Documentation
Threat Model
How Duct enforces safety between humans, agents, peer shells, and your upstream APIs — and what integrators must still verify on their side.
Operator reference
The canonical long-form document lives atdocs/threat-model.md in the monorepo. This page summarizes the enforcement model after the 2026-07 security remediation pass.Actors and trust boundaries
Your API must verify Bearer tokens independently. X-Duct-Proxy is a hint, not proof of identity.
Token model
Confirmations (side-effects)
Agents receive 202 confirmation_required with an approval_url for a human. Approve/deny requires an approval_nonce embedded only in that URL — not returned to the agent. The execution_token is delivered on the approval page HTML only.
Intershell invariants (IS-*)
Cross-shell calls are gated on intershell_enabled, registry_visibility: public, explicit agentAccessible: true, optional allowedCallers, and the consent matrix. The same gates apply on /invoke for cross-shell agent callers — not only on /intershell/message.
Details: Inter-Shell Protocol.
SSRF posture
Upstream fetches resolve DNS once, reject private/loopback/metadata addresses, pin the resolved IP, and use redirect: manual with per-hop re-validation. Production must run with ALLOW_PRIVATE_UPSTREAM unset. Local Docker enables private upstreams for developer convenience only.
Residual risk
A manifestbaseUrl pointing at a public attacker origin can still harvest delegated tokens. Treat manifest push as a privileged operation and monitor baseUrl changes.Prompt injection
Cross-shell payloads are tagged as external data. Deterministic guards in the modality router enforce hop caps and tool policy — not prompt text alone. Synthesis is terminal: the shell ends the turn after synthesis. Side-effects still require human confirmation even if routing misfires.