This tool grants full shell access to the host machine. The auth token is equivalent to an SSH key.
- 256-bit cryptographically random token generated on first run, persisted in
serverSecretsDir()(an OS user-level directory outside any project root, defaulting to<AppData|Library/Application Support|~/.local/state>/bobbit/secrets/<hash>/token) with mode0600. Override withBOBBIT_SECRETS_DIR. Stored outside the Headquarters project directory to prevent same-root normal-project agents from reading the gateway admin token. See headquarters.md — Live secrets exception. - All API routes and WebSocket connections require the token
- Constant-time token comparison prevents timing attacks
- IP-based rate limiting on failed auth attempts (automatic lockout)
- 5-second auth timeout on WebSocket connections
- Static file serving has directory traversal prevention (resolved path must start with static dir)
- Gateway binds to NordLynx mesh IP if available, otherwise
localhost— never0.0.0.0unless explicitly requested - TLS on by default for non-loopback addresses; disabled for localhost unless
--tlsis passed - OAuth PKCE flow for obtaining API credentials securely
The GET/POST /api/preview endpoints accept an optional sessionId query parameter to scope preview HTML per session. Security measures:
- UUID validation:
sessionIdis validated against a strict regex (/^[a-f0-9-]{36}$/i). Non-UUID values (including path traversal sequences like../, backslashes, or colons) return 400. This prevents sandbox agents from writing.htmlfiles outside the state directory. - Vite filesystem deny:
server.fs.denyrules block the.bobbitdirectory andnode_modules/.vite, preventing Vite's/@fs/route from serving sensitive files. - Vite plugin hardening:
blockDangerousGlobsrejectsimport.meta.globcalls targeting.bobbitpaths.localhostGuardrejects non-localhost requests to the Vite dev server, preventing sandbox containers from reaching it over the Docker bridge network.
The configurable agent directory can contain provider credentials, so sandbox containers receive only narrow mounts:
- active
<agentDir>/sessions/for transcript continuity; - active
<agentDir>/models.jsonread-only when present; - a generated, project-scoped auth file mounted as
/home/node/.bobbit/agent/auth.json.
Bobbit never mounts the full host agent directory or host <agentDir>/auth.json into Docker. Remote-less sandbox clone sources are generated from sanitized tracked content that excludes .bobbit/ and auth.json, then mounted read-only. See Configurable agent directory.