From fe232744a6bb209e367e054dde168ee367722614 Mon Sep 17 00:00:00 2001 From: didericis Date: Sun, 10 May 2026 02:42:12 -0400 Subject: [PATCH] docs: reframe security model around secret exposure and exfiltration Soften the "container is the boundary against reaching the host" framing in favor of what the design actually leans on: granting each bottle only the secrets it needs, and constraining where those secrets can travel via pipelock. The container is one layer rather than the load-bearing one. Co-Authored-By: Claude Opus 4.7 --- README.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index f15fca2..68702ff 100644 --- a/README.md +++ b/README.md @@ -32,13 +32,19 @@ state, don't talk to each other, and only get the env vars, skills, SSH identities, and egress hosts the manifest grants them — nothing more. Any one agent only has the access it needs to do its job. -The container is the boundary against an uncoordinated agent reaching -the host: a misbehaving Claude Code session can't read files outside -the bottle, can't reach the host's network without going through -pipelock, and can't see other bottles. By default it is not a hardened -boundary against a determined attacker with kernel-level escape -capability — Linux hosts can opt into [gVisor](https://gvisor.dev/) -per bottle (see `runtime` in the manifest below); the broader v2 +The bottle limits both what an agent can see and where it can send +it. Each bottle gets only the secrets and SSH identities the manifest +grants it — a Gitea token but not a GitHub token, a deploy key but +not a personal SSH key — so even a compromised or misbehaving agent +only handles credentials it was already trusted with for its job. +Egress flows through pipelock, which constrains where those +credentials can travel: an agent with a Gitea token can reach +`gitea.dideric.is`, not arbitrary attacker-controlled hosts. The +container itself adds a layer between the agent and the host, but the +v1 design leans more on secret minimization and egress allowlisting +than on the container as a hardened boundary. Linux hosts can opt into +[gVisor](https://gvisor.dev/) per bottle (see `runtime` in the +manifest below) for a userspace syscall barrier; the broader v2 discussion lives in `docs/research/stronger-isolation-alternatives.md`. The egress proxy and OAuth-token handling below are the load-bearing