Add Tech Notes section under Enterprise with LLM key protection article #484
Draft
jpshackelford wants to merge 6 commits into main from
- Create new Tech Notes subsection under Enterprise tab
- Add index page explaining the purpose of Tech Notes
- Add first tech note: LLM API Key Protection
- Explains how LLM keys are protected from agent access
- Covers SESSION_API_KEY stripping, secret masking, and container isolation
- Includes code examples and security test references

- Add D2 source file for architecture diagram
- Generate clean SVG using D2 diagramming tool
- Update markdown to use Frame component with SVG image

- Add 'Understanding Controlled: LLM vs Agent Access' subsection
- Update BYOK table to show both LLM and Agent exposure
- Make explicit that registered secrets are fully accessible to agent by design
- Clarify that output masking protects conversation history, not agent access

Co-authored-by: openhands <openhands@all-hands.dev>

- Explain how master API keys are configured (SaaS vs Enterprise)
- Describe virtual key generation per Organization/Personal Workspace
- Clarify BYOK scenarios and when LiteLLM proxy is involved
- Show that virtual keys cannot be used directly with provider APIs

Co-authored-by: openhands <openhands@all-hands.dev>

- Explain that users can instruct agent to write secrets to files
- Note that once on disk, values could be read and transmitted
- Emphasize security protects secrets from LLM, not from the user who stored them

Co-authored-by: openhands <openhands@all-hands.dev>

Summary
This PR adds a new "Tech Notes" subsection under the Enterprise tab, providing in-depth technical articles for security teams, platform engineers, and developers who want to understand how OpenHands works under the hood.
Changes
New Section: Tech Notes
- enterprise/tech-notes/ directory
- docs.json (appears last in sidebar)
First Tech Note: LLM API Key Protection
A comprehensive technical article explaining how OpenHands protects LLM API keys from agent access and exfiltration. Covers:
- SESSION_API_KEY stripping via sanitized_env()
- LookupSecret for dynamic token fetching
Files Changed
- docs.json
- enterprise/tech-notes/index.mdx
- enterprise/tech-notes/llm-key-protection.mdx
Preview
The Tech Notes section will appear at the bottom of the Enterprise sidebar:
This PR was created by an AI agent (OpenHands) on behalf of the user.