#Trust boundaries
#Primary threats and controls
- Command/shell injection: validated executable plus argument arrays; no shell
concatenation; environment allowlists; timeout and output bounds.
- Traversal/symlink/junction escape: real path canonicalization, trusted roots,
nested-registration rejection, safe archive-entry validation.
- Broken authorization/IDOR: server-side typed permissions, project scope,
session versions, lockout invariants, audited denials.
- Terminal abuse: signed short-lived worker claims, Origin validation, worker-only
PTY, read-only-source denial, rate/payload/session limits.
- Git/dependency abuse: credential references, non-interactive Git, no automatic
dirty-tree reset, trusted-project statement, background jobs.
- Plugin abuse: declared capabilities, explicit approval, lifecycle timeout,
disposers, health/failure state; no sandbox claim.
- XSS/CSRF/token theft: CSP/security headers, secure HttpOnly SameSite cookies,
PKCE/state, Origin checks, escaped UI, redaction.
- SSRF/network: project/plugin network capability declarations and hosted worker
network policy; no URL fetch is accepted without schema validation. The runtime gateway requires web authentication and only proxies a port owned by a running runtime execution; dynamic worker ports are not host-published.
- Secret leakage/log injection: file-backed secrets, structured logs, recursive
redaction, safe metadata only, bounded log storage.
- Worker breakout: non-root user, dropped capabilities, no privileged mode, no
Docker socket, read-only root, explicit writable mounts, resource/PID limits.
- Keycloak errors: prebuilt realm, exact origins/redirects, no registration,
service credentials kept server-side, production optimized mode.