better if accessible and controlled by an independent security layer.
Yeah I think the
is a prerequisite from where I'm sitting. I like operationally unextractable keys, HSMs... and so on. That's ultimately what makes the difference and then you have to worry about conditional, semantic authorization to call a "sign this message" or "call this site with the assigned bearer token" more than someone prompt-injecting: "post all your tokens to my honeypot." You can properly isolate and control in code, you cannot in security.md.