Battle-tested by 1500+ hackers: 0 secrets leaked, 0 downtime.
Defense in depth: multiple independent layers of protection. If one fails, the others still hold.
Security architecture:

- Layer 1: ACCESS CONTROL
  - DM policy (admin/allowlist/pairing/public)
  - User authentication
  - Rate limiting
- Layer 2: INPUT VALIDATION
  - 247 blocked command patterns
  - 19 prompt injection patterns
  - Request sanitization
- Layer 3: SANDBOX ISOLATION
  - Docker container per user
  - Resource limits (512MB, 50% CPU, 100 PIDs)
  - Network isolation
- Layer 4: SECRETS PROTECTION
  - Proxy architecture (agent has 0 secrets)
  - Docker secrets (not env vars)
  - No secrets in filesystem
- Layer 5: OUTPUT SANITIZATION
  - Secret pattern detection
  - Base64/hex encoding detection
  - Automatic redaction
Request flow: a message first passes ACCESS CONTROL (admin / allowlist / pairing), then INPUT VALIDATION (19 injection patterns, 247 blocked commands). The AGENT (ReAct loop + tool executor) holds 0 secrets: API calls go through the SECRETS proxy, tool commands run in the per-user SANDBOX (512MB, 50% CPU), and every response passes through the OUTPUT FILTER and is returned sanitized.
| Mode | Description | Use Case |
|---|---|---|
| admin | Only admin can use | Development, testing |
| allowlist | Admin + specific users | Private team |
| pairing | Users request access with code | Controlled growth |
| public | Anyone can use | Public service ( |
```
ACCESS_MODE=admin            # admin, allowlist, public, pairing
ADMIN_USER_ID=809532582      # Your Telegram user ID
ALLOWED_USERS=123,456,789    # Comma-separated user IDs (for allowlist mode)
```

Access control commands:

```
/access                  # Show current access status
/access_mode admin       # Change mode
/approve ABC123          # Approve pairing code
/revoke 123456789        # Revoke user access
/allow 123456789         # Add to allowlist
```

Commands are blocked before execution:
| Category | Count | Examples |
|---|---|---|
| env_leak | 15 | env, printenv, /proc/self/environ |
| docker_secrets | 2 | /run/secrets/* |
| exfiltration | 25 | curl -d, base64, xxd, nc |
| sensitive_files | 12 | .env, .ssh/, id_rsa |
| dos | 30 | fork bombs, yes, huge allocations |
| reverse_shell | 15 | bash -i, nc -e, /dev/tcp |
| code_execution | 20 | eval, exec(), LD_PRELOAD |
| filter_bypass | 15 | $IFS, hex encoding, backticks |
| escape | 20 | symlinks, /proc/*/fd, nsenter |
| privilege | 5 | sudo, apt-get, setcap |
| crypto_mining | 5 | xmrig, stratum+tcp:// |
| cross_user | 8 | ls /workspace, cd .. |
| Other | 75 | Various attack patterns |
To add a pattern, edit core/src/approvals/blocked-patterns.json:

```json
{
  "id": "new-attack-1",
  "category": "exfiltration",
  "pattern": "new_attack_regex",
  "flags": "i",
  "reason": "BLOCKED: Description of why"
}
```

| Pattern Type | Examples |
|---|---|
| Instruction Override | "forget all instructions", "ignore previous" |
| Fake System Messages | [system], [admin], [developer] |
| Mode Switching | "DAN mode", "developer mode", "jailbreak" |
| Role Confusion | "pretend you are", "act as if" |
| Prompt Extraction | "reveal your prompt", "show instructions" |
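As an added example (not the project's own code), this is how a pre-execution command check can consume entries in the blocked-patterns.json format shown above: each entry's `pattern` and `flags` are compiled once at load time and the first match returns the entry's `reason`. The sample entries, their ids and regexes are constructed for illustration, and the `load_patterns` / `check_command` names are assumptions.

```python
import json
import re
from typing import Optional

# Constructed sample entries in the blocked-patterns.json format (not the real list);
# they cover only a few of the env_leak / docker_secrets cases named in the table above.
SAMPLE_PATTERNS_JSON = r"""
[
  {"id": "env-leak-1", "category": "env_leak",
   "pattern": "(^|[;&|\\s])(env|printenv)([;&|\\s]|$)", "flags": "i",
   "reason": "BLOCKED: dumps the container environment"},
  {"id": "env-leak-2", "category": "env_leak",
   "pattern": "/proc/self/environ", "flags": "",
   "reason": "BLOCKED: reads the process environment"},
  {"id": "docker-secrets-1", "category": "docker_secrets",
   "pattern": "/run/secrets", "flags": "i",
   "reason": "BLOCKED: access to Docker secrets"}
]
"""

# "flags" letters map to Python re flags; an unknown letter raises at load time, not silently
FLAG_MAP = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}


def load_patterns(raw_json: str) -> list[dict]:
    """Parse entries and precompile each regex so a malformed pattern is caught at startup."""
    compiled = []
    for entry in json.loads(raw_json):
        flags = 0
        for letter in entry.get("flags", ""):
            flags |= FLAG_MAP[letter]
        compiled.append({**entry, "regex": re.compile(entry["pattern"], flags)})
    return compiled


def check_command(cmd: str, patterns: list[dict]) -> Optional[dict]:
    """Return the first matching entry (id, category, reason), or None if the command may run.
    This runs before execution, so a blocked command never reaches the sandbox."""
    for p in patterns:
        if p["regex"].search(cmd):
            return {"id": p["id"], "category": p["category"], "reason": p["reason"]}
    return None


if __name__ == "__main__":
    patterns = load_patterns(SAMPLE_PATTERNS_JSON)
    for cmd in ["ls -la ./notes", "cat /proc/self/environ", "PRINTENV | head"]:
        print(cmd, "->", check_command(cmd, patterns) or "allowed")
```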
Each user gets an isolated Docker container:

```yaml
# Per-user sandbox limits
mem_limit: 512m
cpu_quota: 50%                      # 50% of one core
pids_limit: 100
network: agent-net (internal only)
security_opt: no-new-privileges

# Workspace isolation
volumes:
  - /workspace/{user_id}:/workspace/{user_id}:rw
# NO access to other users' workspaces
# NO access to /run/secrets
# NO access to host filesystem
```

| Session Type | Allowed Tools | Denied Tools |
|---|---|---|
| Main (DM) | All 17 tools | - |
| Group | 13 shared tools | send_dm, manage_message |
| Sandbox | bash, files, memory | browser, cron, gateway |
Secrets flow:

- secrets/telegram_token.txt, secrets/api_key.txt and secrets/zai_api_key.txt are read by the proxy at startup.
- The Gateway (0 secrets) talks to the Proxy over HTTP; the Proxy (all keys) calls External APIs over HTTPS.
- NO secrets in: environment variables, container filesystem, agent context, tool outputs.
- Agent has zero secrets: all API calls go through the proxy
- Docker secrets, not environment variables
- File permissions: 600 on secret files
- No hardcoded secrets: everything is read from files
```python
SECRET_PATTERNS = [
    r"sk-[A-Za-z0-9]{20,}",            # OpenAI keys
    r"tvly-[A-Za-z0-9-]{20,}",         # Tavily keys
    r"ghp_[A-Za-z0-9]{36,}",           # GitHub tokens
    r"\d{8,12}:[A-Za-z0-9_-]{35}",     # Telegram bot tokens
    r"Bearer\s+[A-Za-z0-9._-]{20,}",   # Bearer tokens
    r"[A-Z_]*API[_-]?KEY[A-Z_]*=",     # Generic API keys
]
```

Outputs are scanned for:

- Base64-encoded secrets
- Hex-encoded data
- JSON env dumps
- Suspicious patterns
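An added example (not the project's own filter) of the output sanitization step: plain-text matches of a subset of the SECRET_PATTERNS above are redacted first, then every hex and base64 run long enough to hold a key is decoded and re-scanned, so an encoded copy of a key is redacted too. The run-length thresholds, the `[REDACTED-...]` markers and the `sanitize_output` name are assumptions.

```python
import base64
import re
from typing import Callable

# Subset of the page's SECRET_PATTERNS list
SECRET_PATTERNS = [
    re.compile(r"sk-[A-Za-z0-9]{20,}"),           # OpenAI keys
    re.compile(r"ghp_[A-Za-z0-9]{36,}"),          # GitHub tokens
    re.compile(r"\d{8,12}:[A-Za-z0-9_-]{35}"),    # Telegram bot tokens
    re.compile(r"Bearer\s+[A-Za-z0-9._-]{20,}"),  # Bearer tokens
]
# Encoded runs long enough to carry a key; the minimum lengths are assumptions for this example
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def contains_secret(text: str) -> bool:
    return any(p.search(text) for p in SECRET_PATTERNS)


def _decode_hex(s: str) -> str:
    return bytes.fromhex(s).decode("utf-8", "replace")


def _decode_b64(s: str) -> str:
    return base64.b64decode(s, validate=True).decode("utf-8", "replace")


def sanitize_output(text: str) -> tuple[str, list[str]]:
    """Redact secrets in tool output. Returns (clean_text, findings), where findings
    records how each redacted secret appeared: 'plain', 'hex' or 'base64'."""
    findings: list[str] = []

    def plain(m: re.Match) -> str:
        findings.append("plain")
        return "[REDACTED]"

    def encoded(label: str, decode: Callable[[str], str]) -> Callable[[re.Match], str]:
        def repl(m: re.Match) -> str:
            try:
                decoded = decode(m.group(0))
            except ValueError:              # not valid hex / base64: leave the run untouched
                return m.group(0)
            if contains_secret(decoded):    # the encoded run hides a real key: redact it
                findings.append(label)
                return f"[REDACTED-{label.upper()}]"
            return m.group(0)
        return repl

    out = text
    for p in SECRET_PATTERNS:               # plain-text secrets first
        out = p.sub(plain, out)
    out = HEX_RUN.sub(encoded("hex", _decode_hex), out)
    out = B64_RUN.sub(encoded("base64", _decode_b64), out)
    return out, findings
```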
```yaml
networks:
  agent-net:
    driver: bridge
    internal: false   # Allows outbound for web search

# Service exposure
proxy: internal only (no ports exposed)
core: internal only (no ports exposed)
bot: internal only (no ports exposed)
admin: localhost:3000 only
```

Commands attempting to access internal services are blocked:

```
curl http://proxy:3200/
wget http://core:4000/
nc gateway 4000
```
```bash
# Run security doctor
python scripts/doctor.py

# Output as JSON
python scripts/doctor.py --json
```

The doctor checks:

- Secrets configuration
- Docker compose security
- Blocked patterns count
- Injection patterns count
- Network exposure
- File permissions
- Access mode
- Resource limits
If a secret leaks:

- Immediately rotate the leaked credential
- Check logs for the exfiltration method
- Add a blocking pattern if it is a new vector
- Redeploy with new secrets

If a user is exhausting resources:

- Check `docker stats` for resource usage
- Identify the attacking user from logs
- Add to blocklist or rate limit
- Restart affected containers

If a prompt injection got through:

- Review the conversation in `CHAT_HISTORY.md`
- Identify the bypass technique
- Add pattern to `prompt-injection-patterns.json`
- Consider a model upgrade
Run before production:

- `ACCESS_MODE` is NOT `public` (or has rate limiting)
- `ADMIN_USER_ID` is set correctly
- Allowlist contains only trusted users
- Admin panel bound to `127.0.0.1` only
- No services exposed to `0.0.0.0`
- Firewall blocks external access to ports 3200, 4000, 4001
- All secrets in `secrets/` directory
- File permissions are `600`
- No secrets in environment variables
- No secrets in docker-compose.yml
- `no-new-privileges` enabled
- Resource limits set
- Docker socket access minimized
- Logs are being collected
- `[SECURITY]` and `[BLOCKED]` alerts monitored
- Rate limiting active
If you find a security vulnerability:
- Do NOT create a public issue
- Contact admin directly via Telegram
- Include reproduction steps
- Wait for patch before disclosure