Security
Threat model
Agent frameworks run with broad host privileges. Typical failure paths include:
- compromised package install scripts
- malicious transitive dependencies
- prompt-induced shell execution of unsafe commands
- over-broad filesystem reads leaking credentials or private keys
muthr contains these failures within the sandbox rather than letting them reach the host.
What muthr mitigates
Host exposure
- agent runtimes run inside sandbox containers, not on the host shell
- project-only mounts prevent full-home access
- runtime variables are explicit, not ambient
Supply-chain containment
Profiles (opencode/hermes) install package ecosystems inside container boundaries. A bad package impacts the sandbox first, not your host root.
Predictable teardown
muthr shutdown and lifecycle subcommands stop and reset all managed components.
Scriptability and verification
JSON/NDJSON output and deterministic command shape let operators implement policy checks in shell tooling.
Residual risk
muthr raises the bar but does not make agents safe by default. The following actions create attack surface:
- Mounting sensitive files (private keys, .env files) into a sandbox
- Executing untrusted binaries manually inside a sandbox
- Overriding safe defaults (bind_host, workspace_root)
- Running sandboxes as root or with elevated privileges
Use --audit-log for any session where you need a record of what happened inside the container.
Apple container backend
muthr uses Apple container tooling instead of ad-hoc chroot or shell wrappers. This provides a virtualization-backed isolation boundary with explicit lifecycle primitives (create, start, exec, stop, delete) and network controls.
- virtualization-backed isolation on Apple Silicon
- lifecycle primitives (create, start, exec, stop, delete)
- network controls through the container API
Recommended secure operating pattern
- Keep workspace_root scoped to ~/src (never $HOME).
- Run agents through muthr sandbox shell --profile ....
- Keep host secrets outside project directories.
- Use muthr doctor before major runtime changes.
- Use --audit-log for sensitive sessions.
- Use muthr shutdown --yes when done.
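The scriptability section above says NDJSON output lets operators write their own policy checks, and the pattern list above gives the policy. The following is an added example of such a check, not muthr's own code: it reads constructed NDJSON sandbox records and flags each deviation from the recommended pattern. The field names (name, user, workspace_root, bind_host, mounts) and the record shape are assumptions for illustration, not muthr's actual output schema.

```python
"""Policy check over constructed muthr-style NDJSON sandbox records.

Added example, not muthr's own code. The field names (name, user,
workspace_root, bind_host, mounts) are ASSUMED for illustration; adapt
them to the real NDJSON schema that muthr emits.
"""
import json
import posixpath

# Mount path fragments the Residual risk section calls out as attack surface.
SENSITIVE_MOUNT_MARKERS = (".env", ".ssh", "id_rsa", "id_ed25519", ".aws", ".gnupg")


def check_record(rec: dict, home: str) -> list:
    """Return policy violations for one sandbox record (empty list = compliant)."""
    findings = []
    allowed_root = posixpath.join(home, "src")
    ws = posixpath.normpath(rec.get("workspace_root", ""))
    # workspace_root must be ~/src or a directory below it; $HOME itself,
    # a sibling such as ~/srcfoo, or any parent of ~/src is a violation.
    if ws != allowed_root and not ws.startswith(allowed_root + "/"):
        findings.append("workspace_root %r not scoped under %s" % (ws, allowed_root))
    if rec.get("user", "") == "root":
        findings.append("sandbox runs as root")
    # bind_host should stay on loopback; anything else overrides a safe default.
    if rec.get("bind_host", "127.0.0.1") not in ("127.0.0.1", "localhost", "::1"):
        findings.append("bind_host %r overrides the loopback default" % rec["bind_host"])
    for mount in rec.get("mounts", []):
        if any(marker in mount for marker in SENSITIVE_MOUNT_MARKERS):
            findings.append("sensitive mount %r" % mount)
    return findings


def audit_ndjson(text: str, home: str) -> dict:
    """Parse NDJSON (one record per line) and map sandbox name -> violations."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            report[rec["name"]] = check_record(rec, home)
    return report


# Constructed sample records; not captured from a real muthr run.
SAMPLE_NDJSON = "\n".join([
    '{"name":"proj-ok","user":"agent","workspace_root":"/Users/alice/src/proj","bind_host":"127.0.0.1","mounts":["/Users/alice/src/proj"]}',
    '{"name":"proj-bad","user":"root","workspace_root":"/Users/alice","bind_host":"0.0.0.0","mounts":["/Users/alice/.ssh","/Users/alice/src/proj/.env"]}',
])

if __name__ == "__main__":
    for name, findings in audit_ndjson(SAMPLE_NDJSON, "/Users/alice").items():
        print(name, "OK" if not findings else findings)
```

A non-empty report entry is the signal to refuse to start that sandbox or to require --audit-log for the session.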
Limits
muthr contains agent execution. It cannot inspect agent reasoning, validate generated code for logic errors, or prevent social engineering inside the container. Agents with valid credentials can still exfiltrate data through allowed network paths. Use --audit-log and least-privilege profiles to mitigate.
See also: Concepts · Sandbox Architecture · Configuration