# AI security constraints

Security constraints for assistants generating or reviewing `@beblurt/dblurt` code.

Canonical human guides:

- `../guide/broadcast.md`
- `../guide/crypto.md`
- `../guide/browser.md`
- `../guide/security-guide.md`
- `../architecture/SECURITY_ARCHITECTURE.md`

## Private keys

Never hard-code private keys, memo keys, active keys, posting keys or owner keys.

Use environment variables or explicit placeholders:

```js
const postingKey = process.env.BLURT_POSTING_KEY;
if (!postingKey) {
    throw new Error('Set BLURT_POSTING_KEY before signing');
}
```
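
One way to check generated or reviewed snippets for a hard-coded key before they are accepted, as an added example that is not part of `@beblurt/dblurt` or its guides. It assumes Blurt private keys use the Graphene-family WIF encoding (base58check, version byte `0x80`, 51 characters starting with `5`); `findHardCodedKeys` and `isValidWif` are hypothetical helper names.

```javascript
// Added example: assumes Graphene-style WIF keys (base58check, version byte 0x80).
const crypto = require('crypto');

const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const B58_CLASS = '[1-9A-HJ-NP-Za-km-z]';
// 51 base58 characters starting with "5", not part of a longer base58 run.
const WIF_SHAPE = new RegExp(`(?<!${B58_CLASS})5${B58_CLASS}{50}(?!${B58_CLASS})`, 'g');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Decode a candidate to bytes. Candidates start with "5", so there are no
// leading "1" characters (zero bytes) to restore.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) n = n * 58n + BigInt(B58.indexOf(ch));
  const hex = n.toString(16);
  return Buffer.from(hex.length % 2 ? '0' + hex : hex, 'hex');
}

// True only when the version byte and the double-SHA-256 checksum both match.
function isValidWif(candidate) {
  const raw = base58Decode(candidate);
  if (raw.length !== 37 || raw[0] !== 0x80) return false;
  const expected = sha256(sha256(raw.subarray(0, 33))).subarray(0, 4);
  return expected.equals(raw.subarray(33));
}

// Scan generated source text and report every key-shaped literal.
function findHardCodedKeys(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const m of text.matchAll(WIF_SHAPE)) {
      findings.push({
        line: i + 1,
        column: m.index + 1,
        // "lookalike" = right shape, wrong checksum (still worth a human look).
        verdict: isValidWif(m[0]) ? 'private-key' : 'lookalike',
        preview: `${m[0].slice(0, 4)}...`, // never echo the full secret
      });
    }
  });
  return findings;
}
```

A `private-key` verdict should block the snippet; the report carries only a four-character preview so the scanner's own output does not leak the key.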

## Authorities

- Posting authority is normally used for social actions such as votes/comments.
- Active authority is required for higher-risk actions such as transfers.
- Owner authority is highly sensitive and should not appear in normal examples.
- Memo keys are for memo encryption/decryption, not transaction authority.

Confirm exact authority requirements with `../guide/broadcast.md` or source/tests before generating action examples.

## Read-only first

For learning flows, generate read-only RPC examples first.

Broadcasting examples must be explicit about:

- required authority;
- environment variables;
- account names;
- irreversible side effects;
- validation performed or not performed.

## Browser safety

Browser applications must not silently embed private keys.
Prefer wallet/user-controlled flows or clearly marked secure input flows.
Warn about XSS and supply-chain risk when browser code signs transactions.


