
Securing the Squid AI Agent

Use the @secureAiChatbot decorator to designate a function as securing a given agent.

Securing your data is vital when using the Squid Client to create profiles and enable chatting. The AI agent's profiles and the chats conducted with them can contain sensitive information, so it's crucial to restrict access and updates to prevent unauthorized usage or modification.

Unless an AI agent profile has been set to public, access will be restricted by default and won't work without explicit rules that set access permissions. (Feel free to try it!)

Squid provides a @secureAiChatbot decorator that you can use to set security rules. These rules prevent unauthorized users from updating profiles or conducting unauthorized chats, protecting the integrity of your data.

Tip: Before trying to secure the AI agent, make sure the public setting of the profile you want to secure is toggled to OFF and that you've set up your backend, as this will be required to set security rules for your AI agent.

Securing chats

To manage chat permissions, use the @secureAiChatbot decorator. To open up chat for all users, add the following to your backend:

import { secureAiChatbot, SquidService } from '@squidcloud/backend';

export class ExampleService extends SquidService {
  @secureAiChatbot('INTEGRATION_ID', 'chat') // Replace INTEGRATION_ID with your AI agent integration ID
  allowChat(): boolean {
    return true;
  }
}

To restrict chat only to authenticated users, use the Squid backend's isAuthenticated() method. This method returns a boolean indicating whether the client attempting to take an action is authenticated.

@secureAiChatbot('INTEGRATION_ID', 'chat')
allowChat(): boolean {
  return this.isAuthenticated();
}

To secure a specific AI agent profile, add the AI agent's profile ID to the end of the parameters in the @secureAiChatbot decorator:

@secureAiChatbot('INTEGRATION_ID', 'chat', 'PROFILE_ID')

Securing profiles

While you may want to allow clients to chat with your AI agent, you most likely do not want them to take actions that make changes to its instructions or context. Instead, you should manage your AI agent profiles in the Squid Backend or the Squid Console.

To prevent profile mutations, you can add the following security function to your Squid Backend:

@secureAiChatbot('INTEGRATION_ID', 'mutate')
allowMutations(): boolean {
  return false;
}

To secure a specific AI agent profile, you can add the AI agent's profile ID to the decorator:

@secureAiChatbot('INTEGRATION_ID', 'mutate', 'PROFILE_ID')

There may be some cases where you want to allow profile management from the client. For example, you might want to dynamically build a profile for each user. In that case, you can customize your AI agent's security function using the AiChatbotMutationContext as shown in the following example:

import { secureAiChatbot, SquidService, AiChatbotMutationContext } from '@squidcloud/backend';

export class ExampleService extends SquidService {
  @secureAiChatbot('INTEGRATION_ID', 'mutate')
  async allowMutations(context: AiChatbotMutationContext): Promise<boolean> {
    // Only allow a user to manage the profile whose ID is their own user ID.
    const userId = this.getUserAuth()?.userId;
    if (context.profileId !== userId) return false;

    if (context.resource === 'instruction') {
      // Do not let users modify instructions.
      return false;
    } else if (context.resource === 'context') {
      // Allow users to insert context.
      return context.type === 'insert';
    } else if (context.resource === 'profile') {
      // Allow users to insert a profile, since we've verified the profileId matches the userId.
      return context.type === 'insert';
    }
    // Deny anything not explicitly allowed above.
    return false;
  }
}
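The following is an added example, not code from the Squid documentation or the @squidcloud/backend package. It takes the per-user mutation policy above and factors it into a pure function so the rule can be unit tested offline, without a running Squid backend. The MutationContextLike interface is an assumed local stand-in that mirrors only the three fields the page's example reads (profileId, resource, type); the real AiChatbotMutationContext comes from '@squidcloud/backend'. The sample request table is constructed data, and the one non-'insert' operation type in it is a made-up value used only to show that the policy refuses it.

```typescript
// Added example (not Squid's own code): the page's mutation policy as a
// pure, testable function.

// Assumption: local stand-in for the three AiChatbotMutationContext fields
// the page's example reads. The real type lives in '@squidcloud/backend'.
interface MutationContextLike {
  profileId?: string;
  resource: string; // page values: 'instruction' | 'context' | 'profile'
  type: string;     // 'insert' is the only value the page uses
}

// Deny by default: only the cases the page allows return true; every other
// combination falls through to false.
function allowProfileMutation(
  context: MutationContextLike,
  userId: string | undefined,
): boolean {
  // No authenticated user: refuse before comparing anything, so an unset
  // profileId can never "match" an unset userId.
  if (!userId) return false;

  // A user may only touch the profile whose ID equals their own user ID.
  if (context.profileId !== userId) return false;

  switch (context.resource) {
    case 'instruction':
      // Instructions are managed from the backend or console only.
      return false;
    case 'context':
      // Users may add context, but not change or remove it.
      return context.type === 'insert';
    case 'profile':
      // Creating one's own profile is allowed; the ID check above covers it.
      return context.type === 'insert';
    default:
      return false;
  }
}

// Inside the decorated Squid method on the page, the body would delegate:
//   return allowProfileMutation(context, this.getUserAuth()?.userId);

// Constructed request table (sample data, not captured from Squid) with the
// decision the policy must return for each row.
const SAMPLE_CASES: Array<{
  why: string;
  ctx: MutationContextLike;
  userId?: string;
  expected: boolean;
}> = [
  { why: 'own profile, insert context',
    ctx: { profileId: 'user-1', resource: 'context', type: 'insert' }, userId: 'user-1', expected: true },
  { why: 'own profile, create profile',
    ctx: { profileId: 'user-1', resource: 'profile', type: 'insert' }, userId: 'user-1', expected: true },
  { why: 'own profile, touch instruction',
    ctx: { profileId: 'user-1', resource: 'instruction', type: 'insert' }, userId: 'user-1', expected: false },
  { why: 'own profile, non-insert context operation (constructed type value)',
    ctx: { profileId: 'user-1', resource: 'context', type: 'update' }, userId: 'user-1', expected: false },
  { why: "someone else's profile",
    ctx: { profileId: 'user-2', resource: 'profile', type: 'insert' }, userId: 'user-1', expected: false },
  { why: 'unauthenticated request with no profileId',
    ctx: { resource: 'profile', type: 'insert' }, userId: undefined, expected: false },
  { why: 'unknown resource name',
    ctx: { profileId: 'user-1', resource: 'something-else', type: 'insert' }, userId: 'user-1', expected: false },
];

// Evaluates every row and returns the descriptions of rows whose decision
// differs from the expected one; an empty array means the policy holds.
function findPolicyMismatches(): string[] {
  return SAMPLE_CASES
    .filter((c) => allowProfileMutation(c.ctx, c.userId) !== c.expected)
    .map((c) => c.why);
}

console.log('policy mismatches:', findPolicyMismatches());
```

Keeping the decision logic out of the decorated method means each rule change can be checked against the table before it is deployed, and the explicit unauthenticated-user check makes the deny decision independent of how an absent profileId and an absent userId happen to compare.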