Privacy contract
This is the non-negotiable part. If it's violated, Sable's whole reason to exist evaporates.
What we do
- Seal prompts on ingress. AES-256-GCM with a master key the moment the request hits the gateway. The plaintext window lives only between the egress shim and the upstream call — never on disk, never in logs.
- Log metadata only. Inference logs hold model id, node id, token counts, latency, and status. Nothing else.
- Hash API keys. Argon2id, with only a 20-char prefix kept in the clear for UI labeling.
- Authenticate dashboard sessions via SIWE. No email + password store to breach.
What we will never do
- Store, log, or echo prompt content.
- Store, log, or echo completion content.
- Inspect in-flight requests for "policy" reasons.
- Sell or share usage metadata to anyone, ever.
How to verify
The whole gateway is open source. Audit sable-api/src/routes/chat.rs and
sable-api/src/crypto/mod.rs — the privacy-critical paths are short by
design. Phase 2 layers TEE attestation on top so you can verify the
runtime, not just the source.
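
The "log metadata only" promise can also be checked against the logs themselves. The script below is an added example, not code from the Sable repository: it flags any log record carrying a field outside the five metadata categories, and any allowed field whose value could hold free text. The JSON-lines format, the field names, and the 64-character id bound are assumptions, since the page does not give the log schema.

```python
import json

# Assumed field names and types: the page names the categories (model id, node id,
# token counts, latency, status) but not the actual log schema.
ALLOWED = {
    "model_id": str, "node_id": str, "status": int,
    "prompt_tokens": int, "completion_tokens": int, "latency_ms": (int, float),
}
MAX_ID_LEN = 64  # assumed bound: ids should be short tokens, not free text


def audit_line(line):
    """Return the findings for one JSON log line (empty list means clean)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    if not isinstance(record, dict):
        return ["not a JSON object"]
    findings = []
    for key, value in record.items():
        expected = ALLOWED.get(key)
        if expected is None:
            findings.append(f"unexpected field: {key}")
        elif isinstance(value, bool) or not isinstance(value, expected):
            # A numeric field holding a string is a channel for leaked content.
            findings.append(f"wrong type for {key}")
        elif isinstance(value, str) and (
            len(value) > MAX_ID_LEN or any(c.isspace() for c in value)
        ):
            findings.append(f"free text in {key}")
    return findings


def audit(lines):
    """Map 1-based line number -> findings, for lines that break the contract."""
    results = ((n, audit_line(line)) for n, line in enumerate(lines, start=1))
    return {n: found for n, found in results if found}


# Constructed sample log lines, not real Sable output.
SAMPLE = [
    '{"model_id": "m-1", "node_id": "n-7", "prompt_tokens": 12, "completion_tokens": 40, "latency_ms": 183.5, "status": 200}',
    '{"model_id": "m-1", "node_id": "n-7", "prompt_tokens": 12, "completion_tokens": 40, "latency_ms": 90, "status": 200, "prompt": "hello"}',
    '{"model_id": "summarise this contract for me", "node_id": "n-7", "status": 200}',
    '{"model_id": "m-1", "node_id": "n-7", "status": "upstream said: hello"}',
]

if __name__ == "__main__":
    for number, findings in audit(SAMPLE).items():
        print(number, findings)
```

Checking field names alone is not enough: the third and fourth sample lines use only allowed names and are still flagged, because an id or status field that accepts arbitrary strings can carry prompt text.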