#Trust boundaries

#Primary threats and controls

  • Command/shell injection: validated executable plus argument arrays; no shell

concatenation; environment allowlists; timeout and output bounds.

  • Traversal/symlink/junction escape: real path canonicalization, trusted roots,

nested-registration rejection, safe archive-entry validation.

  • Broken authorization/IDOR: server-side typed permissions, project scope,

session versions, lockout invariants, audited denials.

  • Terminal abuse: signed short-lived worker claims, Origin validation, worker-only

PTY, read-only-source denial, rate/payload/session limits.

  • Git/dependency abuse: credential references, non-interactive Git, no automatic

dirty-tree reset, trusted-project statement, background jobs.

  • Plugin abuse: declared capabilities, explicit approval, lifecycle timeout,

disposers, health/failure state; no sandbox claim.

  • XSS/CSRF/token theft: CSP/security headers, secure HttpOnly SameSite cookies,

PKCE/state, Origin checks, escaped UI, redaction.

  • SSRF/network: project/plugin network capability declarations and hosted worker

network policy; no URL fetch is accepted without schema validation. The runtime gateway requires web authentication and only proxies a port owned by a running runtime execution; dynamic worker ports are not host-published.

  • Secret leakage/log injection: file-backed secrets, structured logs, recursive

redaction, safe metadata only, bounded log storage.

  • Worker breakout: non-root user, dropped capabilities, no privileged mode, no

Docker socket, read-only root, explicit writable mounts, resource/PID limits.

  • Keycloak errors: prebuilt realm, exact origins/redirects, no registration,

service credentials kept server-side, production optimized mode.