feat(security): M14 security hardening (#134)

* feat(security): add M14 security hardening

Shell sandbox with configurable path restrictions and network control.
Confirmation flows for destructive commands with CLI and Telegram support.
A2A TLS enforcement, SSRF protection, configurable payload size limits.
Structured audit logging with stdout/file destinations.
Secret redaction in LLM responses with whitespace-preserving scanner.
Configurable timeout policies for LLM, embedding, and A2A operations.

Closes #91, closes #92, closes #93

* docs: update documentation for M14 security hardening

Add changelog entries for shell sandbox, confirmation flows, A2A security,
audit logging, secret redaction, and timeout policies. Update README with
expanded Security section, new env vars, and config examples. Add security
env vars to docker-compose files. Update setup-guide skill with new config
keys and env overrides.

* release: prepare v0.8.1

Author: bug-ops

CHANGELOG.md

@@ -6,6 +6,31 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased]
 
+## [0.8.1] - 2026-02-10
+
+### Added
+- Shell sandbox: configurable `allowed_paths` directory allowlist and `allow_network` toggle blocking curl/wget/nc in `ShellExecutor` (Issue #91)
+- Sandbox validation before every shell command execution with path canonicalization
+- `tools.shell.allowed_paths` config (empty = working directory only) with `ZEPH_TOOLS_SHELL_ALLOWED_PATHS` env override
+- `tools.shell.allow_network` config (default: true) with `ZEPH_TOOLS_SHELL_ALLOW_NETWORK` env override
+- Interactive confirmation for destructive commands (`rm`, `git push -f`, `DROP TABLE`, etc.) with CLI y/N prompt and Telegram inline keyboard (Issue #92)
+- `tools.shell.confirm_patterns` config with default destructive command patterns
+- `Channel::confirm()` trait method with default auto-confirm for headless/test scenarios
+- `ToolError::ConfirmationRequired` and `ToolError::SandboxViolation` variants
+- `execute_confirmed()` method on `ToolExecutor` for confirmation bypass after user approval
+- A2A TLS enforcement: reject HTTP endpoints when `a2a.require_tls = true` (Issue #92)
+- A2A SSRF protection: block private IP ranges (RFC 1918, loopback, link-local) with DNS resolution (Issue #92)
+- Configurable A2A server payload size limit via `a2a.max_body_size` (default: 1 MiB)
+- Structured JSON audit logging for all tool executions with stdout or file destination (Issue #93)
+- `AuditLogger` with `AuditEntry` (timestamp, tool, command, result, duration) and `AuditResult` enum
+- `[tools.audit]` config section with `ZEPH_TOOLS_AUDIT_ENABLED` and `ZEPH_TOOLS_AUDIT_DESTINATION` env overrides
+- Secret redaction in LLM responses: detect API keys, tokens, passwords, private keys and replace with `[REDACTED]` (Issue #93)
+- Whitespace-preserving `redact_secrets()` scanner with zero-allocation fast path via `Cow<str>`
+- `[security]` config section with `redact_secrets` toggle (default: true)
+- Configurable timeout policies for LLM, embedding, and A2A operations (Issue #93)
+- `[timeouts]` config section with `llm_seconds`, `embedding_seconds`, `a2a_seconds`
+- LLM calls wrapped with `tokio::time::timeout` in agent loop
+
 ## [0.8.0] - 2026-02-10
 
