Security
Full policy at SECURITY.md. The shape:
Reporting a vulnerability
Do not open a public GitHub issue for security vulnerabilities.
Preferred: open a private security advisory.
Acknowledgement target: 72 hours. Patch target for critical / high severity: 14 days.
In scope:
- lib/agent_runner.py
- bin/
- examples/bin/label_state.py
- examples/git-hooks/pre-push
- install.sh
- The Astro Starlight site at site/
Out of scope:
- The Anthropic Claude Code CLI (report to Anthropic).
- Third-party skills (gstack, CodeRabbit, etc.). Report upstream.
- Consumer fleet code that imports agent_runner. Consumer’s responsibility.
- Operator misconfigurations (leaked AWS keys, public Slack webhooks). Hardening documented; can’t be enforced.
Critical classes
- Remote code execution from a Slack message body, gh API response, or any external data the runner reads.
- Privilege escalation that lets a per-agent IAM identity act outside its declared policy.
- Secret leakage paths.
- Bypass of the do-not-pickup operator override.
- Race conditions in claim_issue that allow duplicate claims.
Hardening recommendations
For consumer fleets:
- Per-agent IAM, never operator SSO. See AWS setup.
- Secrets via AWS Secrets Manager, not env files committed to home.
- Pre-push hook installed in every operator-touched repo.
- Read every skill before installing. Skills run with claude’s permissions.
- Webhook URLs treated as secrets. Rotate on suspected exposure.
- Bot tokens (xoxb-) and app tokens (xapp-1-) treated as secrets. Same.
- Audit agent:authored PRs before merge. Auto-merge of unaudited code is out of scope.
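Three of the items above (the pre-push hook, webhook URLs as secrets, xoxb-/xapp-1- tokens as secrets) describe one check: refuse a push whose added lines carry a Slack credential. The scanner below is an added example, not the project’s examples/git-hooks/pre-push (whose contents this page does not show). It walks only the `+` lines of a unified diff, reports the new-file line number, and redacts the match so the secret does not land in hook output. The token character set and minimum length after each prefix, and the webhook URL shape, are assumptions chosen to be permissive; the sample diff is constructed for the example.

```python
"""Added example: scan a unified diff for the Slack secret shapes the
hardening list names. Not the project's own pre-push hook."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Assumed token shapes: prefixes come from the hardening list, the suffix
# charset/length are permissive guesses so close variants still trip.
PATTERNS = {
    "slack_bot_token": re.compile(r"\bxoxb-[A-Za-z0-9-]{10,}"),
    "slack_app_token": re.compile(r"\bxapp-1-[A-Za-z0-9-]{10,}"),
    "slack_webhook_url": re.compile(r"https://hooks\.slack\.com/services/[A-Za-z0-9/]+"),
}

HUNK_HEADER = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int   # line number in the new version of the file
    redacted: str  # prefix only; never echo the full secret


def redact(secret: str) -> str:
    # Keep enough of the prefix to identify the token type, drop the rest.
    return secret[:8] + "..."


def scan_added_lines(diff_text: str) -> list[Finding]:
    """Report secrets on added ('+') lines of a unified diff.

    File headers (diff --git, ---, +++) are skipped, removed lines are
    ignored, and context lines only advance the line counter.
    """
    findings: list[Finding] = []
    in_hunk = False
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git"):
            in_hunk = False          # next ---/+++ lines are headers, not content
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            in_hunk = True
            line_no = int(m.group(1)) - 1
            continue
        if not in_hunk or raw.startswith("-") or raw.startswith("\\"):
            continue                 # header, removed line, or "\ No newline" marker
        line_no += 1                 # context and added lines both exist in the new file
        if not raw.startswith("+"):
            continue
        for kind, pattern in PATTERNS.items():
            for hit in pattern.finditer(raw):
                findings.append(Finding(kind, line_no, redact(hit.group(0))))
    return findings


# Constructed sample: what `git diff` of an offending commit might look like.
SAMPLE_DIFF = """diff --git a/config.env b/config.env
--- a/config.env
+++ b/config.env
@@ -1,2 +1,4 @@
 APP_NAME=fleet
-SLACK_TOKEN=placeholder
+SLACK_BOT_TOKEN=xoxb-000000000000-000000000000-exampleexampleexample
+SLACK_APP_TOKEN=xapp-1-A00000000-000000000000-exampleexample
+SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/exampleexample
"""


def main() -> int:
    """Read a diff on stdin; exit non-zero (blocking the push) on any finding."""
    findings = scan_added_lines(sys.stdin.read())
    for f in findings:
        print(f"{f.kind} at new line {f.line_no}: {f.redacted}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pre-push hook, each `<local ref> <local sha> <remote ref> <remote sha>` line git passes on stdin becomes `git diff "$remote_sha".."$local_sha" | python3 scan_push.py`, and a non-zero exit aborts the push. Scanning only added lines keeps the hook fast and avoids re-flagging history the hook cannot change; a secret that was already pushed needs rotation, not a blocked push.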