Files
wehub-resource-sync d68f003000
CI / Change detection (push) Has been cancelled
CI / Version drift (push) Has been cancelled
CI / Lint (push) Has been cancelled
CI / Workflow RLM cache (push) Has been cancelled
CI / Test (macos-latest) (push) Has been cancelled
CI / Test (ubuntu-latest) (push) Has been cancelled
CI / Test (windows-latest) (push) Has been cancelled
CI / npm wrapper smoke (push) Has been cancelled
CI / Mobile runtime smoke (push) Has been cancelled
CI / Workflow lint (push) Has been cancelled
CI / Documentation (push) Has been cancelled
Web Frontend / Lint & Type Check (push) Failing after 1s
Auto-close harvested PRs / close (push) Failing after 1s
cargo-deny / cargo-deny (bans licenses sources) (push) Failing after 1s
Security audit / cargo-audit (push) Failing after 1s
Sync to CNB / sync (push) Failing after 1s
cargo-deny / cargo-deny (advisories) (push) Failing after 3s
Web Frontend / Deploy to Cloudflare (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:08:23 +08:00

68 lines
3.1 KiB
Markdown

# Workroom Security Model
## Scope
This document covers the security boundaries of CodeWhale Workrooms — the
durable, addressable containers for threaded agent conversations described
in [RFC 3209](rfcs/3209-workrooms.md).
Workrooms do **not** introduce any new network services, cloud dependencies,
or default-on public sharing. Security responsibility stays with the
operator who controls the Runtime API.
This document describes the intended security contract for the v0.9 workroom
surface. In v0.8.62, only protocol data types and link parsing have landed.
Persistent state, Runtime API endpoints, token scoping, event storage, and
model-visible link resolution remain follow-up work.
## Principles
1. **Local-first.** Future persisted workroom state should live under the
CodeWhale home directory, protected by user-only filesystem permissions.
No cloud sync, no telemetry, no third-party hosting.
2. **No secrets in links.** `codewhale://workroom/wr_...` URLs contain only
opaque UUIDs. They carry no API keys, bearer tokens, passwords, or file
paths. An adversary with a workroom link can do nothing without Runtime
API access.
3. **No public read paths.** Future workroom endpoints must require a valid
bearer token in the `Authorization` header. There should be no
unauthenticated `/workroom/...` route.
4. **No secrets in events.** `WorkroomEvent` payloads must never contain
API keys, auth tokens, or plaintext credentials. The `ArtifactLinked`
event kind references file paths, not contents. Events are intended for
indexing/reference, not for replaying agent tool output.
5. **Share is explicit.** A workroom is `Private` by default. The operator
may mark it `Shared` and list allowed bearer tokens. The operator
controls which tokens are issued, rotated, and revoked.
## Threat model
| Threat | Mitigation |
|---|---|
| Attacker obtains a workroom link | Link contains only opaque UUID; resolution requires Runtime API auth |
| Attacker brute-forces workroom IDs | UUID v4 (`2^122` space); future APIs should add rate limiting before exposing lookup surfaces |
| Attacker injects a malicious event | Future event writes should flow only through trusted Runtime clients |
| Attacker exfiltrates workroom state | Future filesystem state should be gated by OS user permissions and runtime auth |
| Bearer token leaks | Operator rotates tokens; future sharing rules should be revocable without touching workroom state |
## API auth
Future workroom endpoints should inherit the same auth middleware as other
protected routes (`/thread`, `/app`, `/tool`, etc.):
- `Authorization: Bearer <token>` header required
- Token validated against the runtime's configured bearer token(s)
- 401 Unauthorized if missing or invalid
## Future work
| Item | Risk | Status |
|---|---|---|
| Event encryption at rest | In scope for Phase 2 if workrooms move to a multi-user model | Not implemented |
| Audit log for shared workrooms | Useful if shared tokens are used across operators | Not implemented |
| Token scoping (read/write/admin) | Currently all tokens have full access | Not planned |