can also rotate a device’s token if you suspect it’s been compromised, without removing the device.

What the agent can do

When you talk to Alfred through OpenClaw, the language model can interact with your vault — but only through a tightly controlled gate. The agent does not have direct filesystem access. Every vault operation goes through the alfred vault CLI, a mediation layer that enforces rules before any read or write touches your data: 
You → OpenClaw → Language Model → alfred vault CLI → Your Vault

                              Scope check, path validation,
                              schema validation, mutation log
The agent can:
  • Read records, search your vault, and get context
  • Create or edit records (when running as the Curator)
  • Fix or remove broken records (when running as the Janitor)
  • Surface learning records (when running as the Distiller)
What it cannot do:
  • Access files outside your vault — path traversal is blocked at the CLI layer
  • Bypass its scope — a Curator session cannot delete, a Janitor session cannot create, a Distiller session can only create learning types
  • Run arbitrary commands — the agent’s only tool is the vault CLI, not a general-purpose shell
  • Access the network — the OpenClaw container has no outbound internet access except to configured LLM providers
  • Escape its container — no privilege escalation, no Docker socket, no system capabilities

Third-party integrations

Alfred uses external LLM providers (like OpenRouter, Anthropic, or OpenAI) to power the language model behind conversations. These are the only third-party services your Alfred connects to.
  • No third-party plugins — Alfred ships only its own curated skills (Curator, Janitor, Distiller). Third-party skill installation from ClawHub is disabled by default.
  • No arbitrary API access — the agent cannot make outbound HTTP requests to services you haven’t configured
  • Provider credentials are stored on your encrypted volume (LUKS2) with restricted file permissions (mode 0600)
  • You choose the model — you can select which language model each specialist uses from your dashboard

Prompt injection defenses

Prompt injection — where malicious content in your data tricks the language model into doing something unintended — is one of the most discussed risks in AI systems. Alfred defends against this at multiple layers.
No AI system can guarantee 100% immunity to prompt injection. Alfred’s approach is defense in depth — even if the language model is tricked, the damage it can do is bounded by technical enforcement that the model cannot override.
Layer 1 — Scope enforcement (code-level) Even if the model is manipulated, it physically cannot perform operations outside its scope. A Curator session cannot delete records. A Distiller session cannot edit your existing data. These rules are checked in code before every operation — not by the model, but by the vault CLI itself. Layer 2 — Path validation (code-level) Every file path is resolved to its absolute form and verified to be within your vault directory. Attempts to reference ../, symlinks, or paths outside the vault boundary are rejected. This is enforced at the filesystem level, not by the model. Layer 3 — Schema validation (code-level) Record types are validated against a fixed set of 22 known types. Status values are checked against per-type allowed values. List fields must be arrays. Invalid frontmatter is rejected. The model cannot invent new record types or set impossible statuses. Layer 4 — Mutation logging (code-level) Every write operation — every create, edit, move, and delete — is recorded in an append-only audit log with timestamps and attribution. If something unexpected happens, you have a complete record of what changed, when, and which specialist did it. Layer 5 — Skill instructions (prompt-level) Each specialist receives detailed instructions that define its role, boundaries, and acceptable behavior. These include explicit constraints: “never access the filesystem directly,” “never delete unless it’s garbage,” “never modify source records.” While prompt-level defenses are not absolute, they significantly reduce the likelihood of unintended behavior. The key insight: Layers 1 through 4 are technical controls enforced in code. The language model cannot bypass them regardless of what instructions it receives. Layer 5 adds behavioral guidance on top. Even in a worst-case prompt injection scenario, the blast radius is bounded by the technical layers beneath.

Specialist sandboxing

Alfred’s specialists (Curator, Janitor, Distiller, Surveyor) are constrained by multiple layers of security — whether they’re running as background workers or through an OpenClaw conversation.

Scope enforcement

Each specialist has strict rules about what vault operations it can perform:
SpecialistCreateReadEditMoveDelete
CuratorYesYesYesInbox onlyNo
JanitorNoYesYesNoYes
DistillerLearning types onlyYesNoNoNo
  • The Curator can create and edit records but cannot delete anything — preventing data loss during intake
  • The Janitor can edit and remove broken records but cannot create new ones — limiting its blast radius to fixes only
  • The Distiller can only create learning records (assumptions, decisions, constraints, contradictions, syntheses) — it cannot modify your existing records
These rules are enforced in code before every vault operation. A specialist that attempts an unauthorized action receives a scope error and the operation is blocked.

Path traversal prevention

Every vault file operation passes through path validation that:
  1. Resolves the full path (eliminating .., symlinks, and relative references)
  2. Verifies the resolved path is within the vault directory
  3. Rejects any path that would escape the vault boundary
This prevents a compromised or misbehaving agent from accessing files outside your vault.

