# Security

## Security model

Galyarder Agent is secured by layered controls:

- identity gates (`allowFrom`)
- tool boundaries (`restrictToWorkspace`, policy presets)
- approval flow for risky actions
- profile separation (`G_AGENT_DATA_DIR`) for personal vs guest assistants
## Minimum hardening baseline

- Use strict channel allowlists
- Keep workspace restriction enabled
- Separate guest profile from personal profile
- Scope API/OAuth permissions to least privilege
- Monitor runtime logs and rotate secrets on suspicion
- Set `channels.whatsapp.bridgeToken` when running WhatsApp bridge in production
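A pre-deployment check for the baseline above, written as an added example rather than code from the Galyarder Agent project. It assumes the runtime config is loaded as a nested dict with the documented key names (`allowFrom` under each entry of `channels`, `restrictToWorkspace` at the top level, `bridgeToken` under `channels.whatsapp`) and that each profile's `G_AGENT_DATA_DIR` is read from that profile's environment; the exact config layout and the sample values are assumptions.

```python
import os
from typing import Any


def check_baseline(cfg: dict[str, Any],
                   profile_envs: dict[str, dict[str, str]],
                   whatsapp_in_production: bool = False) -> list[str]:
    """Return baseline findings; an empty list means the config passes."""
    findings: list[str] = []

    # Identity gates: every channel needs an explicit, non-wildcard allowlist.
    channels: dict[str, Any] = cfg.get("channels", {})
    for name, ch in channels.items():
        allow = ch.get("allowFrom") or []
        if not allow:
            findings.append(f"channels.{name}.allowFrom is empty: any sender is accepted")
        elif "*" in allow:
            findings.append(f"channels.{name}.allowFrom contains '*': allowlist is void")

    # Tool boundary: workspace restriction must be explicitly true.
    if cfg.get("restrictToWorkspace") is not True:
        findings.append("restrictToWorkspace is not true: tools can reach outside the workspace")

    # WhatsApp bridge in production must carry a bridge token.
    if whatsapp_in_production and not channels.get("whatsapp", {}).get("bridgeToken"):
        findings.append("channels.whatsapp.bridgeToken is unset for a production bridge")

    # Profile separation: personal and guest must not share a data directory.
    seen: dict[str, str] = {}
    for profile, env in profile_envs.items():
        data_dir = env.get("G_AGENT_DATA_DIR")
        if not data_dir:
            findings.append(f"profile '{profile}': G_AGENT_DATA_DIR is not set")
            continue
        norm = os.path.normpath(data_dir)  # "/x/" and "/x" are the same directory
        if norm in seen:
            findings.append(f"profiles '{seen[norm]}' and '{profile}' share G_AGENT_DATA_DIR {norm}")
        seen[norm] = profile
    return findings


# Constructed sample inputs (not real deployments). "chat" is a made-up channel name;
# the hardened bridge token is a placeholder to be replaced by a real secret.
WEAK_CONFIG = {"channels": {"chat": {"allowFrom": []}, "whatsapp": {"allowFrom": ["*"]}},
               "restrictToWorkspace": False}
WEAK_PROFILES = {"personal": {"G_AGENT_DATA_DIR": "/srv/agent/data"},
                 "guest": {"G_AGENT_DATA_DIR": "/srv/agent/data/"}}
HARDENED_CONFIG = {"channels": {"chat": {"allowFrom": ["owner-id"]},
                                "whatsapp": {"allowFrom": ["+15550000001"],
                                             "bridgeToken": "REPLACE_WITH_SECRET"}},
                   "restrictToWorkspace": True}
HARDENED_PROFILES = {"personal": {"G_AGENT_DATA_DIR": "/srv/agent/personal"},
                     "guest": {"G_AGENT_DATA_DIR": "/srv/agent/guest"}}
```

Running `check_baseline(WEAK_CONFIG, WEAK_PROFILES, whatsapp_in_production=True)` reports five findings, one per violated baseline item; the hardened pair reports none.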
## Vulnerability reporting

Use private GitHub advisories:

- https://github.com/galyarderlabs/galyarder-agent/security/advisories

Also review:

- Root policy: `SECURITY.md`
- Runtime details: `backend/agent/SECURITY.md`