Agentpack is designed as a local-first developer tool. The default threat model assumes task state may contain source paths, command output, stack traces, and implementation notes that should stay on the developer machine.
- No telemetry.
- No network calls in normal CLI or MCP operation.
- No dependency install or download during
agentpack install. - No
postinstallscript. - No shell hooks installed silently.
- No source upload or hosted sync.
- No full repository copy in
.agentpack/by default. - Runtime package has zero third-party dependencies in v0.
The project uses a conservative npm setup:
- zero runtime dependencies
- exact dependency versions
- committed lockfile
ignore-scripts=truefor installs- TypeScript compiler is the only build dependency
- the release workflow publishes from GitHub Actions via a Trusted Publisher OIDC binding
- versions published by that workflow ship with npm provenance — no long-lived npm tokens are stored anywhere
To verify a downloaded version of agentpack-cli:
npm audit signaturesFor workflow-published versions, the npmjs.com page for the package also shows a Provenance tab linking back to the exact commit, workflow run, and build environment that produced the tarball.
Before cutting a new release, maintainers should run:
npm ci
npm audit signatures
npm test
npm pack --dry-runThe full release flow is documented in docs/RELEASING.md.
Agentpack redacts common secret-looking values and configured environment variable values from generated context and key local records such as source summaries, evidence, checkpoints, replay output, and MCP context responses.
Redaction is best-effort, not a guarantee. Know its limits:
- The built-in pattern catches
key: value-style assignments whose key ends withapi_key,api-key,apikey,token,secret, orpasswordright before the:or=separator (case-insensitive).DATABASE_PASSWORD=...is caught;AWS_SECRET_ACCESS_KEY=...is not, becausesecretis not immediately followed by the separator. - Environment variable values are redacted only for the names listed in
config.jsonredactions.agentpack initseedsOPENAI_API_KEY,ANTHROPIC_API_KEY,GITHUB_TOKEN, andNPM_TOKEN; add your own names (for exampleDATABASE_URL,SLACK_BOT_TOKEN, cloud provider keys) per repo. - Secrets with other key names, multiline secrets (private keys, certificates), and secrets embedded in structured output can pass through unredacted.
Users should treat .agentpack/ as project-sensitive data, avoid pasting raw secrets into summaries or evidence, and review exported handoff files and bundles before sharing them.
Files written inside .agentpack/ (state, sources, events, task passports, evidence, checkpoints) and exported bundles are created with owner-only permissions (0600 for files, 0700 for directories). Ledgers initialized by older versions keep their original directory permissions; on shared machines, tighten them with chmod -R go-rwx .agentpack if needed. Generated client integration files (.mcp.json, AGENTS.md, CLAUDE.md, .cursor/, .codex/) are project configuration and keep default permissions.
Please report security issues privately through GitHub Security Advisories:
https://github.com/ihorponom/agentpack/security/advisories/new
This keeps the report hidden until a fix is ready and gives credit to the reporter. Do not open a regular issue for security problems.