 ### Added

Cargo.lock

@@ -5,7 +5,7 @@ resolver = "3"
 [workspace.package]
 edition = "2024"
 rust-version = "1.88"
-version = "0.8.0"
+version = "0.8.1"
 authors = ["bug-ops"]
 license = "MIT"
 repository = "https://github.com/bug-ops/zeph"
@@ -51,14 +51,14 @@ tracing = "0.1"
 tracing-subscriber = "0.3"
 url = "2.5"
 uuid = "1.20"
-zeph-a2a = { path = "crates/zeph-a2a", version = "0.8.0" }
-zeph-channels = { path = "crates/zeph-channels", version = "0.8.0" }
-zeph-core = { path = "crates/zeph-core", version = "0.8.0" }
-zeph-llm = { path = "crates/zeph-llm", version = "0.8.0" }
-zeph-mcp = { path = "crates/zeph-mcp", version = "0.8.0" }
-zeph-memory = { path = "crates/zeph-memory", version = "0.8.0" }
-zeph-skills = { path = "crates/zeph-skills", version = "0.8.0" }
-zeph-tools = { path = "crates/zeph-tools", version = "0.8.0" }
+zeph-a2a = { path = "crates/zeph-a2a", version = "0.8.1" }
+zeph-channels = { path = "crates/zeph-channels", version = "0.8.1" }
+zeph-core = { path = "crates/zeph-core", version = "0.8.1" }
+zeph-llm = { path = "crates/zeph-llm", version = "0.8.1" }
+zeph-mcp = { path = "crates/zeph-mcp", version = "0.8.1" }
+zeph-memory = { path = "crates/zeph-memory", version = "0.8.1" }
+zeph-skills = { path = "crates/zeph-skills", version = "0.8.1" }
+zeph-tools = { path = "crates/zeph-tools", version = "0.8.1" }
 
 [workspace.lints.clippy]
 all = "warn"

Cargo.toml

@@ -48,7 +48,7 @@ docker pull ghcr.io/bug-ops/zeph:latest
 Or use a specific version:
 
 ```bash
-docker pull ghcr.io/bug-ops/zeph:v0.8.0
+docker pull ghcr.io/bug-ops/zeph:v0.8.1
 ```
 
 **Security:** Images are scanned with [Trivy](https://trivy.dev/) in CI/CD and use Oracle Linux 9 Slim base with **0 HIGH/CRITICAL CVEs**. Multi-platform: linux/amd64, linux/arm64.
@@ -130,12 +130,28 @@ enabled = true
 
 [tools.shell]
 timeout = 30
-blocked_commands = []  # Additional patterns beyond defaults
+blocked_commands = []
+allowed_commands = []
+allowed_paths = []          # Directories shell can access (empty = cwd only)
+allow_network = true        # false blocks curl/wget/nc
+confirm_patterns = ["rm ", "git push -f", "git push --force", "drop table", "drop database", "truncate "]
 
 [tools.scrape]
 timeout = 15
 max_body_bytes = 1048576  # 1MB
 
+[tools.audit]
+enabled = false             # Structured JSON audit log for tool executions
+destination = "stdout"      # "stdout" or file path
+
+[security]
+redact_secrets = true       # Redact API keys/tokens in LLM responses
+
+[timeouts]
+llm_seconds = 120           # LLM chat completion timeout
+embedding_seconds = 30      # Embedding generation timeout
+a2a_seconds = 30            # A2A remote call timeout
+
 [vault]
 backend = "env"  # "env" (default) or "age"
 
@@ -151,7 +167,7 @@ rate_limit = 60
 </details>
 
 > [!IMPORTANT]
-> Shell commands are filtered for safety. See [Security](#security) section for complete list of 12 blocked patterns and customization options.
+> Shell commands are sandboxed with path restrictions, network control, and destructive command confirmation. See [Security](#security) for details.
 
