self-hosted · redaction local · audit hash-chained
v0.3.0 · apache-2.0 · go 1.26

Security posture

Security

Sphragis is built so that the sensitive part of your workload never leaves your machine. This page states plainly what that means and how to reach us about a vulnerability.

Where your data lives

  • Redaction is local. PII and secrets are tokenized in-process, before any byte is forwarded upstream.
  • Output is redacted too. Model responses, JSON and streamed SSE, are scanned in-process before they reach your app, so PII the model emits never lands in your code or logs.
  • The audit log is local. It is an append-only, hash-chained file on your own disk. It stores a SHA-256 of the redacted payload and metadata, never raw prompt content.
  • No SaaS in the data path. Sphragis is a self-hosted binary. There is no Sphragis-operated service that your prompts pass through.
  • Fails closed. If the audit write fails, the gateway refuses to forward the call rather than lose the record.
  • Reversible tokens stay sealed and local. The optional vault that maps tokens back to their originals is encrypted at rest with AES-256-GCM and never leaves the machine. With no key set, no originals are stored at all.

What can leave your network

  • The redacted request, to the upstream LLM provider you configured (and only there).
  • If you opt into anchoring, an opaque Merkle root to public OpenTimestamps calendars. It reveals nothing about the log's contents.

That is the entire egress surface. No telemetry, no phone-home, no license check. Nothing in the open-source project requires a key or contacts us.

Tamper-evidence

Every record is chained to the previous one by hash. Altering, reordering or dropping any entry breaks verification. sphragis verify replays the chain, checks every link and per-record hash, and prints the Merkle root. sphragis anchor can timestamp that root publicly so you can later prove the log existed at a point in time.
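
The chained verification described above, as an added sketch in Go (the project's language); it is not Sphragis's own code. The record layout, field names and length-prefixed hashing are assumptions made for illustration, and the Merkle root step is omitted.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a hypothetical audit entry, not Sphragis's on-disk format.
type Record struct{ Prev, PayloadSHA256, Meta, Hash string }

// digest binds a record to its predecessor; length prefixes fix field boundaries.
func digest(prev, payload, meta string) string {
	h := sha256.New()
	for _, f := range []string{prev, payload, meta} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append stores only a SHA-256 of the redacted payload, never the payload.
func Append(log []Record, redacted []byte, meta string) []Record {
	prev := ""
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
	}
	sum := sha256.Sum256(redacted)
	p := hex.EncodeToString(sum[:])
	return append(log, Record{prev, p, meta, digest(prev, p, meta)})
}

// Verify returns the index of the first record whose link or own hash fails, or -1.
func Verify(log []Record) int {
	prev := ""
	for i, r := range log {
		if r.Prev != prev || r.Hash != digest(r.Prev, r.PayloadSHA256, r.Meta) {
			return i
		}
		prev = r.Hash
	}
	return -1
}

func main() {
	var log []Record
	for i, p := range []string{"mail <EMAIL_1>", "key <SECRET_1>", "bye"} { // constructed inputs
		log = Append(log, []byte(p), fmt.Sprintf("seq=%d", i))
	}
	fmt.Println(Verify(log)) // -1: chain intact
}
```

Rewriting a record and recomputing its own hash still fails verification at the next record, whose Prev no longer matches.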

Supply chain

  • Single statically linked Go binary; reproducible builds via GoReleaser on tag push.
  • Release artifacts ship with checksums; CI runs govulncheck, linting and CodeQL.
  • GitHub Actions are pinned to commit SHAs and run under a hardened runner.

Reporting a vulnerability

Please report security issues privately rather than in a public issue. See the security policy in the repository for the current disclosure process and contact.