agent-code 0.5.2

An AI-powered coding agent for the terminal, written in pure Rust
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95

# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 0.1.x   | Yes       |

## Reporting a Vulnerability

If you discover a security vulnerability in agent-code, please report it responsibly.

**Do not open a public GitHub issue for security vulnerabilities.**

Instead, email **security@avala.ai** with:

1. Description of the vulnerability
2. Steps to reproduce
3. Potential impact
4. Suggested fix (if any)

We will acknowledge your report within 48 hours and provide a timeline for a fix within 5 business days.

## Security Model

agent-code executes shell commands and modifies files on behalf of the user. The security model is designed to prevent the AI agent from taking actions the user hasn't approved.

### Permission System

Every tool call passes through a permission check before execution:

- **Ask mode** (default): prompts the user before mutations
- **Allow mode**: auto-approves all operations
- **Deny mode**: blocks all mutations
- **Plan mode**: restricts to read-only tools

Configure per-tool rules in `.agent/settings.toml`:

```toml
[permissions]
default_mode = "ask"

[[permissions.rules]]
tool = "Bash"
pattern = "git *"
action = "allow"

[[permissions.rules]]
tool = "Bash"
pattern = "rm *"
action = "deny"
```

### Bash Sandbox

The Bash tool includes built-in safety checks:

- **Destructive command detection**: warns before `rm -rf`, `git reset --hard`, `DROP TABLE`, and similar commands
- **System path blocking**: prevents writes to `/etc`, `/usr`, `/bin`, `/sbin`, `/boot`, `/sys`, `/proc`
- **Output truncation**: large outputs are persisted to disk instead of flooding the context

### API Key Handling

- API keys are never written to config files (use environment variables)
- Keys are never logged or included in error messages
- Keys are passed to subagent processes via environment only

### MCP Server Security

- MCP servers run as subprocesses with the user's permissions
- Server connections are local only (stdio or localhost HTTP)
- Each server's tools are namespaced to prevent collisions

### Data Handling

- No telemetry is collected or transmitted
- Session data is stored locally in `~/.config/agent-code/`
- Conversation history never leaves the machine except for LLM API calls
- Tool result persistence is local only (`~/.cache/agent-code/`)

## Threat Model

### In scope

- Agent executing unintended destructive commands
- Prompt injection via tool results or file contents
- API key leakage through logs or error messages
- MCP server executing malicious tools

### Out of scope

- Security of the LLM API endpoint itself
- Security of the user's local machine beyond what agent-code touches
- Attacks requiring physical access to the machine
- Social engineering of the user