Skip to content

Security: G-Research/bobbit

docs/security.md

Security Model

This tool grants full shell access to the host machine. The auth token is equivalent to an SSH key.

  • 256-bit cryptographically random token generated on first run, persisted in serverSecretsDir() (an OS user-level directory outside any project root, defaulting to <AppData|Library/Application Support|~/.local/state>/bobbit/secrets/<hash>/token) with mode 0600. Override with BOBBIT_SECRETS_DIR. Stored outside the Headquarters project directory to prevent same-root normal-project agents from reading the gateway admin token. See headquarters.md — Live secrets exception.
  • All API routes and WebSocket connections require the token
  • Constant-time token comparison prevents timing attacks
  • IP-based rate limiting on failed auth attempts (automatic lockout)
  • 5-second auth timeout on WebSocket connections
  • Static file serving has directory traversal prevention (resolved path must start with static dir)
  • Gateway binds to NordLynx mesh IP if available, otherwise localhost — never 0.0.0.0 unless explicitly requested
  • TLS on by default for non-loopback addresses; disabled for localhost unless --tls is passed
  • OAuth PKCE flow for obtaining API credentials securely

Preview endpoint hardening

The GET/POST /api/preview endpoints accept an optional sessionId query parameter to scope preview HTML per session. Security measures:

  • UUID validation: sessionId is validated against a strict regex (/^[a-f0-9-]{36}$/i). Non-UUID values (including path traversal sequences like ../, backslashes, or colons) return 400. This prevents sandbox agents from writing .html files outside the state directory.
  • Vite filesystem deny: server.fs.deny rules block the .bobbit directory and node_modules/.vite, preventing Vite's /@fs/ route from serving sensitive files.
  • Vite plugin hardening: blockDangerousGlobs rejects import.meta.glob calls targeting .bobbit paths. localhostGuard rejects non-localhost requests to the Vite dev server, preventing sandbox containers from reaching it over the Docker bridge network.

Sandbox agent-directory boundaries

The configurable agent directory can contain provider credentials, so sandbox containers receive only narrow mounts:

  • active <agentDir>/sessions/ for transcript continuity;
  • active <agentDir>/models.json read-only when present;
  • a generated, project-scoped auth file mounted as /home/node/.bobbit/agent/auth.json.

Bobbit never mounts the full host agent directory or host <agentDir>/auth.json into Docker. Remote-less sandbox clone sources are generated from sanitized tracked content that excludes .bobbit/ and auth.json, then mounted read-only. See Configurable agent directory.

There aren't any published security advisories