Skip to content

Commit ce3a724

Browse files
committed
docs(coding-agent): document security model
1 parent d8aef0f commit ce3a724

3 files changed

Lines changed: 62 additions & 0 deletions

File tree

packages/coding-agent/docs/docs.json

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,10 @@
1919
"title": "Providers",
2020
"path": "providers.md"
2121
},
22+
{
23+
"title": "Security",
24+
"path": "security.md"
25+
},
2226
{
2327
"title": "Containerization",
2428
"path": "containerization.md"

packages/coding-agent/docs/index.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -41,6 +41,7 @@ For the full first-run flow, see [Quickstart](quickstart.md).
4141
- [Quickstart](quickstart.md) - install, authenticate, and run a first session.
4242
- [Using Pi](usage.md) - interactive mode, slash commands, context files, and CLI reference.
4343
- [Providers](providers.md) - subscription and API-key setup for built-in providers.
44+
- [Security](security.md) - project trust, sandbox boundaries, and vulnerability reporting.
4445
- [Containerization](containerization.md) - sandbox pi with OpenShell, Gondolin, or Docker.
4546
- [Settings](settings.md) - global and project settings.
4647
- [Keybindings](keybindings.md) - default shortcuts and custom keybindings.
Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
# Security
2+
3+
Pi is a local coding agent. It runs with the permissions of the user account that starts it, and it treats files writable by that user as inside the same local trust boundary.
4+
5+
## Project Trust
6+
7+
Project trust controls whether pi loads project-local inputs. It is not a sandbox and it does not restrict what the model can ask tools to do after you start working in a directory.
8+
9+
Pi considers a project to have trust inputs when it finds any of these from the current working directory:
10+
11+
- `.pi/` in the current directory
12+
- `AGENTS.md` or `CLAUDE.md` in the current directory or an ancestor directory
13+
- `.agents/skills` in the current directory or an ancestor directory
14+
15+
When an interactive session starts in a project with trust inputs and no saved decision, pi asks whether to trust the project. Saved decisions are stored per canonical working directory in `~/.pi/agent/trust.json`.
16+
17+
Trusting a project allows pi to load project-local inputs, including:
18+
19+
- project instructions from `AGENTS.md` or `CLAUDE.md`
20+
- `.pi/settings.json`
21+
- `.pi` resources such as extensions, skills, prompt templates, themes, and system prompt files
22+
- missing project packages configured through project settings
23+
- project-local extensions and project package-managed extensions
24+
25+
Declining trust skips those project-local inputs. Before trust is resolved, pi only loads user/global extensions and CLI `-e` extensions. User/global and CLI extensions can handle the `project_trust` event; the first extension that returns a yes/no decision owns the decision.
26+
27+
Non-interactive modes (`-p`, `--mode json`, and `--mode rpc`) do not show a trust prompt. Without a saved trust decision, they ignore project-local inputs unless `--approve`/`-a` is passed. Use `--no-approve`/`-na` to ignore project-local inputs for one run even when the project is trusted.
28+
29+
## No Built-in Sandbox
30+
31+
Pi does not include a built-in sandbox. Built-in tools can read files, write files, edit files, and run shell commands with the permissions of the pi process. Extensions are TypeScript modules that run with the same permissions. Package installs, shell commands, language servers, test commands, and other developer tools behave as ordinary local processes.
32+
33+
This is intentional. Pi is designed to operate on local source trees, invoke project toolchains, and integrate with the user's existing development environment. A partial in-process sandbox would be easy to misunderstand as a security boundary while still depending on the host shell, filesystem, package managers, credentials, and extension code. Real isolation needs to come from the operating system or a virtualization/container boundary.
34+
35+
Project trust is only an input-loading guard. It prevents a repository from silently changing pi's instructions, settings, or extensions before you approve it. It does not make untrusted code, untrusted prompts, or untrusted model output safe. Prompt injection from repository files, comments, documentation, or build output is expected local-agent risk and cannot be reliably prevented by pi.
36+
37+
## Running Untrusted or Unmonitored Work
38+
39+
For untrusted repositories, generated code you do not intend to monitor closely, or unattended automation, run pi in a contained environment. Use a container, VM, micro-VM, remote sandbox, or policy-controlled sandbox with only the files and credentials required for the task.
40+
41+
Common patterns are documented in [Containerization](containerization.md):
42+
43+
- run the whole `pi` process inside OpenShell or Docker
44+
- run host pi while routing built-in tool execution into a Gondolin micro-VM
45+
- mount only the workspace paths the agent should access
46+
- avoid mounting host `~/.pi/agent` unless the container should access host sessions, settings, and credentials
47+
- pass the minimum required API keys or use short-lived credentials
48+
- restrict network access when the task does not need it
49+
- review diffs and outputs before copying results back to trusted systems
50+
51+
If you bind-mount a host workspace read/write, writes from inside the container or VM can still modify host files. Use read-only mounts or copy files into and out of the sandbox when you need stronger protection from unintended writes.
52+
53+
## Reporting Security Issues
54+
55+
To report a security issue, follow the repository [Security Policy](https://github.com/earendil-works/pi-mono/blob/main/SECURITY.md). Do not open a public issue for security-sensitive reports.
56+
57+
Expected local-agent behavior, lack of a built-in sandbox, prompt injection from untrusted content, and behavior of user-installed extensions or skills are generally outside the security boundary unless the report demonstrates a real privilege-boundary bypass or shows how pi grants access that the local user did not already have.

0 commit comments

Comments
 (0)