singularity/singularity-forge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
singularity-forge/docs/SECURITY.md
Mikael Hugo 3960e42b26 docs: align sf purpose doctrine and docs
2026-05-06 00:38:36 +02:00

2.6 KiB
Raw Blame History

Security

Auth Model and Trust Boundaries

SF never manages Anthropic OAuth directly. The safe paths are:

  • API key — user sets ANTHROPIC_API_KEY or configures it in auth.json. SF reads it; never generates or exchanges it.
  • Cloud providers — Bedrock, Vertex, Azure via their own credential chains.
  • Explicit local runtime adapters — only when intentionally configured, SF may delegate to a local provider/runtime adapter. SF does not mint, replay, or reuse subscription credentials.

Prohibited patterns:

  • SF-managed Anthropic OAuth flow for subscription accounts
  • Reusing user Claude subscription credentials inside SF's own API client
  • Making a provider believe requests come from a different first-party client than the one actually making them

Write Gate

src/resources/extensions/sf/bootstrap/write-gate.ts enforces a phase-aware write boundary:

  • During queue mode (pre-dispatch planning): only .sf/ writes and read-only tool calls are permitted. All other file writes are blocked.
  • QUEUE_SAFE_TOOLS allowlist: read, grep, find, ls, ask_user_questions, planning tools, web research tools.
  • BASH_READ_ONLY_RE: regex allowlist of commands safe to run during write-restricted phases (cat, git log, npm run test|lint|typecheck, jq, etc.).
  • Write-gate violations are logged and surfaced to the user; they do not crash the session.

Protected Files

The following files require human review before any automated modification (per docs/SPEC_FIRST_TDD.md):

  • ADR-*.md — architecture decision records
  • SPEC.md, ARCHITECTURE.md, AGENTS.md
  • docs/SECURITY.md, docs/RELIABILITY.md

SF will not autonomously overwrite these. Any proposed change to a protected file is surfaced as a diff for human acceptance.

Secret Scanning

Pre-commit hook via npm run secret-scan:install-hook. Blocks commits containing patterns matching API keys, tokens, and credentials. Install with:

npm run secret-scan:install-hook

Dependency Risk

  • npm audit runs in CI on every push.
  • No --ignore-scripts bypass: postinstall scripts are reviewed before adding new dependencies.
  • Rust N-API bindings (packages/native/) undergo separate native-build review for ABI safety.

Sandbox Model

SF agents execute inside the Pi RPC child process. The write gate and tool allowlist are the primary sandbox. There is no OS-level sandbox (no container or seccomp) in the default local deployment.

Headless unsupervised mode (--no-supervised): SF exits with code 10 (blocked) rather than auto-responding to any interactive tool call. This is the safe default for CI pipelines where no human is available to respond.