Skip to content

Security: hypnoastic/Autoweave-Library

Security

SECURITY.md

Security Policy

Security is a primary concern for the AutoWeave library, as it serves as an execution and orchestration layer for agent-generated code and commands.

Supported Versions

Currently, the main branch and the latest published version are supported for security updates.

Version Supported
0.1.x

Threat Model

What This Library Does NOT Do

  • Sandbox Execution: AutoWeave does not provide a sandbox for unsafe code execution. It is purely the orchestration layer. Any remote workers (e.g. OpenHands) provisioned by tasks must be executed inside a hardened sandbox (e.g., Docker, gVisor) configured by the downstream product or user.
  • Product Authentication: This library does not handle user authentication, OAuth, or RBAC. The downstream product shell is responsible for securing access to the orchestration engine.

Trusted vs Untrusted Inputs

  • Trusted: The local filesystem (templates, bootstrap files), environment variables (.env.local), and configuration maps are considered trusted.
  • Untrusted: Natural language requests passed to the compiler, and code/artifacts generated by LLM agents.

Security Defenses

  • Strict Validation: All state transitions and payload schemas are strictly validated using pydantic.
  • No eval(): The library deliberately avoids unsafe dynamic code execution methods such as eval() or exec() internally.
  • Secret Scanning: All commits to this repository are scanned for hardcoded secrets via gitleaks.
  • Dependency Audits: Dependencies are continuously audited using pip-audit.
  • Static Analysis: CodeQL runs on every pull request to analyze the Python source code for logic vulnerabilities.

Reporting a Vulnerability

If you discover a security vulnerability within AutoWeave Library, please DO NOT open a public issue.

Instead, please use the GitHub Security Advisory feature to privately report the issue:

  1. Go to the Security Advisories tab for the repository.
  2. Click "Report a vulnerability".
  3. Provide full details of the vulnerability, including steps to reproduce.

Response Timeline

  • We will acknowledge receipt of your vulnerability report within 48 hours.
  • We will provide a status update or resolution plan within 7 days.
  • If a fix is required, we aim to release a patch within 14 days of the report.

All security vulnerabilities will be promptly addressed, and reporters will receive credit if they desire.

There aren't any published security advisories