Current version: V1.5.43
Contact: 𝕏 @RaccoonStampede · @Prosperous727
ARCHITECT is a browser-based research tool that runs entirely client-side. The standard artifact version has no server, no database, and no authentication layer. A Vercel deployment path exists (documented in GITHUB_SETUP.md) which adds a backend proxy route — the security scope expands in that configuration.
In scope:
- API key handling (how your Anthropic key is stored and transmitted)
window.storage/localStorageusage (hpdl_config, hpdl_data keys)- XSS vectors in the React render layer
- Prompt injection via Custom Rails or pipe injection content
- Framework mode disclosure (κ=0.444 vs κ=0.500 choice at first run)
- Vercel proxy route security (if deploying externally)
Out of scope (artifact version):
- Server-side vulnerabilities (no server)
- Authentication bypass (no authentication)
- Server-side data breaches (no user data stored server-side)
ARCHITECT requires an Anthropic API key to make API calls. The key is:
- Stored only in React state (in-memory) during the session
- Never logged, exported, or transmitted anywhere except directly to
api.anthropic.com(or your Vercel proxy route) - Cleared when the artifact or browser tab is closed
- Never written to
window.storageorlocalStorage
Recommendation: Use a restricted Anthropic API key with a spending limit for use with any browser-based tool.
ARCHITECT persists two keys to window.storage (artifact) or localStorage (Vercel):
| Key | Contents |
|---|---|
hpdl_config |
Settings, feature toggles, math constants, framework mode choice (Hudson/Standard), Advanced tab state |
hpdl_data |
Coherence scores, event log, RAG cache, Kalman state, bookmarks |
Neither key contains conversation content, API keys, or personal data. Session data stored here is mathematical metrics only.
Custom Rails (Advanced tab): User-defined text injected into every system prompt. This is intentional and disclosed — users write this themselves. However, if you are building on top of ARCHITECT and accepting Custom Rails input from untrusted sources, you should sanitize that input before it reaches the system prompt.
Pipe injection: ARCHITECT automatically injects coherence state into system prompts. This content is generated by the tool itself (scores, variance, directives) and does not include user conversation content.
ARCHITECT discloses its framework constants (κ=0.444, RESONANCE_ANCHOR=623.81 Hz)
to users at first run via a choice modal. Users can select Hudson Framework or
Standard Mode. This disclosure is logged to hpdl_config. No security concern
— noted here for completeness.
If deploying ARCHITECT on Vercel with the backend proxy route:
- Store your Anthropic API key as a Vercel environment variable, never in client code
- The proxy route must validate requests before forwarding to the Anthropic API
- Rate limiting on the proxy route is strongly recommended
- Do not expose the proxy endpoint publicly without authentication
If you find a security issue, please report it privately before opening a public issue.
Contact via 𝕏 DM: @RaccoonStampede or @Prosperous727
Please include: description of the vulnerability, steps to reproduce, potential impact, and your suggested fix if you have one.
We will acknowledge within 48 hours and aim to patch within 7 days for critical issues.
This is an experimental R&D tool. We make no security guarantees beyond reasonable care in the areas listed above. See LICENSE for the full disclaimer and limitation of liability.