 <details>
 <summary><b>🔧 Environment Variables</b> (click to expand)</summary>
@@ -178,6 +194,17 @@ rate_limit = 60
 | `ZEPH_A2A_PUBLIC_URL` | Public URL for agent card discovery |
 | `ZEPH_A2A_AUTH_TOKEN` | Bearer token for A2A server authentication |
 | `ZEPH_A2A_RATE_LIMIT` | Max requests per IP per minute (default: 60) |
+| `ZEPH_A2A_REQUIRE_TLS` | Require HTTPS for outbound A2A connections (default: true) |
+| `ZEPH_A2A_SSRF_PROTECTION` | Block private/loopback IPs in A2A client (default: true) |
+| `ZEPH_A2A_MAX_BODY_SIZE` | Max request body size in bytes (default: 1048576) |
+| `ZEPH_TOOLS_SHELL_ALLOWED_PATHS` | Comma-separated directories shell can access (empty = cwd) |
+| `ZEPH_TOOLS_SHELL_ALLOW_NETWORK` | Allow network commands from shell (default: true) |
+| `ZEPH_TOOLS_AUDIT_ENABLED` | Enable audit logging for tool executions (default: false) |
+| `ZEPH_TOOLS_AUDIT_DESTINATION` | Audit log destination: `stdout` or file path |
+| `ZEPH_SECURITY_REDACT_SECRETS` | Redact secrets in LLM responses (default: true) |
+| `ZEPH_TIMEOUT_LLM` | LLM call timeout in seconds (default: 120) |
+| `ZEPH_TIMEOUT_EMBEDDING` | Embedding generation timeout in seconds (default: 30) |
+| `ZEPH_TIMEOUT_A2A` | A2A remote call timeout in seconds (default: 30) |
 
 </details>
 
@@ -299,7 +326,7 @@ context_budget_tokens = 8000  # Set to LLM context window size (0 = unlimited)
 
 ## Docker
 
-**Note:** Docker Compose automatically pulls the latest image from GitHub Container Registry. To use a specific version, set `ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.8.0`.
+**Note:** Docker Compose automatically pulls the latest image from GitHub Container Registry. To use a specific version, set `ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.8.1`.
 
