Security guidelines for identity separation, data protection, and AI agent isolation.
- Corporate data: Work systems, client data, Nestlé compliance obligations
- Personal data: Banking, email, social accounts, family info
- Studio data: Project code, research, API keys, experiment results
- Credentials: Passwords, API keys, SSH keys, tokens
- Data leakage: Personal/corporate data sent to third-party LLMs
- Credential compromise: API keys stolen from config files or logs
- Prompt injection: Malicious inputs causing unintended AI actions
- Cross-contamination: Studio compromise affecting personal or work systems
- Supply chain: Compromised MCP servers or n8n workflows
See sections below.
Use for:
- Employer systems only
- M365, Teams, corporate VPN
- MDM-managed laptop
Never use for:
- Studio projects
- Side projects
- Personal AI tools
Devices: Work laptop only, separate browser profile
Use for:
- Personal email, banking, social media
- Family and friend communications
- Personal shopping and services
Never use for:
- Studio projects (except billing/payment)
- Work systems
Devices: Personal laptop/phone, separate browser profile
Create:
- Email:
you@yourstudio.com(custom domain) - GitHub org:
your-studio - Accounts: Perplexity, Claude, NotebookLM, n8n, etc.
Use for:
- All HeliOS Studio work
- AI R&D projects
- Open-source contributions under studio brand
Devices: Studio VM or dedicated workstation, separate browser profile
Benefits:
- Clear legal/commercial separation
- Blast radius containment
- Professional branding
- Honest attribution (not anonymous)
┌─────────────────┐
│ Work Laptop │ Corporate domain, MDM, VPN to work
│ (Corporate ID) │ NEVER used for studio
└─────────────────┘
┌─────────────────┐
│ Personal Laptop │ Personal email, banking, social
│ (Personal ID) │ NEVER used for studio (except billing)
└─────────────────┘
┌─────────────────┐
│ Studio VM │ Proxmox VM, studio identity only
│ (Studio ID) │ Cursor, Claude Desktop, NotebookLM browser
└────────┬────────┘
│
↓ (studio VLAN)
┌────────────────────────────────┐
│ Homelab Services │
│ • Ollama (AI Core VM) │
│ • n8n (Automation Hub VM) │
│ • GitHub Runners │
│ • Monitoring │
└────────────────────────────────┘
Studio VLAN (e.g. 10.100.0.0/24):
- Studio VM
- AI Core VM (Ollama)
- Automation Hub VM (n8n)
- GitHub self-hosted runners
Firewall rules:
- Studio VLAN → Internet: Allow (outbound only)
- Studio VLAN → Corporate VLAN: DENY
- Studio VLAN → Personal devices: DENY
- Management subnet → Studio VLAN: Allow (for admin)
Create separate profiles in Chrome/Firefox/Edge:
- Corp Profile: Work email, M365, Teams
- Personal Profile: Personal email, banking, social
- Studio Profile: Studio email, GitHub studio org, AI tools
Never cross-login between profiles.
Use: Each profile has its own cookies, cache, extensions, and bookmarks.
Setup:
- Use 1Password, Bitwarden, or similar with separate vaults:
CorporatevaultPersonalvaultStudiovault
Rules:
- Unique password for every account
- 20+ character random passwords
- MFA enabled everywhere possible
Never:
- Commit to Git (even private repos)
- Store in plaintext config files
- Log to stdout/stderr
- Pass via URL parameters
Best practices:
# .env (gitignored)
CLAUDE_API_KEY=sk-ant-...
GITHUB_TOKEN=ghp_...import os
from dotenv import load_dotenv
load_dotenv()
api_key = os.getenv("CLAUDE_API_KEY")version: '3.8'
services:
app:
image: myapp
secrets:
- claude_key
secrets:
claude_key:
file: ./secrets/claude_key.txtwith open('/run/secrets/claude_key') as f:
api_key = f.read().strip()# Store
vault kv put secret/studio/claude api_key=sk-ant-...
