Skip to content

Security: phoenixvc/agentkit-forge

Security

Report a vulnerability

SECURITY.md

Security Policy — agentkit-forge

Security policies, vulnerability reporting, and hardening guidelines for this repository and its AI agent workflows.

Table of Contents

  1. Reporting Vulnerabilities
  2. Security Conventions
  3. AI Agent Security
  4. Permission Model
  5. Secret Management

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

  1. Do not open a public issue
  2. Email the maintainers or use the repository's private vulnerability reporting
  3. Include steps to reproduce, impact assessment, and suggested fix if possible
  4. Allow reasonable time for a fix before public disclosure

Security Conventions

These conventions are enforced by the security rule domain (see .agentkit/spec/rules.yaml):

  • No hardcoded secrets — API keys, tokens, passwords must never appear in source
  • Least privilege — request minimum necessary permissions
  • Deny by default — explicitly allow actions rather than deny
  • Input validation — validate all external input at system boundaries
  • Dependency audit — regularly scan dependencies for known vulnerabilities
  • Encryption — use TLS for transit, encrypt sensitive data at rest

AI Agent Security

Hook-based Protection

AgentKit Forge installs hook scripts that guard against common risks:

Hook Trigger Protection
protect-sensitive.sh Write/Edit operations Blocks writes to .env, credentials, CI secrets
guard-destructive-commands.sh Bash execution Blocks rm -rf /, git push --force, etc.
warn-uncommitted.sh Write/Edit operations Warns when uncommitted changes accumulate

Deny-wins Permission Model

When base and overlay permissions conflict, deny always wins:

# Base allows git push
permissions:
  allow: ["git push"]

# Overlay denies force push — this wins
permissions:
  deny: ["git push --force"]

Template Sanitization

The sync engine sanitizes all template variable values, stripping shell metacharacters (` $ \ ; | & < > ! { } ( )) to prevent injection through overlay values.

Permission Model

Allowed Operations

See .claude/settings.json for the full list. Permissions are sourced from:

  1. .agentkit/spec/settings.yaml — base permissions
  2. .agentkit/overlays/<repo>/settings.yaml — repo-specific additions

Denied Operations

Explicitly denied operations (these override any allow entries):

  • rm -rf / and rm -rf ~* — catastrophic deletion
  • git push --force and git push -f — history rewriting
  • git reset --hard — working tree destruction
  • terraform destroy — infrastructure destruction
  • az group delete — Azure resource group deletion
  • gh repo delete — repository deletion

Secret Management

Detection

The validate command scans for common secret patterns:

  • AWS access keys (AKIA...)
  • GitHub tokens (ghp_...)
  • API keys (sk-...)
  • Generic patterns (password=, secret=, token= in non-template files)

Prevention

  1. Use .gitignore to exclude sensitive files (.env, *.pem, credentials.*)
  2. Use environment variables or secret managers for runtime secrets
  3. The protect-sensitive.sh hook blocks AI agents from writing to sensitive paths

This policy is maintained by AgentKit Forge. Run pnpm -C .agentkit agentkit:sync to regenerate.

There aren’t any published security advisories