Subprocess isolation

Specialists run as isolated subprocesses with:
  • No shell execution — commands are passed as clean argument arrays, preventing shell injection
  • Unique session files — each invocation gets its own temporary mutation log
  • Restricted tool access — specialists are limited to the vault CLI only, with every operation mediated and validated
  • Timeouts — each specialist invocation has a configurable timeout (default 300 seconds) to prevent runaway execution

Session isolation

Each specialist invocation receives a unique, temporary session file. Mutations are tracked per-session, and sessions are cleaned up after processing. Concurrent invocations cannot interfere with each other.

Container hardening

Services on your Alfred run in Docker containers with defense-in-depth hardening:
ProtectionDetail
Privilege escalationno-new-privileges: true on all containers
Capabilitiescap_drop: ALL — all Linux capabilities removed, only specific ones added back where strictly necessary
Memory limits2GB per container — prevents memory exhaustion
PID limits256 processes per container — prevents fork bombs
NetworkAll containers bound to localhost only

Audit trail

Every vault mutation is recorded in an append-only audit log: 
{
  "ts": "2026-02-28T14:30:45.123456+00:00",
  "tool": "curator",
  "op": "create",
  "path": "person/Alice Smith.md",
  "detail": "inbox/meeting-notes.md"
}
The audit log records:
  • Timestamp — when the operation occurred
  • Specialist — which specialist performed the operation (curator, janitor, distiller)
  • Operation — what was done (create, modify, delete)
  • Path — which record was affected
  • Detail — source context (e.g., which inbox item triggered the creation)
This log is append-only — entries cannot be modified or deleted. It provides a complete, tamper-evident history of every change to your vault.

Health monitoring

The SaaS layer checks your Alfred’s health every 2 minutes:
  • Service status (running, degraded, down)
  • Disk usage
  • Memory usage
  • Container health
Health checks are authenticated and travel over the encrypted Tailscale network. Results are stored for your dashboard’s Command Center view.

SSH access

Each tenant has SSH keys generated during provisioning. Users can download their private key from the dashboard to connect directly to their Alfred instance.

Downloading your key

Navigate to Settings → Terminal and click “Download SSH Key”. This downloads a .pem file containing your private key.

Connecting

ssh -i <key>.pem deploy@<your-hostname>
Set correct file permissions before connecting — chmod 600 on macOS/Linux, or icacls on Windows (see the Dashboard guide for full instructions).

Key security

PropertyDetail
GenerationKeys are generated per-tenant during instance provisioning
StoragePrivate keys are stored encrypted on the platform and delivered over HTTPS
IsolationKeys are never shared between tenants — each instance has its own key pair
Access levelSSH provides full access to the tenant VPS as the deploy user
SSH gives you full access to your Alfred’s server. You can run any command, modify configuration, and access your vault directly on disk. Use responsibly — changes made via SSH are not tracked in the dashboard audit log.

Data lifecycle

During your subscription

  • Your vault is stored on encrypted disk
  • Automatic encrypted backups run daily
  • All access is authenticated and logged

After cancellation

  • Your data is preserved for 30 days after your subscription ends
  • During the grace period, resubscribing restores access immediately
  • After 30 days, the environment is permanently decommissioned and all data is destroyed

Data portability

Your vault is an Obsidian-compatible collection of Markdown files. You can pair a device to access your vault directly and maintain your own local copies at any time.

Summary

LayerProtection
InfrastructureDedicated server per subscriber, no shared resources
StorageLUKS2 full-disk encryption (AES-256-XTS)
NetworkTailscale WireGuard mesh, zero public ports, cloud firewall
TransitTLS 1.3 (browser), WireGuard (API), Cloudflare Tunnel (devices)
API keysSHA-256 hashed, never stored in plain, 10 per account max
CredentialsAES-256-GCM encrypted at rest, decrypted only in memory
PasswordsArgon2 hashing with email verification
OpenClaw gatewayDevice pairing with approval, per-device tokens, instant revocation
OpenClaw connectionOutbound-only Cloudflare Tunnel, no exposed server IP
Vault CLI gateAll agent vault access mediated through validated CLI — no direct filesystem
Specialist scopePer-specialist operation restrictions enforced in code
Prompt injectionDefense in depth: scope, path, schema, and audit layers enforced in code
Third-party accessOnly configured LLM providers, no plugins, no arbitrary network access
File accessPath traversal prevention on every vault operation
ContainersHardened: no-new-privileges, dropped capabilities, resource limits
AuditAppend-only mutation log with timestamps and attribution
MonitoringHealth checks every 2 minutes over encrypted channel

How the API Works

Understand the full request path and proxy architecture

API Keys

Create and manage your API keys

Device Pairing

Pair devices and manage conversational access