[secure] hyle

Guardrails, audit trails, and defense in depth

SECURITY DEMO

Security Controls

Destructive Command Blocking

Pattern matching blocks rm -rf, fork bombs, and disk overwrites before execution

// Blocked patterns in src/tools.rs
const BLOCKED_PATTERNS: &[&str] = &[
    "rm -rf",
    "rm -r /",
    ":(){ :|:& };:",   // fork bomb
    "dd if=/dev/zero", // disk overwrite
    "curl | sh",       // RCE
    "wget | bash",     // RCE
    "> /dev/sda",      // disk write
    "mkfs.",           // format disk
];

// Check runs before any bash execution
fn is_blocked(cmd: &str) -> bool {
    BLOCKED_PATTERNS.iter().any(|p| cmd.contains(p))
}

Atomic File Writes

Write to temp file, fsync, rename. No partial writes. No corruption.

use std::fs::{self, File};
use std::io::{self, Write};
use std::path::Path;

pub fn atomic_write(path: &Path, content: &[u8]) -> io::Result<()> {
    // 1. Write to temp file in same directory
    let temp = path.with_extension("tmp");
    let mut file = File::create(&temp)?;
    file.write_all(content)?;
    // 2. Force to disk (critical for atomicity)
    file.sync_all()?;
    // 3. Atomic rename (POSIX guarantees)
    fs::rename(&temp, path)?;
    // 4. Verify content matches
    let readback = fs::read(path)?;
    assert_eq!(readback, content, "Write verification failed");
    Ok(())
}

Backup Rotation

Timestamped backups for every modified file. Last 3 versions kept.

$ ls ~/.local/state/hyle/backups/myproject/
src/auth/jwt.rs.2026-01-10T14:23:15.bak
src/auth/jwt.rs.2026-01-10T15:42:03.bak
src/auth/jwt.rs.2026-01-10T16:18:47.bak

$ hyle restore src/auth/jwt.rs --version 2026-01-10T14:23:15
Restored src/auth/jwt.rs from backup

$ hyle restore src/auth/jwt.rs --list
Available versions:
  1. 2026-01-10T16:18:47 (latest)
  2. 2026-01-10T15:42:03
  3. 2026-01-10T14:23:15
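As an added example (not hyle's own code), the atomic write from the previous section and the keep-last-3 rotation described here, combined using only the Rust standard library. The backup name uses epoch nanoseconds plus a sequence counter instead of the ISO timestamp shown above, and `KEEP_VERSIONS`, `backup_and_rotate` and the directory layout are assumptions.

```rust
// Added example, not hyle's code: atomic write + backup rotation keeping the newest N copies.
use std::fs::{self, File};
use std::io::{self, Write};
use std::path::{Path, PathBuf};
use std::sync::atomic::{AtomicU64, Ordering};
use std::time::{SystemTime, UNIX_EPOCH};

/// How many backups to keep per file (the page states 3). Assumed name.
pub const KEEP_VERSIONS: usize = 3;
static SEQ: AtomicU64 = AtomicU64::new(0); // breaks ties if two snapshots share a nanosecond

/// Temp file in the same directory, fsync, rename. The temp name is appended to the
/// full file name so `jwt.rs` cannot collide with a `jwt.tmp` made for another file.
pub fn atomic_write(path: &Path, content: &[u8]) -> io::Result<()> {
    let mut tmp_name = path.file_name().map(|n| n.to_os_string()).unwrap_or_default();
    tmp_name.push(".tmp");
    let temp = path.with_file_name(tmp_name);
    let mut file = File::create(&temp)?;
    file.write_all(content)?;
    file.sync_all()?;         // data is durable before the rename makes it visible
    fs::rename(&temp, path)?; // POSIX rename is atomic within one filesystem
    Ok(())
}

/// Snapshot `path` (if it exists) as `<name>.<stamp>-<seq>.bak` in `backup_dir`, then
/// delete older copies beyond KEEP_VERSIONS. Returns the remaining backups, newest first.
pub fn backup_and_rotate(path: &Path, backup_dir: &Path) -> io::Result<Vec<PathBuf>> {
    fs::create_dir_all(backup_dir)?;
    let name = path.file_name().and_then(|n| n.to_str()).unwrap_or("file");
    if path.exists() {
        let stamp = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
        let seq = SEQ.fetch_add(1, Ordering::SeqCst);
        fs::copy(path, backup_dir.join(format!("{name}.{stamp:020}-{seq:06}.bak")))?;
    }
    let prefix = format!("{name}.");
    let mut backups: Vec<PathBuf> = fs::read_dir(backup_dir)?
        .filter_map(|e| e.ok().map(|e| e.path()))
        .filter(|p| p.file_name().and_then(|n| n.to_str())
            .map_or(false, |n| n.starts_with(&prefix) && n.ends_with(".bak")))
        .collect();
    backups.sort();    // zero-padded stamps sort lexically in chronological order
    backups.reverse(); // newest first
    let keep = KEEP_VERSIONS.min(backups.len());
    for old in backups.drain(keep..) {
        fs::remove_file(old)?;
    }
    Ok(backups)
}
```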

Secure Config Storage

API key stored with 0600 permissions in XDG config directory

$ ls -la ~/.config/hyle/
total 8
drwx------ 2 user user 4096 Jan 10 14:00 .
-rw------- 1 user user  256 Jan 10 14:00 config.json

$ cat ~/.config/hyle/config.json
{
  "api_key": "sk-or-v1-xxxx...redacted",
  "default_model": "deepseek-coder",
  "fallback_models": ["qwen/qwen-2.5-coder-32b-instruct"]
}

// Config is never logged, printed, or sent to telemetry
// Key is read once at startup, stored in memory only

Audit Logging

Every operation logged with timestamp, prompt, file, and checksum

$ hyle audit --since "24h" --format json | jq '.[0]'
{
  "timestamp": "2026-01-10T14:23:15.234Z",
  "session_id": "sess_8f3a2b1c",
  "operation": "write",
  "file": "src/auth/jwt.rs",
  "lines_changed": 47,
  "checksum_before": "sha256:a1b2c3d4...",
  "checksum_after": "sha256:e5f6g7h8...",
  "prompt": "add token expiration check",
  "model": "deepseek-coder",
  "backup_path": "~/.local/state/hyle/backups/..."
}

Tool Timeout

60s default timeout on all tool executions. Configurable per-command.

# Default timeouts in config
[timeouts]
bash = "60s"
read = "10s"
write = "30s"
glob = "10s"
grep = "30s"

# Long-running commands can be configured
[timeouts.overrides]
"cargo build" = "300s"
"cargo test" = "600s"
"npm install" = "300s"

# Timeout triggers graceful shutdown, then SIGKILL
# Output up to timeout point is captured and returned

Blocked Patterns

BLOCKED_PATTERNS in src/tools.rs

Pattern           Description
rm -rf            Recursive force delete
rm -r /           Root directory delete
:(){ :|:& };:     Fork bomb
dd if=/dev/zero   Disk overwrite
curl | sh         Remote code execution
wget | bash       Remote code execution
> /dev/sda        Direct disk write
mkfs.             Format filesystem

Audit Information

Test coverage      364 tests
Explicit panics    0
Dependencies       38 crates (cargo-audit clean)
unsafe blocks      0
License            MIT
Source available   Yes (GitHub)