Docs for muthr 0.1.53

Security

Threat model

Agent frameworks run with broad host privileges. Typical failure paths include:

  • compromised package install scripts
  • malicious transitive dependencies
  • prompt-induced shell execution of unsafe commands
  • over-broad filesystem reads leaking credentials or private keys

muthr confines these failures to the sandbox.

What muthr mitigates

Host exposure

  • agent runtimes run inside sandbox containers, not on the host shell
  • project-only mounts prevent full-home access
  • runtime variables are explicit, not ambient

Supply-chain containment

Profiles (opencode/hermes) install package ecosystems inside container boundaries. A bad package impacts the sandbox first, not your host root.

Predictable teardown

muthr shutdown and lifecycle subcommands stop and reset all managed components.

Scriptability and verification

JSON/NDJSON output and deterministic command shape let operators implement policy checks in shell tooling.

Residual risk

muthr raises the bar but does not make agents safe by default. The following actions create attack surface:

  • Mounting sensitive files (private keys, .env files) into a sandbox
  • Executing untrusted binaries manually inside a sandbox
  • Overriding safe defaults (bind_host, workspace_root)
  • Running sandboxes as root or with elevated privileges

Use --audit-log for any session where you need a record of what happened inside the container.
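The policy checks the Scriptability section describes can be written against NDJSON output; this added example (not muthr's own code) encodes the Residual risk list above as a shell check over constructed records. The record fields (name, workspace_root, bind_host, user, mounts) and a loopback bind_host default are assumptions, not muthr's documented schema.

```sh
#!/bin/sh
# Added example: policy check over NDJSON sandbox records. The field names and the
# loopback default for bind_host are assumed, not taken from muthr's real schema.
set -eu

# Constructed NDJSON input: one flat JSON object per line.
RECORDS='{"name":"ok","workspace_root":"~/src/app","bind_host":"127.0.0.1","user":"agent","mounts":["~/src/app"]}
{"name":"home","workspace_root":"~","bind_host":"127.0.0.1","user":"agent","mounts":["~"]}
{"name":"exposed","workspace_root":"~/src/api","bind_host":"0.0.0.0","user":"root","mounts":["~/src/api"]}
{"name":"secrets","workspace_root":"~/src/web","bind_host":"127.0.0.1","user":"agent","mounts":["~/src/web","~/.ssh/id_ed25519","~/src/web/.env"]}'

# Pull a string field out of a flat JSON line (sufficient for this fixed shape; no jq needed).
json_field() {
  printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Print one line per policy violation in a single record; prints nothing if compliant.
check_record() {
  rec=$1
  name=$(json_field "$rec" name)
  ws=$(json_field "$rec" workspace_root)
  bh=$(json_field "$rec" bind_host)
  usr=$(json_field "$rec" user)
  # workspace_root must be a project directory, never the whole home (~ or $HOME)
  case "$ws" in
    "~"|"~/"|"$HOME"|"$HOME/") echo "$name: workspace_root is the full home directory";;
  esac
  # bind_host: anything other than loopback is treated as an unsafe override (assumed default)
  case "$bh" in
    127.0.0.1|localhost|::1) ;;
    *) echo "$name: bind_host $bh is not loopback";;
  esac
  [ "$usr" != root ] || echo "$name: sandbox runs as root"
  # sensitive host files (private keys, .env) mounted into the sandbox
  if printf '%s\n' "$rec" | grep -Eq '"mounts":\[[^]]*(\.env|\.ssh/|id_rsa|id_ed25519|\.pem)'; then
    echo "$name: mounts include private keys or .env files"
  fi
}

# Count violations across all records (silent; the report loop below prints them).
count_violations() {
  n=0
  while IFS= read -r rec; do
    [ -n "$rec" ] || continue
    out=$(check_record "$rec")
    [ -z "$out" ] || n=$((n + $(printf '%s\n' "$out" | wc -l)))
  done <<EOF
$RECORDS
EOF
  echo "$n"
}

# Stand-alone run: report each violation, then the total (4 for the records above).
printf '%s\n' "$RECORDS" | while IFS= read -r rec; do check_record "$rec"; done
echo "violations: $(count_violations)"
```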

Apple container backend

muthr uses Apple container tooling instead of ad-hoc chroot or shell wrappers. This provides a virtualization-backed isolation boundary with explicit lifecycle primitives (create, start, exec, stop, delete) and network controls.

  • virtualization-backed isolation on Apple Silicon
  • lifecycle primitives (create, start, exec, stop, delete)
  • network controls through the container API

Recommended practices

  1. Keep workspace_root scoped to ~/src (never $HOME).
  2. Run agents through muthr sandbox shell --profile ....
  3. Keep host secrets outside project directories.
  4. Use muthr doctor before major runtime changes.
  5. Use --audit-log for sensitive sessions.
  6. Use muthr shutdown --yes when done.

Limits

muthr contains agent execution. It cannot inspect agent reasoning, validate generated code for logic errors, or prevent social engineering inside the container. Agents with valid credentials can still exfiltrate data through allowed network paths. Use --audit-log and least-privilege profiles to mitigate.


See also: Concepts · Sandbox Architecture · Configuration
