
Security

Defense-in-depth security model — multiple overlapping layers of protection from authentication to audit logging.

Security Overview


Authentication

Wallet-based identity via Algorand (Ed25519 signatures), plus API key authentication that checks keys with a timing-safe (constant-time) comparison. Admin bootstrap auto-generates strong random keys. After a key rotation the previous key stays valid for a 24-hour grace period, so clients that have not yet picked up the new key are not locked out.
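The API key half of this, as an added example that is not the project's own code: keys are stored as SHA-256 digests, compared with `timingSafeEqual` after hashing (so both sides are always 32 bytes and the comparison cannot throw on a length mismatch), and a rotation keeps the retired digest alive for the 24-hour grace window. The record shape and function names are assumptions.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical key record (assumption). Only digests are stored, so a leaked
// config file does not leak a usable key.
interface KeyRecord {
  current: string;    // hex SHA-256 of the live key
  previous?: string;  // hex SHA-256 of the key retired by the last rotation
  rotatedAt?: number; // ms epoch of the last rotation
}

const GRACE_MS = 24 * 60 * 60 * 1000; // the page's 24-hour rotation grace period

// Admin bootstrap: 256 bits from the CSPRNG, base64url so it is header-safe.
function generateApiKey(): string {
  return randomBytes(32).toString("base64url");
}

// A plain hash is fine for a 256-bit random key; a slow KDF is only needed
// for low-entropy, human-chosen secrets.
function hashKey(key: string): string {
  return createHash("sha256").update(key, "utf8").digest("hex");
}

// Hash-then-compare: both sides become a fixed 32 bytes, so timingSafeEqual
// never throws, and the time taken no longer depends on where the first
// differing byte sits (the leak a naive === comparison has).
function keysMatch(presented: string, storedHexDigest: string): boolean {
  const a = Buffer.from(hashKey(presented), "hex");
  const b = Buffer.from(storedHexDigest, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Rotation keeps the old digest as `previous` so in-flight clients keep working.
function rotateKey(rec: KeyRecord, now: number = Date.now()): { record: KeyRecord; newKey: string } {
  const newKey = generateApiKey();
  return {
    record: { current: hashKey(newKey), previous: rec.current, rotatedAt: now },
    newKey,
  };
}

// Accept the live key, or the retired key while the grace window is still open.
function authenticate(rec: KeyRecord, presented: string, now: number = Date.now()): "current" | "grace" | "rejected" {
  if (keysMatch(presented, rec.current)) return "current";
  if (
    rec.previous !== undefined &&
    rec.rotatedAt !== undefined &&
    now - rec.rotatedAt < GRACE_MS &&
    keysMatch(presented, rec.previous)
  ) {
    return "grace";
  }
  return "rejected";
}
```

Note that `authenticate` reports which key matched; logging the `grace` outcome gives operators a list of clients that still need to be updated before the window closes.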


Rate Limiting

Sliding-window rate limiter keyed per IP address and per wallet address. Limits are endpoint-specific: tighter on mutations and authentication endpoints, relaxed on reads. Rejected requests receive an HTTP 429 response with a Retry-After header.


Input Validation

Zod schemas validate every API input. SQL is issued only through parameterized queries, never string interpolation. Path traversal prevention normalizes the target path and resolves symlinks before the path is checked. A six-category prompt injection scanner runs on every external message.


Audit Logging

Immutable, append-only audit log with trace IDs. Every agent action, tool call, and spending event is recorded. Full forensic trail for compliance and incident response.

Security Test Coverage

bun test
$ bun test server/security/

security-audit.test.ts
   104 tests passed  # Auth, CORS, CSP, content guards

jailbreak-prevention.test.ts
    81 tests passed  # Prompt injection, role override, encoding evasion

rate-limit-bypass.test.ts
    47 tests passed  # Sliding window, IP spoofing, endpoint limits

───────────────────────────────────────
Total: 232 security tests — all passing

Threat Model

External Attackers

Prompt injections via AlgoChat, Telegram, Discord, or GitHub comments, aiming to trick agents into running unauthorized commands, leaking secrets, or modifying protected files. Mitigated by the injection scanner, owner address allowlists, and protected file enforcement.

Compromised Agents

Jailbroken sessions attempting privilege escalation, secret exfiltration, or bypass of spending controls. Mitigated by protected file lists (matched by basename, by full path, and after symlink resolution), bash command scanning, and a credit system whose balance mutations are atomic, so there is no check-then-act window for a TOCTOU race.
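What "TOCTOU-safe atomic mutations" buys, as an added example rather than the project's code: a read-check-write spend with an await between the check and the write lets two concurrent spends both succeed, while a single conditional mutation (the shape of the SQL in the comment) cannot. The same conditional step also enforces the daily cap mentioned under Wallet Security. The in-memory `Ledger`, the 10 ALGO cap and all names are assumptions.

```typescript
// Constructed stand-in for the credits table (assumption).
class Ledger {
  balance: number;
  day: string;
  spentToday: number;
  constructor(balance: number, day: string) {
    this.balance = balance;
    this.day = day;
    this.spentToday = 0;
  }
  async read(): Promise<number> { return this.balance; }
  async write(balance: number): Promise<void> { this.balance = balance; }
}

const DAILY_CAP = 10; // assumed daily ALGO cap

// Vulnerable: check-then-act with an await in between. Two concurrent spends both
// read the same balance, both pass the check, and both write; the second write
// overwrites the first and the agent spends more than it had.
async function spendUnsafe(ledger: Ledger, amount: number): Promise<boolean> {
  const balance = await ledger.read();
  if (balance < amount) return false;
  await new Promise<void>((resolve) => setTimeout(resolve, 0)); // DB round-trip latency
  await ledger.write(balance - amount);
  return true;
}

// Fixed: the check and the decrement are one atomic step. In SQL this is
//   UPDATE credits SET balance = balance - $amt, spent_today = spent_today + $amt
//   WHERE tenant_id = $t AND balance >= $amt AND spent_today + $amt <= $cap
// and the caller decides from the affected-row count, never from a prior SELECT.
// Here the step is synchronous, which in single-threaded JS gives the same guarantee.
function spendAtomic(ledger: Ledger, amount: number, today: string): boolean {
  if (ledger.day !== today) { ledger.day = today; ledger.spentToday = 0; } // daily cap rollover
  if (!(amount > 0) || ledger.balance < amount || ledger.spentToday + amount > DAILY_CAP) return false;
  ledger.balance -= amount;
  ledger.spentToday += amount;
  return true;
}

// Two concurrent 4 ALGO spends against a 5 ALGO balance, both ways.
async function demoRace(): Promise<{ unsafeOk: number; unsafeBalance: number; atomicOk: number; atomicBalance: number }> {
  const unsafe = new Ledger(5, "2024-01-01");
  const unsafeResults = await Promise.all([spendUnsafe(unsafe, 4), spendUnsafe(unsafe, 4)]);
  const atomic = new Ledger(5, "2024-01-01");
  const atomicResults = [spendAtomic(atomic, 4, "2024-01-01"), spendAtomic(atomic, 4, "2024-01-01")];
  return {
    unsafeOk: unsafeResults.filter(Boolean).length,  // 2: double spend
    unsafeBalance: unsafe.balance,                    // 1, although 8 were spent
    atomicOk: atomicResults.filter(Boolean).length,   // 1
    atomicBalance: atomic.balance,                    // 1
  };
}
```

In a real deployment the atomicity comes from the database's conditional `UPDATE` (or a transaction with row locking), not from JavaScript's single thread; the point is that the balance check and the debit must be evaluated by the same statement.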

Supply Chain

Compromised npm dependencies injecting malicious code at runtime. Mitigated by lockfile pinning (bun.lock), dependency review on updates, and diff-level security scanning that blocks new external domain calls in work task PRs.

Insider / Rogue Tenants

In multi-tenant mode, a tenant attempting cross-boundary access. Mitigated by tenant-scoped database queries via db-filter, role guards (dashboard, admin, tenant), and per-tenant API key isolation.

Attack Surface Protection

CORS & CSP

Configurable ALLOWED_ORIGINS for CORS enforcement. Content Security Policy headers restrict script sources, frame ancestors, and form targets.

Content Guards

Content-length limits on all request bodies. Timing-safe comparison of API keys prevents timing side-channel attacks on key validation. Request body parsing rejects malformed payloads.

SSRF Prevention

Agents cannot add outbound HTTP calls to new external domains. Diff-level validation in work tasks blocks fetch() to unapproved URLs. Allowed domains are explicitly configured.

Tenant Isolation

All database queries scoped by tenant ID via db-filter. Sessions, agents, credits, and configuration are fully isolated between tenants.

Protected Files

Critical files (spending.ts, schema.ts, .env, sdk-process.ts) are blocked from agent modification. Enforced via basename matching, path matching, and symlink resolution.
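The three-way match (basename, full path, symlink target) together with the path traversal check from Input Validation, as an added example that is not the project's implementation. The workspace root, the full-path list and the function names are assumptions; the basenames are the ones the page lists. The resolver is injectable so the check can be exercised without touching a filesystem; production code would pass the `realpathSync`-based resolver.

```typescript
import * as nodePath from "node:path";
import { realpathSync } from "node:fs";

const path = nodePath.posix; // fixed separators so the check behaves the same everywhere
const WORKSPACE = "/srv/app"; // assumed agent workspace root
const PROTECTED_BASENAMES = new Set(["spending.ts", "schema.ts", ".env", "sdk-process.ts"]);
const PROTECTED_PATHS = new Set([ // assumed locations
  "/srv/app/server/spending.ts",
  "/srv/app/server/db/schema.ts",
  "/srv/app/.env",
  "/srv/app/server/sdk-process.ts",
]);

type Resolver = (absolutePath: string) => string;

// Real resolver: follow symlinks in every component. For a file that does not
// exist yet, resolve its parent so a symlinked directory is still followed.
const fsResolver: Resolver = (p) => {
  try { return realpathSync(p); } catch {
    try { return path.join(realpathSync(path.dirname(p)), path.basename(p)); } catch { return p; }
  }
};

interface Verdict { allowed: boolean; resolved: string; reason?: string }

function insideWorkspace(p: string): boolean {
  const rel = path.relative(WORKSPACE, p);
  // "..config" is a legal file name, so test for a leading ".." segment, not a prefix.
  return rel !== ".." && !rel.startsWith("../") && !path.isAbsolute(rel);
}

function checkAgentWrite(target: string, resolve: Resolver = fsResolver): Verdict {
  // 1. Lexical normalization: make absolute and collapse "." and ".." segments.
  const absolute = path.resolve(WORKSPACE, target);
  // 2. Follow symlinks, so a link called notes.md that points at .env is judged as .env.
  const resolved = resolve(absolute);
  for (const candidate of [absolute, resolved]) {
    // 3. Both the lexical and the real path must stay under the workspace root.
    if (!insideWorkspace(candidate)) {
      return { allowed: false, resolved, reason: `escapes workspace: ${candidate}` };
    }
    // 4. Basename match catches copies such as lib/.env; path match catches the originals.
    const base = path.basename(candidate);
    if (PROTECTED_BASENAMES.has(base)) return { allowed: false, resolved, reason: `protected basename: ${base}` };
    if (PROTECTED_PATHS.has(candidate)) return { allowed: false, resolved, reason: `protected path: ${candidate}` };
  }
  return { allowed: true, resolved };
}
```

Resolve immediately before the write, not earlier in the request: a symlink swapped in between a check and a delayed write is the classic filesystem TOCTOU, and the check above only covers the path it was given at that moment.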

Wallet Security

Private keys encrypted at rest with AES-256-GCM. Mnemonics never logged or exposed via API. Daily ALGO spending caps with atomic credit mutations.
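Encryption at rest of a mnemonic with AES-256-GCM, as an added example rather than the project's wallet code. The key is derived with scrypt from an operator passphrase; that KDF, the record layout, the context string used as AAD and the function names are all assumptions. The point the page makes is that the authenticated mode refuses to decrypt a wrong passphrase, a tampered blob, or a blob moved into the wrong context, and that the mnemonic never reaches a log.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "node:crypto";

interface EncryptedBlob {
  v: 1;         // format version
  salt: string; // base64, 16 bytes, per-record scrypt salt
  iv: string;   // base64, 12 bytes, fresh for every encryption (never reuse under one key)
  tag: string;  // base64, 16-byte GCM authentication tag
  ct: string;   // base64 ciphertext
}

function deriveKey(passphrase: string, salt: Buffer): Buffer {
  // N=2^14 stays under Node's default scrypt maxmem (32 MiB).
  return scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}

// The AAD binds the ciphertext to a context string: a blob copied into a
// different record type (different context) fails authentication.
function encryptMnemonic(mnemonic: string, passphrase: string, context = "wallet-mnemonic-v1"): EncryptedBlob {
  const salt = randomBytes(16);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(context, "utf8"));
  const ct = Buffer.concat([cipher.update(mnemonic, "utf8"), cipher.final()]);
  return {
    v: 1,
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ct: ct.toString("base64"),
  };
}

// Throws on a wrong passphrase, a modified ciphertext or a mismatched context:
// final() fails the tag check, so the caller never receives unverified plaintext.
function decryptMnemonic(blob: EncryptedBlob, passphrase: string, context = "wallet-mnemonic-v1"): string {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, "base64"));
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAAD(Buffer.from(context, "utf8"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  return Buffer.concat([decipher.update(Buffer.from(blob.ct, "base64")), decipher.final()]).toString("utf8");
}

// "Mnemonics never logged": route wallet records through a redactor before they
// reach a logger or an API serializer.
function redactForLog(record: { address: string; mnemonic?: string; blob?: EncryptedBlob }): Record<string, unknown> {
  return {
    address: record.address,
    mnemonic: record.mnemonic === undefined ? undefined : "[REDACTED]",
    encrypted: record.blob !== undefined,
  };
}
```

Keep the passphrase (or, better, a key from a KMS or hardware module) out of the same store as the blobs; encryption at rest only helps if a database dump does not also carry the key.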

Injection Detection

Scanner: 6 pattern categories, executes in under 10 ms per message

1. Role override       # "ignore previous instructions", system prompt leaks
2. Encoding evasion    # Base64 payloads, Unicode homoglyphs, zero-width chars
3. Tool abuse          # Instructions to call specific tools or access files
4. Data exfiltration   # Requests to output env vars, API keys, file contents
5. Social engineering  # Urgency markers, authority claims, impersonation
6. Delimiter injection # Fake XML/JSON boundaries, system message markers

Escalation:
  LOW      # Single weak signal: log only
  MEDIUM   # Multiple signals: log + flag in audit trail
  HIGH     # Strong indicators: block message, notify operator
  CRITICAL # Clear injection: block + kill session + notify
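A scanner built along the six categories and four escalation levels above, as an added example that is not the project's pattern set: each rule carries a weight and a category, every rule is run against the raw text and against de-obfuscated variants (NFKC-folded, zero-width characters stripped, Cyrillic homoglyphs mapped to Latin, base64 runs decoded), and the severity is derived from the total weight and how many categories agree. The rules, weights, thresholds and the action names are constructed for illustration.

```typescript
type Category =
  | "role-override" | "encoding-evasion" | "tool-abuse"
  | "data-exfiltration" | "social-engineering" | "delimiter-injection";
type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";

interface Rule { category: Category; weight: number; re: RegExp }

const ZERO_WIDTH_RE = /[\u200B-\u200D\uFEFF]/g;
const BASE64_RE = /\b[A-Za-z0-9+/]{24,}={0,2}/g;
// Cyrillic letters that look like Latin ones (constructed, not exhaustive).
const HOMOGLYPHS: Record<string, string> = {
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",
};

const RULES: Rule[] = [
  { category: "role-override",       weight: 3, re: /ignore (all )?(previous|prior|above) instructions/i },
  { category: "role-override",       weight: 2, re: /(reveal|print|show|repeat) (your|the) system prompt/i },
  { category: "encoding-evasion",    weight: 2, re: /[\u200B-\u200D\uFEFF]/ },                 // zero-width chars
  { category: "encoding-evasion",    weight: 2, re: /[A-Za-z][\u0400-\u04FF]|[\u0400-\u04FF][A-Za-z]/ }, // mixed script inside a word
  { category: "encoding-evasion",    weight: 1, re: /\b[A-Za-z0-9+/]{24,}={0,2}/ },            // base64-looking blob
  { category: "tool-abuse",          weight: 2, re: /\b(call|run|execute|invoke) (the )?(bash|shell|tool|command)\b/i },
  { category: "tool-abuse",          weight: 2, re: /\b(cat|read|open) \S*\.(env|pem|key)\b/i },
  { category: "data-exfiltration",   weight: 3, re: /\b(print|output|send|post|paste) .*\b(env|api[_ ]?key|secret|mnemonic|private key)\b/i },
  { category: "social-engineering",  weight: 1, re: /\b(urgent|immediately|right now)\b/i },
  { category: "social-engineering",  weight: 2, re: /\bi am (the|your) (admin|owner|developer|operator)\b/i },
  { category: "delimiter-injection", weight: 3, re: /<\/?(system|assistant|user)>|\[(SYSTEM|INST)\]|^#{1,6}\s*system\b/im },
];

// Actions per level, following the escalation table above.
const ACTIONS: Record<Severity, string[]> = {
  LOW: ["log"],
  MEDIUM: ["log", "flag-audit"],
  HIGH: ["block", "notify-operator"],
  CRITICAL: ["block", "kill-session", "notify-operator"],
};

// Base64 runs are decoded and rescanned so an encoded "ignore previous
// instructions" still trips the role-override rule. Only printable decodes count.
function decodeBase64Blobs(message: string): string[] {
  const out: string[] = [];
  for (const blob of message.match(BASE64_RE) ?? []) {
    const decoded = Buffer.from(blob, "base64").toString("utf8");
    if (/^[\x20-\x7E\s]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

function classify(score: number, categories: number): Severity | null {
  if (score <= 0) return null;
  if (score >= 6 && categories >= 2) return "CRITICAL"; // strong and corroborated across categories
  if (score >= 3) return "HIGH";                         // at least one strong indicator
  if (score >= 2) return "MEDIUM";                       // several weak signals
  return "LOW";                                          // a single weak signal
}

interface ScanResult { severity: Severity | null; score: number; categories: Category[]; actions: string[] }

function scanMessage(message: string): ScanResult {
  const variants = [
    message,
    message.normalize("NFKC"),                                           // fold fullwidth/compat forms
    message.replace(ZERO_WIDTH_RE, ""),                                  // remove zero-width splitters
    message.replace(/[\u0400-\u04FF]/g, (c) => HOMOGLYPHS[c] ?? c),      // map look-alike Cyrillic to Latin
    ...decodeBase64Blobs(message),
  ];
  const matched = RULES.filter((rule) => variants.some((text) => rule.re.test(text)));
  const score = matched.reduce((sum, rule) => sum + rule.weight, 0);
  const categories = Array.from(new Set(matched.map((rule) => rule.category)));
  const severity = classify(score, categories.length);
  return { severity, score, categories, actions: severity === null ? [] : ACTIONS[severity] };
}
```

Two caveats a practitioner should keep in mind: the social-engineering and base64 rules are weight 1 precisely because they fire on legitimate traffic, so on their own they never leave the log-only tier; and a regex scanner is a tripwire, not a boundary, which is why the page pairs it with owner allowlists and protected-file enforcement rather than relying on it alone.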

Reporting Vulnerabilities

Do Not Open Public Issues

If you discover a security vulnerability, report it privately via GitHub Security Advisories or email the maintainers directly. Include a description, reproduction steps, and any suggested fix. We acknowledge reports within 48 hours and provide a fix or mitigation plan within 7 days.

Full details in SECURITY.md