Security Model
Defense in Depth
AI Butler uses multiple layers of security, each independent of the others:
Capability Engine
Every tool call is gated by a granular capability system. Tools declare required capabilities, and agents only have access to capabilities explicitly granted.
- Per-tool capability requirements
- Path-based, command-based, domain-based, channel-based, device-based scoping
- Rate limiting per capability
- TTL-based auto-revocation
- Full audit logging of every capability check
RBAC (Role-Based Access Control)
Four roles with configurable permissions:
| Role | Tools | Channels | Memory | Config |
|---|---|---|---|---|
| Admin | All | All | Read/Write | Manage |
| User | Read/Write/Execute | Read/Write | Read/Write | Read |
| Viewer | Read only | Read only | Read only | Read |
| Agent | Execute only | Write only | Read only | None |
Authentication
Multiple authentication methods, stackable:
- Password (bcrypt, configurable cost)
- TOTP 2FA (RFC 6238, 30-second codes)
- OIDC SSO (OpenID Connect with PKCE)
- FIDO2/WebAuthn (hardware security keys, P-256 ECDSA)
Network Security
- SSRF protection — blocks requests to private/internal IP ranges (127.x, 10.x, 169.254.x, etc.)
- Rate limiting on all external endpoints (100 req/min default)
- A2A server binds to localhost by default
- TLS support for internet-facing deployments
- IP allowlist for dashboard access
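As an added example that is not AI Butler's own code, here is how the private-range block described above can be enforced in Go at dial time, so the check applies to the exact address connected to rather than to a hostname that may re-resolve; the helper names and the extra RFC 6598 range are my assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"syscall"
)

// Hypothetical helper, not AI Butler's own code: refuse outbound connections to internal ranges.
var ErrBlockedDestination = errors.New("ssrf: destination is a private or internal address")
var cgnat = netip.MustParsePrefix("100.64.0.0/10") // RFC 6598 shared space, not in netip's classifiers

// isInternal reports whether ip lies in a range an outbound fetcher must never reach.
func isInternal(ip netip.Addr) bool {
	ip = ip.Unmap() // ::ffff:10.0.0.1 is 10.0.0.1 in disguise
	return ip.IsLoopback() || // 127.0.0.0/8, ::1
		ip.IsPrivate() || // 10/8, 172.16/12, 192.168/16, fc00::/7
		ip.IsLinkLocalUnicast() || // 169.254/16 (cloud metadata), fe80::/10
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() || ip.IsMulticast() ||
		ip.IsUnspecified() || // 0.0.0.0, ::
		cgnat.Contains(ip)
}

// checkDialAddress validates the "ip:port" the dialer is about to connect to. Checking after
// DNS resolution closes the gap where a hostname passes a pre-flight lookup and then re-resolves.
func checkDialAddress(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("ssrf: malformed dial address %q: %w", address, err)
	}
	ip, err := netip.ParseAddr(host)
	if err != nil {
		return fmt.Errorf("ssrf: dial address %q is not an IP literal: %w", host, err)
	}
	if isInternal(ip) {
		return fmt.Errorf("%w: %s", ErrBlockedDestination, ip)
	}
	return nil
}

// newSafeDialer returns a net.Dialer whose Control hook runs the check on every connection.
func newSafeDialer() *net.Dialer {
	return &net.Dialer{
		Control: func(_, address string, _ syscall.RawConn) error {
			return checkDialAddress(address)
		},
	}
}
```

Plugging `newSafeDialer().DialContext` into an `http.Transport` applies the check to every HTTP fetch, including redirects.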
Plugin Sandbox
WASM plugins run in an Extism sandbox:
- No filesystem access without explicit grants
- No network access without explicit grants
- Capability-gated credential access (`credential.read:<key>`)
- Static analysis of plugin manifests before loading
- Per-plugin audit trail
Security Audit
AI Butler has undergone a 59-pass security audit covering:
- SQL injection, path traversal, command injection
- SSRF, CSRF, CORS, cookie security
- Race conditions, resource leaks, goroutine safety
- Session management, token lifecycle, webhook verification
- Privilege escalation, capability bypass, prompt injection
- Zip bombs, ReDoS, HTTP smuggling, timing attacks
- Supply chain, dependency CVEs, build integrity
74 findings identified. 70 fixed. 4 documented as acceptable.
The complete pass-by-pass audit record is maintained internally and reviewed during pre-release gates.
Responsible Disclosure
See SECURITY.md for reporting vulnerabilities.