 <details>
 <summary><b>🐳 Docker Deployment Options</b> (click to expand)</summary>
@@ -359,7 +386,7 @@ ZEPH_VAULT_KEY=./my-key.txt ZEPH_VAULT_PATH=./my-secrets.age \
 
 ```bash
 # Use a specific release version
-ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.8.0 docker compose up
+ZEPH_IMAGE=ghcr.io/bug-ops/zeph:v0.8.1 docker compose up
 
 # Always pull latest
 docker compose pull && docker compose up
@@ -417,18 +444,75 @@ Zeph implements defense-in-depth security for safe AI agent operations in produc
 **Configuration:**
 ```toml
 [tools.shell]
-timeout = 30  # Command execution timeout
+timeout = 30
 blocked_commands = ["custom_pattern"]  # Additional patterns (additive to defaults)
+allowed_paths = ["/home/user/workspace"]  # Restrict filesystem access
+allow_network = true  # false blocks curl/wget/nc
+confirm_patterns = ["rm ", "git push -f"]  # Destructive command patterns
 ```
 
 > [!IMPORTANT]
-> Custom patterns are **additive** — you cannot weaken default security. Matching is case-insensitive (`SUDO`, `Sudo`, `sudo` all blocked).
+> Custom blocked patterns are **additive** — you cannot weaken default security. Matching is case-insensitive.
+
+### Shell Sandbox
+
+Commands are validated against a configurable filesystem allowlist before execution:
+
+- `allowed_paths = []` (default) restricts access to the working directory only
+- Paths are canonicalized to prevent traversal attacks (`../../etc/passwd`)
+- `allow_network = false` blocks network tools (`curl`, `wget`, `nc`, `ncat`, `netcat`)
+
+### Destructive Command Confirmation
+
+Commands matching `confirm_patterns` trigger an interactive confirmation before execution:
+
+- **CLI:** `y/N` prompt on stdin
+- **Telegram:** inline keyboard with Confirm/Cancel buttons
+- Default patterns: `rm`, `git push -f`, `git push --force`, `drop table`, `drop database`, `truncate`
+- Configurable via `tools.shell.confirm_patterns` in TOML
+
+### Audit Logging
+
+Structured JSON audit log for all tool executions:
+
+```toml
+[tools.audit]
+enabled = true
+destination = "./data/audit.jsonl"  # or "stdout"
+```
+
+Each entry includes timestamp, tool name, command, result (success/blocked/error/timeout), and duration in milliseconds.
+
+### Secret Redaction
+
+LLM responses are scanned for common secret patterns before display:
+
+- Detected patterns: `sk-`, `AKIA`, `ghp_`, `gho_`, `xoxb-`, `xoxp-`, `sk_live_`, `sk_test_`, `-----BEGIN`
+- Secrets replaced with `[REDACTED]` preserving original whitespace formatting
+- Enabled by default (`security.redact_secrets = true`), applied to both streaming and non-streaming responses
+
+### Timeout Policies
+
+Configurable per-operation timeouts prevent hung connections:
+
+```toml
+[timeouts]
+llm_seconds = 120       # LLM chat completion
+embedding_seconds = 30  # Embedding generation
+a2a_seconds = 30        # A2A remote calls
+```
+
+### A2A Network Security
+
+- **TLS enforcement:** `a2a.require_tls = true` rejects HTTP endpoints (HTTPS only)
+- **SSRF protection:** `a2a.ssrf_protection = true` blocks private IP ranges (RFC 1918, loopback, link-local) via DNS resolution
+- **Payload limits:** `a2a.max_body_size` caps request body (default: 1 MiB)
 
 **Safe execution model:**
-- Commands parsed for blocked patterns before execution
+- Commands parsed for blocked patterns, then sandbox-validated, then confirmation-checked
 - Timeout enforcement (default: 30s, configurable)
-- Sandboxed execution with restricted environment
 - Full errors logged to system, sanitized messages shown to users
+- Audit trail for all tool executions (when enabled)
 
 ### Container Security
 

README.md

@@ -106,6 +106,12 @@ port = 8080
 public_url = ""
 # Rate limit: max requests per minute per IP (0 = unlimited)
 rate_limit = 60
+# Require TLS for outbound A2A connections
+require_tls = true
+# Block requests to private/loopback IPs
+ssrf_protection = true
+# Maximum request body size in bytes (1MB)
+max_body_size = 1048576
 
 [tools]
 # Enable tool execution (bash commands)
@@ -118,9 +124,33 @@ timeout = 30
 blocked_commands = []
 # Commands to remove from the default blocklist (e.g., ["curl", "wget"])
 allowed_commands = []
+# Restrict file access to these paths (empty = current directory only)
+allowed_paths = []
+# Allow network commands (curl, wget, nc)
+allow_network = true
+# Commands that require user confirmation before execution
+confirm_patterns = ["rm ", "git push -f", "git push --force", "drop table", "drop database", "truncate "]
 
 [tools.scrape]
 # HTTP request timeout in seconds
 timeout = 15
 # Maximum response body size in bytes (1MB)
 max_body_bytes = 1048576
+
+[tools.audit]
+# Enable audit logging for tool executions
+enabled = false
+# Audit destination: "stdout" or file path (e.g., "./data/audit.jsonl")
+destination = "stdout"
+
+[security]
+# Redact secrets (API keys, tokens) from LLM responses before display
+redact_secrets = true
+
+[timeouts]
+# LLM chat completion timeout in seconds
+llm_seconds = 120
+# Embedding generation timeout in seconds
+embedding_seconds = 30
+# A2A remote call timeout in seconds
+a2a_seconds = 30

config/default.toml

@@ -19,7 +19,8 @@ serde = { workspace = true, features = ["derive"] }
 subtle = { workspace = true, optional = true }
 serde_json.workspace = true
 thiserror.workspace = true
-tokio = { workspace = true, features = ["sync"] }
+tokio = { workspace = true, features = ["net", "sync"] }
+url.workspace = true
 tokio-stream.workspace = true
 tower = { workspace = true, optional = true }
 tower-http = { workspace = true, optional = true, features = ["limit", "trace"] }