# Retrieve
vault kv get -field=api_key secret/studio/claude# .github/workflows/deploy.yml
steps:
- name: Deploy
env:
CLAUDE_KEY: ${{ secrets.CLAUDE_API_KEY }}
run: ./deploy.sh- Rotate all API keys quarterly
- Immediately rotate if:
- Key appears in logs
- Team member leaves
- Suspicious activity detected
✅ Public documentation
✅ Open-source code
✅ Your own non-sensitive notes
✅ Anonymized/synthetic test data
✅ General technical questions
❌ Corporate data (emails, docs, code, configs)
❌ Client data
❌ PII (names, emails, addresses, phone numbers)
❌ PHI/PCI (health, payment card data)
❌ Secrets (passwords, API keys, tokens)
❌ Private network topology or configs
Rule: If you wouldn't post it on a public blog, use local LLMs or redact before cloud LLMs.
Each MCP server should have minimal access to resources.
Sandbox: Only /workspace/helios-studio directory
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"-y",
"@modelcontextprotocol/server-filesystem",
"/home/user/workspace/helios-studio"
]
}
}
}Never: Give access to /, ~, or sensitive directories like ~/.ssh, ~/.aws
Fine-grained token: Scoped to studio org only
Permissions:
- Contents: Read and write (specific repos only)
- Issues: Read and write
- Pull requests: Read and write
- Metadata: Read-only
Never: Use personal access token (classic) with full repo access
Run in containers:
services:
mcp-n8n:
build: ./mcp-servers/n8n
read_only: true
networks:
- mcp_net
environment:
- N8N_URL=http://n8n:5678
secrets:
- n8n_api_keyIsolate: No direct internet access; communicate via internal network only
Input validation:
- Allowlist expected commands/patterns
- Reject inputs with suspicious tokens (e.g., "ignore previous instructions")
- Sanitize file paths and shell commands
Output filtering:
- Block responses containing secrets (regex for API keys, tokens)
- Redact PII before logging
Tool restrictions:
- Define explicit tool allowlists per agent
- Require human approval for high-risk actions:
- Delete operations
- Public deployments
- External API calls
Example (n8n workflow):
[User Input] → [Validation Node] → [Claude API] → [Output Filter] → [Action]
↓ reject ↓ sanitize
[Log & Alert] [Log & Alert]
Log all AI actions:
- Prompts sent (redact secrets)
- Tool calls made
- Files accessed/modified
- API endpoints hit
- User who triggered
Centralize logs:
- Ship to ELK/Loki/Grafana Loki
- Retention: 90 days minimum
- Alerting on anomalies:
- Unusual file access patterns
- Off-hours API calls
- High token usage
- Failed authentication attempts
Per-agent limits:
- Max API calls per hour: 100
- Max tokens per day: 500k
- Max file writes per hour: 50
Circuit breaker: Halt agent on repeated errors or limit breaches
- Immediately: Revoke key in provider dashboard
- Rotate to new key
- Update all references (repos, n8n workflows, env files)
- Review logs for unauthorized usage
- Assess impact (data accessed, costs incurred)
- Document in incident log
- Isolate: Disconnect studio VM/VLAN from network
- Rotate all credentials (GitHub tokens, API keys, passwords)
- Review:
- Git history for unauthorized commits
- Recent GitHub Actions runs
- n8n workflow execution logs
- MCP server logs
- Rebuild affected VMs from clean snapshots
- Re-enable after full review
- Document: What data, which LLM provider, when
- Assess risk:
- PII? Report to GDPR/privacy team if required
- Corporate? Report to IT/legal
- Secrets? Follow key compromise process
- Contact LLM provider to request data deletion (per their policies)
- Update data handling procedures to prevent recurrence
- Do NOT send PII to third-party LLMs without explicit consent and DPA
- Use local LLMs for any EU personal data processing
- Maintain data processing records
- Zero corporate data in studio systems
- Studio identity must be clearly distinct from corporate identity
- No studio work on corporate devices or networks
- Studio identity created (email, GitHub org)
- Separate browser profiles configured
- Studio VM deployed on isolated VLAN
- Firewall rules: studio ↛ corporate, studio ↛ personal
- Password manager with separate studio vault
- MFA enabled on all studio accounts
- GitHub fine-grained tokens created (not classic PATs)
- MCP servers sandboxed (filesystem, GitHub)
- API keys stored in vault/secrets manager, not code
- Data classification policy followed (no PII/corporate data to cloud LLMs)
- All AI actions logged centrally
- Rate limits configured on agents
- Weekly review of logs for anomalies
- Quarterly credential rotation
- See SECURE_BY_DESIGN_RECOMMENDATIONS.md for prioritized hardening actions and implementation backlog.
- See HARDWARE.md for workstation and homelab specs.