⚠️ Status: This document details the security posture of APEX v1.3.0

APEX implements a multi-tier permission system (T0-T3) with increasing verification requirements:

All API requests require HMAC-SHA256 signature authentication:

X-APEX-Signature: <hmac-sha256-signature>
X-APEX-Timestamp: <unix-timestamp>

Signature Calculation:

message = timestamp + method + path + body
signature = HMAC-SHA256(shared_secret, message)

• Timestamp must be within 5 minutes to prevent replay attacks
• Set APEX_AUTH_DISABLED=1 for local development ONLY

Task execution includes capability tokens that encode:

• Task ID
• Permission tier
• Allowed skills
• Allowed domains
• Expiration time
• Maximum cost

T3 operations require TOTP verification using totp-rs:

// TOTP configuration
Secret key: Base32-encoded, stored securely
Digits: 6
Period: 30 seconds
Algorithm: SHA1

• shell.execute - Shell command execution
• Any skill marked as T3 tier

APEX implements token bucket rate limiting to prevent DoS:

APEX uses Docker with hardened security settings:

# Resource limits
--memory 2048m              # 2GB memory limit
--cpus 2                    # 2 CPU cores
--pids-limit 256            # Max 256 processes

# Isolation
--network none              # Network isolation (no internet access)
--read-only                 # Read-only filesystem
--tmpfs /tmp:rw,exec       # Writable tmpfs for temp files
--cap-drop ALL              # Drop all capabilities
--privileged=false          # Not privileged
--restart no                # No auto-restart
--rm                        # Auto-remove on exit
--stop-timeout 10           # Graceful shutdown

Firecracker provides stronger isolation via microVMs:

• No shared kernel with host
• Near-native performance
• Minimal attack surface

• All user input is parameterized in SQL queries
• Using sqlx with bind variables

Agent prompts include sanitization for:

• DAN/jailbreak patterns
• Developer mode bypass attempts
• New instruction overrides
• Spanish-to-English translation tricks

• Sanitized identifiers (alphanumeric, dash, underscore, space only)
• Path traversal prevention

• Network isolation: none (no internet by default)
• Memory limit: 2048MB
• CPU limit: 2
• Process limit: 256

• --memory=2048m
• --cpus=2
• --pids-limit=256
• --network=none
• --read-only filesystem with --tmpfs=/tmp

• Runsc sandbox for container isolation
• Network namespace isolation

All security-relevant events are logged:

// Audit log entry
struct AuditEntry {
    timestamp: DateTime<Utc>,
    action: String,
    actor: String,
    resource: String,
    outcome: String,  // success/failure
    metadata: Json,
}

• T3 operations require hardware token
• Constitution values immutable without T3
• SOUL.md checksum verification

1. Pre-alpha status - Not production-ready
2. No security audit - Requires third-party review
3. Local-only by default - Bind to localhost
4. Single-user model - No multi-tenancy

MCP servers are managed via McpServerManager with connection pooling:

• Configurable min/max connections per server
• Connection timeout and idle timeout
• Health check on all pooled connections

All MCP tool arguments are validated:

• Shell injection (;, |, &&, etc.)
• Path traversal (../, absolute paths)
• Code execution (eval, exec, __import__)

1. Enable TOTP for all destructive operations
2. Use Firecracker/gVisor isolation (or Docker with hardened settings)
3. Configure network allowlists
4. Enable audit log retention
5. Rotate shared secret regularly
6. Enable rate limiting
7. Use TLS in production

Last Updated: 2026-03-06