---
title: Security FAQ
description: "Security questions — credential handling, spend caps on chain, auditability, signed envelopes, and how to report a vulnerability."
---

> **For AI agents:** the complete documentation index is at [llms.txt](/llms.txt). Append `.md` to any page URL for its markdown version.

<AccordionGroup>
  <Accordion title="How are credentials handled?">
    MCP server credentials are `$env:NAME` references resolved from the executor's environment at spawn time. Literal secrets in a manifest are forbidden — manifests are content-addressed and may be shared or journaled.
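    How a spawn-time resolver can enforce this, as an added example written for this FAQ (not the project's own code): the exact `$env:NAME` grammar, the `ResolveCredentials` and `ManifestAddress` functions and the sample manifest entries are assumptions of the example, not the project's API. It fails closed on a literal value or an unset variable, and it shows that the content address covers only the references, never the resolved secrets.

    ```go
    package main

    import (
    	"crypto/sha256"
    	"encoding/hex"
    	"fmt"
    	"os"
    	"regexp"
    	"sort"
    	"strings"
    )

    // envRef is the only credential form a manifest may carry: "$env:NAME".
    // The variable-name grammar is an assumption of this example.
    var envRef = regexp.MustCompile(`^\$env:([A-Za-z_][A-Za-z0-9_]*)$`)

    // ResolveCredentials turns a manifest's credential entries into concrete
    // values at spawn time, using lookup (os.LookupEnv in production). It fails
    // closed: a literal value or an unset variable aborts the spawn instead of
    // starting the server with a blank or baked-in credential.
    func ResolveCredentials(entries map[string]string, lookup func(string) (string, bool)) (map[string]string, error) {
    	resolved := make(map[string]string, len(entries))
    	for name, value := range entries {
    		m := envRef.FindStringSubmatch(value)
    		if m == nil {
    			// Not a reference, so it is a literal (or a typo). Either way it
    			// must not live in a content-addressed, shareable manifest.
    			return nil, fmt.Errorf("credential %q: literal value is forbidden, use $env:NAME", name)
    		}
    		v, ok := lookup(m[1])
    		if !ok || v == "" {
    			return nil, fmt.Errorf("credential %q: %s is not set in the executor environment", name, m[1])
    		}
    		resolved[name] = v
    	}
    	return resolved, nil
    }

    // ManifestAddress is a content address over the credential section. It
    // hashes the references, never the resolved values, so the address is
    // identical on every host and safe to journal or share.
    func ManifestAddress(entries map[string]string) string {
    	keys := make([]string, 0, len(entries))
    	for k := range entries {
    		keys = append(keys, k)
    	}
    	sort.Strings(keys) // canonical order: Go map iteration is randomized
    	var b strings.Builder
    	for _, k := range keys {
    		fmt.Fprintf(&b, "%s=%s\n", k, entries[k])
    	}
    	sum := sha256.Sum256([]byte(b.String()))
    	return hex.EncodeToString(sum[:])
    }

    func main() {
    	// Constructed sample manifest entries (not from a real deployment).
    	manifest := map[string]string{"GITHUB_TOKEN": "$env:AGENT_GITHUB_TOKEN"}
    	fmt.Println("address:", ManifestAddress(manifest))
    	if _, err := ResolveCredentials(manifest, os.LookupEnv); err != nil {
    		fmt.Println("spawn refused:", err)
    	}
    	_, err := ResolveCredentials(map[string]string{"GITHUB_TOKEN": "literal-secret-value"}, os.LookupEnv)
    	fmt.Println("literal manifest:", err)
    }
    ```

    Resolution happens once, in the executor, and the resolved map is handed to the spawned process; the manifest itself never changes, so its address stays stable whether or not the variable is set on a given host.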
  </Accordion>
  <Accordion title="What stops an agent from overspending on chain?">
    Two gates: a per-call ceiling (`PAXEER_SPEND_CAP_WEI`) enforced at plan time before any side effect, and the Paxeer Embedded Wallet's own spend policy at signing time. Without wallet auth, chain access is read-only.
  </Accordion>
  <Accordion title="Is execution auditable?">
    Yes. Every lifecycle transition is an ed25519-signed envelope, every step journals a cortex Event, and the append-only journal can rebuild all derived state byte-identically. Outcomes are attested with the memories they cited.
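    A minimal version of that audit trail, as an added example written for this FAQ (not the project's envelope format or journal code): each lifecycle transition is an ed25519-signed, hash-linked envelope, the outcome carries the memory ids it cited, and a replay verifies every signature and link before deriving state. The `Envelope` fields, the canonical byte layout and the `Rebuild` function are assumptions of the example; the real journal also records a cortex Event per step, which is not modelled here.

    ```go
    package main

    import (
    	"crypto/ed25519"
    	"crypto/rand"
    	"crypto/sha256"
    	"encoding/hex"
    	"fmt"
    	"strings"
    )

    // Envelope is one signed lifecycle transition in the append-only journal.
    type Envelope struct {
    	Seq        uint64
    	Prev       string   // hex SHA-256 of the previous envelope's canonical bytes ("" for the first)
    	Transition string   // e.g. "planned", "running", "completed"
    	Cited      []string // memory ids the outcome attests to having used (must not contain ",")
    	Sig        []byte   // ed25519 signature over canonical()
    }

    // canonical is the byte string that is signed and hashed. Field order and
    // separators are fixed so two writers produce identical bytes.
    func (e Envelope) canonical() []byte {
    	return []byte(fmt.Sprintf("%d\n%s\n%s\n%s\n", e.Seq, e.Prev, e.Transition, strings.Join(e.Cited, ",")))
    }

    func (e Envelope) hash() string {
    	h := sha256.Sum256(e.canonical())
    	return hex.EncodeToString(h[:])
    }

    // Journal is append-only: Append signs the new envelope and links it to the tail.
    type Journal struct{ Entries []Envelope }

    func (j *Journal) Append(priv ed25519.PrivateKey, transition string, cited []string) Envelope {
    	e := Envelope{Seq: uint64(len(j.Entries)), Transition: transition, Cited: cited}
    	if n := len(j.Entries); n > 0 {
    		e.Prev = j.Entries[n-1].hash()
    	}
    	e.Sig = ed25519.Sign(priv, e.canonical())
    	j.Entries = append(j.Entries, e)
    	return e
    }

    // State is the derived view rebuilt from the journal.
    type State struct {
    	Current string   // last lifecycle transition
    	Cited   []string // every memory id cited along the way
    	Digest  string   // hash of all verified canonical bytes, in order
    }

    // Rebuild replays the journal from the start, verifying each signature and
    // link, and returns the derived state. Two replays of the same journal give
    // byte-identical Digests; an edited, removed or foreign-key entry is refused.
    func Rebuild(pub ed25519.PublicKey, j Journal) (State, error) {
    	var st State
    	prev := ""
    	acc := sha256.New()
    	for i, e := range j.Entries {
    		if e.Seq != uint64(i) || e.Prev != prev {
    			return State{}, fmt.Errorf("entry %d: broken chain", i)
    		}
    		if !ed25519.Verify(pub, e.canonical(), e.Sig) {
    			return State{}, fmt.Errorf("entry %d: bad signature", i)
    		}
    		st.Current = e.Transition
    		st.Cited = append(st.Cited, e.Cited...)
    		acc.Write(e.canonical())
    		prev = e.hash()
    	}
    	st.Digest = hex.EncodeToString(acc.Sum(nil))
    	return st, nil
    }

    func main() {
    	pub, priv, err := ed25519.GenerateKey(rand.Reader)
    	if err != nil {
    		panic(err)
    	}
    	j := &Journal{} // constructed sample run: three transitions, one cited memory
    	j.Append(priv, "planned", nil)
    	j.Append(priv, "running", nil)
    	j.Append(priv, "completed", []string{"mem:7c1a"})
    	st, err := Rebuild(pub, *j)
    	fmt.Println(st.Current, st.Cited, st.Digest, err)
    	j.Entries[2].Transition = "failed" // rewrite the outcome after the fact
    	_, err = Rebuild(pub, *j)
    	fmt.Println("after tamper:", err)
    }
    ```

    Because the derived state is a pure function of the verified entries, a second replay on another machine produces the same `Digest`, which is what makes the journal usable as evidence rather than as a log that happens to agree with the live state.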
  </Accordion>
  <Accordion title="How is tool access constrained?">
    Tools must be declared exhaustively in the agent manifest (a tool that is not declared cannot be called at all) and then granted by the skill's `§TOOLS` allowlist. Tool URIs are version-pinned, and the capability gate checks each tool's side-effect class against the manifest's `allowed_side_effects` before the call runs.
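    The plan-time gate described here and in the spend-cap question above, as one added example written for this FAQ (not the project's own gate): a call passes only if the tool is declared in the manifest, granted by the skill's `§TOOLS` allowlist, called at its pinned URI, and of a side-effect class in `allowed_side_effects`; a chain spend additionally needs wallet auth and a value at or below `PAXEER_SPEND_CAP_WEI`. The type names, the `@version` URI suffix, the side-effect class names and the choice to treat an unset or malformed cap as zero are assumptions of the example. The wallet's own signing-time policy is the second gate and is outside this code.

    ```go
    package main

    import (
    	"errors"
    	"fmt"
    	"math/big"
    	"os"
    	"strings"
    )

    // SideEffect is the class a tool is declared with; the gate compares it
    // against the manifest's allowed_side_effects.
    type SideEffect string

    const (
    	EffectRead       SideEffect = "read"
    	EffectWrite      SideEffect = "write"
    	EffectChainSpend SideEffect = "chain_spend"
    )

    // ToolDecl is one entry of the manifest's exhaustive tool list.
    type ToolDecl struct {
    	URI    string // version-pinned, e.g. "mcp://paxeer/wallet@1.0.0" (assumed format)
    	Effect SideEffect
    }

    type Manifest struct {
    	Tools              map[string]ToolDecl
    	AllowedSideEffects map[SideEffect]bool
    }

    // Skill carries the §TOOLS allowlist: the subset of manifest tools it may use.
    type Skill struct{ Tools map[string]bool }

    // Call is a planned invocation; ValueWei is nil for non-spending calls.
    type Call struct {
    	Tool     string
    	URI      string
    	ValueWei *big.Int
    }

    // Gate is evaluated at plan time, before any side effect happens.
    type Gate struct {
    	Manifest     Manifest
    	Skill        Skill
    	SpendCapWei  *big.Int // per-call ceiling from PAXEER_SPEND_CAP_WEI
    	WalletAuthed bool     // false: chain access is read-only
    }

    // ParseSpendCap reads the per-call ceiling. Unset, malformed or negative
    // values become zero so that a missing variable fails closed.
    func ParseSpendCap(raw string) *big.Int {
    	n, ok := new(big.Int).SetString(strings.TrimSpace(raw), 10)
    	if !ok || n.Sign() < 0 {
    		return big.NewInt(0)
    	}
    	return n
    }

    func (g Gate) Check(c Call) error {
    	decl, declared := g.Manifest.Tools[c.Tool]
    	if !declared {
    		return fmt.Errorf("tool %q is not declared in the agent manifest", c.Tool)
    	}
    	if !g.Skill.Tools[c.Tool] {
    		return fmt.Errorf("tool %q is not in the skill's §TOOLS allowlist", c.Tool)
    	}
    	if !strings.Contains(decl.URI, "@") {
    		return fmt.Errorf("tool %q: manifest URI %q is not version-pinned", c.Tool, decl.URI)
    	}
    	if c.URI != decl.URI {
    		return fmt.Errorf("tool %q: call URI %q does not match pinned %q", c.Tool, c.URI, decl.URI)
    	}
    	if !g.Manifest.AllowedSideEffects[decl.Effect] {
    		return fmt.Errorf("tool %q: side-effect class %q not in allowed_side_effects", c.Tool, decl.Effect)
    	}
    	if decl.Effect == EffectChainSpend {
    		if !g.WalletAuthed {
    			return errors.New("chain access is read-only without wallet auth")
    		}
    		if c.ValueWei == nil || c.ValueWei.Sign() < 0 {
    			return errors.New("chain spend planned without a value")
    		}
    		capWei := g.SpendCapWei
    		if capWei == nil {
    			capWei = big.NewInt(0)
    		}
    		if c.ValueWei.Cmp(capWei) > 0 {
    			return fmt.Errorf("value %s wei exceeds PAXEER_SPEND_CAP_WEI=%s", c.ValueWei, capWei)
    		}
    	}
    	return nil
    }

    // sampleGate builds a constructed manifest and skill for illustration.
    func sampleGate(capRaw string, walletAuthed bool) Gate {
    	return Gate{
    		Manifest: Manifest{
    			Tools: map[string]ToolDecl{
    				"chain_read":  {URI: "mcp://paxeer/chain@1.0.0", Effect: EffectRead},
    				"wallet_send": {URI: "mcp://paxeer/wallet@1.0.0", Effect: EffectChainSpend},
    				"fs_read":     {URI: "mcp://local/fs@2.1.0", Effect: EffectRead},
    				"fs_write":    {URI: "mcp://local/fs@2.1.0", Effect: EffectWrite},
    			},
    			AllowedSideEffects: map[SideEffect]bool{EffectRead: true, EffectChainSpend: true},
    		},
    		Skill:        Skill{Tools: map[string]bool{"chain_read": true, "wallet_send": true, "fs_write": true}},
    		SpendCapWei:  ParseSpendCap(capRaw),
    		WalletAuthed: walletAuthed,
    	}
    }

    func main() {
    	g := sampleGate(os.Getenv("PAXEER_SPEND_CAP_WEI"), true)
    	for _, c := range []Call{
    		{Tool: "chain_read", URI: "mcp://paxeer/chain@1.0.0"},
    		{Tool: "wallet_send", URI: "mcp://paxeer/wallet@1.0.0", ValueWei: big.NewInt(500000000000000000)},
    		{Tool: "fs_write", URI: "mcp://local/fs@2.1.0"},
    		{Tool: "shell", URI: "mcp://local/shell@1.0.0"},
    	} {
    		fmt.Printf("%-12s %v\n", c.Tool, g.Check(c))
    	}
    }
    ```

    The order of the checks matters: declaration and allowlist are answered from static configuration, so an undeclared or ungranted tool is refused before the gate ever looks at the value it would have spent, and a read-only tool keeps working with no wallet auth at all.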
  </Accordion>
  <Accordion title="How do I report a vulnerability?">
    Follow `SECURITY.md` in the repository for coordinated disclosure — do not open a public issue or PR with exploit details.
  </Accordion>
</AccordionGroup>
