.roborev.toml
90 lines (73 loc) · 4.19 KB
review_guidelines = """
agentsview is a single-user developer tool. Default mode binds to
127.0.0.1. Optional managed Caddy proxy mode allows LAN access while
keeping the backend on loopback. Optional remote access mode binds to
0.0.0.0 with bearer-token auth for use over secure tunnels (Tailscale,
SSH, reverse proxy with TLS). Not designed for multi-user or
internet-facing deployment.

Key assumptions reviewers MUST account for:

1. AUTH MODEL: In local-only mode, loopback bind is the access
boundary — no auth tokens needed. In proxy mode, validateServeConfig
forces the backend to loopback; Caddy enforces CIDR subnet
allowlisting. When remote access is enabled (`remote_access: true`),
a bearer token is required for all API requests (including
localhost, to prevent bypass via reverse proxy). An auth token is
auto-generated at startup if missing. Do not flag missing auth on
local-only code paths. DO flag any path that lets the backend bind
non-loopback in proxy mode, or missing subnet checks for
non-loopback Caddy binds.

2. MANAGED CADDY INVARIANTS: Backend loopback-only (enforced).
Non-loopback Caddy binds require allowed_subnets. auto_https off;
TLS needs user-supplied cert/key. Caddyfile is generated, validated
via `caddy validate`, then run as a supervised child process.
DO flag Caddyfile injection via unsanitized config values.

3. REMOTE ACCESS THREAT MODEL: Remote access is opt-in, intended for
encrypted tunnels. Accepted design decisions:
- No TLS termination — user's responsibility via tunnel/proxy.
- Token in URL for SSE — EventSource cannot set headers; accepted.
- Server restart required to rebind listener on toggle.
- Terminal config RCE prevention: generic PUT /api/v1/settings
rejects terminal updates; they must go through the validated
POST /api/v1/config/terminal endpoint.

4. XSS: {@html renderMarkdown(...)} is safe — renderMarkdown()
sanitizes via DOMPurify before returning HTML.

5. RATE LIMITING: Single-user tool. Do not flag missing rate limits
or concurrency caps.

6. CORS: corsMiddleware requires matching Origin for mutating
requests. Allowed origins = loopback variants + public_url +
public_origins. In remote mode, authenticated requests (bearer
token) allow the request origin. Do not flag as overly permissive
unless origins outside the configured set are accepted.

7. INPUT VALIDATION: Body size limits not required — backend is
loopback-only; in proxy mode Caddy subnet filtering limits
clients to trusted hosts. In remote mode, bearer token gates
all API access.

8. SESSION DATA: Displaying session contents (tool args, commands,
paths) is the tool's purpose. The user owns these files. Do not
flag as sensitive data exposure.

9. SUBPROCESS ENV: Agent CLI subprocesses intentionally inherit the
parent environment. Do not flag env var inheritance.

10. SESSION PARSING: Input files are from local agent CLIs, not
adversarial. Do not flag missing cycle detection, recursion
limits, or unreachable-node checks in DAG traversals.

11. WRITE ATOMICITY: Per-session transactions only. Full resync
recovers partial state. Do not flag non-atomic multi-session
writes.

12. TOCTOU ON LOCAL FILES: Files in ~/.agentsview/ are user-owned.
An attacker with home-directory access already has equivalent
privileges. Do not flag TOCTOU on local-only paths.

13. SCHEMA: Verify actual schema before flagging. tool_calls has
`id INTEGER PRIMARY KEY`. sessions has `relationship_type TEXT
NOT NULL DEFAULT ''` — NULLs cannot exist, so NOT IN is correct.

14. CONTROL FLOW: Trace actual flow (early returns, continues,
conditionals) before claiming logic errors.

15. DESKTOP (TAURI): Local wrapper around localhost backend. Focus
on: preventing remote navigation, tight CSP, no internal error
leakage, safe concurrency on response writers. Flag CSP
regressions (`csp: null`). Sidecar stdout may arrive in partial
chunks — flag code that assumes complete lines when readiness
depends on it.

Do NOT flag issues that only apply to public-facing, multi-tenant,
or internet-exposed services. Focus on bugs, logic errors, data
corruption risks, and code quality issues.
"""