Security

dEXploarer edited this page Mar 9, 2026 · 1 revision

This page covers Milady's security model: network binding, API authentication, config file permissions, and code review security principles.

Network binding

By default, both the Gateway API server and Dashboard bind to 127.0.0.1 (loopback only). Only processes on the local machine can reach them.

To expose over a network (e.g. in a container or cloud deployment):

MILADY_API_BIND=0.0.0.0 milady start

Always set an API token when binding to a non-loopback address. Without one, anyone who can reach the server has full access to the dashboard, agent control, and all API endpoints.

API token

Generate and set a token:

echo "MILADY_API_TOKEN=$(openssl rand -hex 32)" >> ~/.milady/.env

The token is sent as a bearer token in the Authorization header:

Authorization: Bearer <token>

Config file permissions

~/.milady/milady.json is written with mode 0600 (owner read/write only). The ~/.milady/ directory is created with mode 0700. This prevents other users on the system from reading your API keys.

Config include injection defense

The config supports a $include directive. To prevent $include directives from being injected through the API:

  • The API server blocks $include keys on all config-write endpoints
  • $include directives are stripped before any write to disk (stripIncludeDirectives in src/config/config.ts)
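As an added illustration (not Milady's own stripIncludeDirectives, which is not reproduced here), the following TypeScript shows the two layers described above: detecting $include keys at any depth so a write endpoint can reject the body, stripping them before anything is written, and persisting with the 0700/0600 modes from the permissions section. The function names, writeConfig helper and sample body are constructed for this example.

```typescript
// Added example (not Milady's code): recursive $include handling for a
// config-write path, plus a write helper that applies this page's file modes.
import { chmodSync, mkdirSync, writeFileSync } from "node:fs";
import { dirname } from "node:path";
type Json = null | boolean | number | string | Json[] | { [key: string]: Json };
const INCLUDE_KEY = "$include";

// Return a path for every $include key, at any depth. A config-write
// endpoint can reject the request outright when this list is non-empty.
export function findIncludeDirectives(value: Json, path = ""): string[] {
  if (Array.isArray(value)) {
    return value.flatMap((item, i) => findIncludeDirectives(item, `${path}/${i}`));
  }
  if (value !== null && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) =>
      k === INCLUDE_KEY ? [`${path}/${k}`] : findIncludeDirectives(v, `${path}/${k}`),
    );
  }
  return [];
}

// Second layer: return a copy with every $include key removed, so nothing
// that reaches disk can pull in files the caller did not submit.
export function stripIncludeDirectives(value: Json): Json {
  if (Array.isArray(value)) {
    return value.map((item) => stripIncludeDirectives(item));
  }
  if (value !== null && typeof value === "object") {
    const out: { [key: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      if (k !== INCLUDE_KEY) out[k] = stripIncludeDirectives(v);
    }
    return out;
  }
  return value;
}

// Hypothetical write helper: strip, then persist with the modes described
// on this page (0700 directory, 0600 file; chmod covers a pre-existing file).
export function writeConfig(filePath: string, config: Json): void {
  mkdirSync(dirname(filePath), { recursive: true, mode: 0o700 });
  const body = JSON.stringify(stripIncludeDirectives(config), null, 2);
  writeFileSync(filePath, body, { mode: 0o600 });
  chmodSync(filePath, 0o600);
}

// Constructed sample request body carrying $include at two depths.
export const sample: Json = {
  agent: { name: "demo", $include: "/tmp/placeholder-other.json" },
  plugins: [{ $include: "../placeholder-extra.json" }, { id: "weather" }],
};
```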

Verifying release downloads

All release binaries are signed and notarized. To verify:

cd ~/Downloads
curl -fsSLO https://github.com/milady-ai/milady/releases/latest/download/SHA256SUMS.txt
shasum -a 256 --check --ignore-missing SHA256SUMS.txt

macOS binaries are notarized with Apple. The installer removes the quarantine attribute after copying to /Applications.

Code review security model

From CONTRIBUTING.md: all PRs are treated with adversarial intent until proven otherwise. The review agent checks for:

  • Prompt injection vectors
  • Credential exposure in code or comments
  • Supply chain risks (new npm dependencies, postinstall scripts)
  • Data exfiltration patterns
  • Subtle behavior changes in auth or permissions paths

Secrets in config

  • API keys should go in ~/.milady/.env rather than directly in milady.json
  • logging.redactSensitive (default: "tools") redacts sensitive tokens in tool summaries
  • Never commit real credentials, phone numbers, or live config values to the repo
  • Use obviously fake placeholders in docs, tests, and examples

Database security

Run the database security tests:

bun run db:check

This runs src/api/database.security.test.ts, src/api/database.readonly-query-guard.test.ts, and the e2e database API tests.

SSRF and memory bounds

The codebase includes network-policy (SSRF) tests and memory-bounds test suites in src/security/.

Responsible disclosure

Open a GitHub issue with the category:security label. The agent review pipeline prioritizes security issues.