Security Model: How to Run Safely

# Security Model: How to Run Safely

Instar runs Claude Code with `--dangerously-skip-permissions`. This gives your agent full system access — which is what makes it powerful, and why understanding the security model matters.

## The Short Version

Instar is **power-user infrastructure**, not a sandbox. Security comes from multiple defense layers, not from restricting capabilities.

## Defense Layers

### 1. Behavioral Hooks (Pre-execution)
Command guards intercept destructive operations before they execute:
- `rm -rf /` → blocked
- `git push --force` → blocked
- `DROP TABLE` → blocked

These are configurable. See [Hooks Reference](https://instar.sh/reference/hooks/).

### 2. Safety Gates (LLM-supervised)
External operations (API calls, emails, posts) go through an LLM-supervised review gate:
- Each service has an adaptive trust score
- Low-trust services require explicit approval
- Trust builds over time with successful operations

See [Safety Gates](https://instar.sh/features/safety-gates/).

### 3. Network Hardening
- API binds to localhost only by default
- CORS restrictions
- Rate limiting on all endpoints

### 4. Identity Coherence
An agent with strong identity is harder to manipulate via prompt injection. Instar's identity hooks re-ground the agent at every session boundary.

### 5. Decision Journaling
Every significant decision is logged with rationale. This creates an audit trail and makes the agent's reasoning inspectable.

## Recommendations

### For Personal Use
The default configuration is reasonable for personal use on your own machine. The behavioral hooks catch the most common destructive mistakes.

### For Shared Environments
- Run in a container (Dockerfile provided)
- Use a dedicated user account with limited permissions
- Review and customize the command guard hook for your environment
- Monitor the decision journal regularly

### What NOT to Do
- Don't run Instar on a machine with production databases unless you understand the risks
- Don't expose the API port to the internet
- Don't disable behavioral hooks without understanding what they protect

## Reporting Security Issues

See [SECURITY.md](https://github.com/SageMindAI/instar/blob/main/SECURITY.md) for responsible disclosure guidelines.

## Further Reading

- [Coherence Is Safety](https://instar.sh/concepts/safety/) — why identity and memory are security features
- [SECURITY.md](https://github.com/SageMindAI/instar/blob/main/SECURITY.md) — vulnerability reporting
- [Hooks Reference](https://instar.sh/reference/hooks/) — all 8 behavioral hooks explained

---

*This issue is pinned for visibility. For security questions, use [GitHub Discussions Q&A](https://github.com/SageMindAI/instar/discussions/categories/q-a) or email the address in SECURITY.md.*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Model: How to Run Safely #19

Security Model: How to Run Safely

The Short Version

Defense Layers

1. Behavioral Hooks (Pre-execution)

2. Safety Gates (LLM-supervised)

3. Network Hardening

4. Identity Coherence

5. Decision Journaling

Recommendations

For Personal Use

For Shared Environments

What NOT to Do

Reporting Security Issues

Further Reading

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security Model: How to Run Safely #19

Description

Security Model: How to Run Safely

The Short Version

Defense Layers

1. Behavioral Hooks (Pre-execution)

2. Safety Gates (LLM-supervised)

3. Network Hardening

4. Identity Coherence

5. Decision Journaling

Recommendations

For Personal Use

For Shared Environments

What NOT to Do

Reporting Security Issues

Further Reading

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions