# Assistant Security and RBAC

The assistant module implements a multi-layered security model based on Role-Based Access Control (RBAC) and strict isolation boundaries.

## RBAC Model
The system uses a predefined set of roles to control access to tools and features:
| Role | Description |
|---|---|
| MasterAdmin | Full system access, dynamic tool creation, sensitive infra tools. |
| Partner | High-level business and management tools. |
| Friend | Access to personal productivity and general tools. |
| Business | Restricted to business-specific worker agents. |
| Guest | Highly restricted, public-facing tools only. |
| Banned | Zero access to the assistant module. |
## Access Control Layers

### 1. Tool Filtering

During session creation, the assistant module filters the global tool registry. Tools are only added to a session's `Tools` map if the user's role matches one of the `AllowedRoles` defined in the tool's markdown.
### 2. Path Traversal & Command Security

- File Isolation: File operations use `filepath.Clean()` and block any paths containing `..` to prevent directory traversal.
- Destructive Pattern Blocking: The `IsRemoteCommandSafe()` function blocks dangerous shell commands (e.g., `rm`, `mkfs`, `dd`, `shutdown`) from being executed via SSH tools.
- Confirmed Operations: Destructive actions like file deletion require an explicit `confirmed=true` parameter in the tool call.
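The two checks above (role-gated tool filtering from section 1 and `filepath.Clean()`-based path isolation from section 2), as an added illustrative example written for this page, not the project's `assistant/assistant.go`. The `Tool` struct, `FilterTools` and `SafeWorkspacePath` are hypothetical names; the second function adds a `filepath.Rel` containment check on top of the `..` rejection the page describes.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Tool is a hypothetical stand-in for a tool's markdown metadata: its name
// and the AllowedRoles that may invoke it.
type Tool struct {
	Name         string
	AllowedRoles []string
}

// FilterTools builds a session's Tools map, keeping only tools whose
// AllowedRoles list contains the user's role. Banned users get nothing,
// whatever a tool's metadata says.
func FilterTools(role string, registry []Tool) map[string]Tool {
	session := make(map[string]Tool)
	if role == "Banned" {
		return session
	}
	for _, t := range registry {
		for _, allowed := range t.AllowedRoles {
			if allowed == role {
				session[t.Name] = t
				break
			}
		}
	}
	return session
}

// SafeWorkspacePath cleans a user-supplied path, rejects absolute paths and
// any ".." component, then confirms the joined result still lies inside the
// workspace root (a second check in case the first is ever relaxed).
func SafeWorkspacePath(root, userPath string) (string, error) {
	cleaned := filepath.Clean(userPath)
	if filepath.IsAbs(cleaned) || strings.Contains(cleaned, "..") {
		return "", fmt.Errorf("rejected %q: absolute path or traversal component", userPath)
	}
	full := filepath.Join(root, cleaned)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("rejected %q: escapes workspace root", userPath)
	}
	return full, nil
}
```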
### 3. Execution Sandboxing

- Bubblewrap: Project terminal executions run in a `bwrap` sandbox on Linux, isolating the workspace and restricting access to host directories and namespaces.
- Containerization: Certain agents (like Nikki) operate within dedicated containers (e.g., `nikki.dlan`) with limited network reach.
## Implementation Details

- Contacts Mapping: User roles are defined in `assistant/contacts.json`, mapping platform-specific IDs (Discord, WhatsApp, Telegram) to names and roles.
- Role Enforcement: `assistant/assistant.go` contains the logic for tool filtering and role-based prompt injection.
## Component Diagram: Security Layers

```mermaid
graph TD
    User([User Request]) --> RBAC[Role-Based Access Control]
    RBAC --> Filter[Tool Filter: Role check]
    Filter --> Sandbox[Sandbox: Bubblewrap/Container]
    Sandbox --> Guard[Command Guard: Dangerous pattern block]
    Guard --> Execution[Shell Execution]
    subgraph "Isolation Barriers"
        Filter
        Sandbox
        Guard
    end
```
## Guidance for AI Agents

- Role Limitations: Respect the user's role. If a tool is unavailable, explain that it requires higher permissions.
- Safety First: Never attempt to bypass command filters. If a legitimate command is blocked, suggest an alternative or ask the user to perform the action manually.
- Sanitization: Always sanitize user-provided filenames or paths before passing them to tools.
## Cross-References

- Security-RBAC.md (Original Reference)
- Features/assistant/tool-execution.md