Skip to content

Security

Verify, don’t trust.

A coding agent is software that runs model-directed commands on your machine. That sentence should make you ask hard questions — this page and SECURITY.md are the answers, and the source is the proof.

Security model

This app runs LLM-directed shell commands. Here is what stands in the way.

  1. 01

    Exec approvals

    Four levels per binary — Deny (default), Ask, Allowlist, Allow — with Strict, Balanced, and Permissive presets.

  2. 02

    The Conscience gate

    A deterministic, fail-closed check before any mutating tool. It refuses destructive shell patterns, pushes to protected branches, and writes to secret paths.

  3. 03

    Protected writes

    Changes to SOUL.md, MIND.md, or skills require explicit approval — even in normal runs. The agent cannot rewrite its own identity quietly.

  4. 04

    The daemon is off by default

    When you opt in, it works one goal at a time on a scratch branch, behind the same gates, and never pushes.

  5. 05

    The MCP host refuses run_command

    Port 18790 exposes G-Rump's tools to other clients — but never your shell.

  6. 06

    Keychain-only keys

    API keys live in the macOS Keychain and requests go straight to your provider. No accounts, no telemetry middleman, no backend.

The full model, including what’s in scope for reports, lives in the security docs.

No sandbox, stated plainly

The app disables the macOS sandbox by design — shell execution, LSP, and file tools require it. That trade-off is why the approval gates above exist, and why they are deterministic code rather than model judgment. Read the full model in the security docs and privacy docs.

Reporting a vulnerability

In scope: anything that bypasses exec approvals or the Conscience gate, prompt-injection paths to command execution, Keychain handling flaws, MCP host escapes, and daemon branch escapes. Report privately via GitHub security advisories.