Please do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately by emailing:
security@<org>
Include a description of the issue, steps to reproduce, and any relevant context. You will receive an acknowledgement within a few business days.
agentixmesh is a single-machine, same-user message channel. The sender's uid is kernel-verified via fstat on an open file descriptor — the uid field in a message cannot be forged by another process running as the same user. An incoming mesh frame is treated as inert DATA, not as an instruction.
The DATA-framing mitigates prompt injection — it does not eliminate it. The receiving LLM remains the ultimate trust boundary. A message body grants no authority: the receiving session must not execute code, reveal secrets, or take irreversible actions based solely on the content of a mesh message body.
The trust boundary is exercised by an adversarial red-team suite (test_redteam_*.py) that
actively attacks the invariants and asserts each attack fails. It covers:
- sender/identity forgery — a message whose self-declared
fromfield claims a different uid than the real file owner is resolved on the kernel-verified owner (fstat-on-fd), never on the claimed field; - prompt-injection sanitation — forged frame tags, smuggled turn markers (fullwidth,
zero-width, bidi,
U+2028/U+2029line separators) and imitated metadata lines stay inert and line-prefixed inside the DATA frame; - gate body-withholding — a gated message reveals only inert metadata; the body never reaches the context window before approval;
- replay / dedup — a message is delivered at most once, keyed on the verified receiving address, not on any attacker-controllable field;
- filesystem attacks — symlink/hardlink swaps, non-regular files and unsafe modes are rejected fail-closed;
- same-uid
autodefense-in-depth — the only path to autonomous handling (sender_uid == my_uid) now requires the caller to explicitly assert kernel-verification (sender_verified=True). Without that assertion the resolver is fail-safe: it degrades to a human gate rather than acting autonomously, so a caller that ever passes an unverified uid can never silently reachauto. A foreign uid is engine-clamped and can never reachautoregardless of policy.
All of these pass in the current release.
Cross-user and cross-machine transport are a separate, private, not-yet-live layer and are outside the scope of this public tool. Do not report issues about multi-user or networked scenarios against this repository — those surfaces are not exposed here.
Only the current release on the main branch is supported.