ArcLink Operating Policy
Last updated: June 2026
Security and secrets
ArcLink never intentionally exposes raw secrets in dashboard responses, public chat replies, logs, or Academy artifacts. Browser mutations use sessions and CSRF checks, credential handoffs are masked, and high-risk operator actions require explicit confirmation.
Privacy and public lanes
Raven routes onboarding, support, and control messages. Captain-owned Agent state stays scoped to that Captain, their ArcPods, approved brokered APIs, and accepted shares. Public Academy lanes store only redacted, derived notes; private strategy and personal data do not become shared material.
Academy crawling
Academy continuing education can crawl approved public source URLs on a weekly cadence. Crawls respect source permissions, HTTPS transport, robots policy, rate limits, and third-party terms. ArcLink records metadata and content hashes, not raw pages, and changed or unsafe sources must pass review before Agent updates.
Operator controls
- Read-only previews and diagnostics should be available before risky work is queued.
- Upgrades, rollouts, repairs, and admin actions require verified operator identity plus confirm=true or an approval code.
- Actions are audited and should fail closed when proof, scope, or worker readiness is missing.
Dashboard access
User and admin sessions are separate. Admin access is protected by role, CSRF, and network-scope checks. Hermes Agent dashboards use signed, expiring session or SSO cookies; Drive, Code, Terminal, and dashboard access should not rely on browser-facing Basic Auth.
Shared folders
Accepted Drive and Code shared folders are projected into Linked roots with read/write access by default. Shared folders cannot be reshared, and destructive or ownership-changing operations must remain confirmation-aware.