Security Deep Dive

Security

Four critical vulnerabilities identified by 10 review agents, plus a 12-item remediation roadmap phased so that each fix ships before the feature it protects reaches production.

Critical Vulnerabilities

Each critical must be resolved before its associated phase ships. No exceptions.

CRITICAL-1

Hook Command Injection

Unsanitized file paths are interpolated into the shell command line that launches a hook, so shell metacharacters in the path are parsed as shell syntax rather than as part of the argument. A file named ; rm -rf / turns the hook invocation into two commands and executes the second with the agent's privileges.

Before Phase 2 (R2/R18)

CRITICAL-2

Rule-Based Prompt Injection

A cloned repo ships crafted rules with alwaysApply: true in its project config. Those rules are spliced into the system prompt, so whoever authored the repo can steer the agent's behavior before the user has read a single file.

Before Phase 2 (R17)

CRITICAL-3

Memory Secrets Leakage

Prompt injection can get malicious instructions, or harvested API keys, written into persistent memory. Because facts persist across sessions, a single successful injection becomes a standing compromise of every later session.

Before Phase 5 (R5/R14)

CRITICAL-4

MCP Untrusted Server Instructions

A project-level MCP config with a command field means cloning the repo is enough for arbitrary code execution: the agent launches whatever command the config names. Server-supplied instructions are a second channel, since they can be injected into the agent's system prompt.

Before Phase 6 (R9)

Remediation Roadmap

12 remediation items ordered by phase dependency. Each item is a blocker for the feature it protects: the feature does not ship until the item lands.

remediation timeline
── Before Phase 2 ──
1. Hook security model: user-level only, stdin JSON, restricted updatedInput
2. Rule trust boundaries: project-level untrusted, alwaysApply user-only, 2KB/10KB limits
3. TTSR retry cap: max 3 per session across all rules, log all corrections
── Before Phase 3 ──
4. Subagent tool restriction: explicit tools field, no bash for read-only agents
5. Git state protection: filter destructive git ops in worktrees, --detach for read-only
── Before Phase 5 ──
6. Secrets regex: full pattern list + base64 entropy detection
7. Extraction LLM isolation: hardcoded prompt, immune to session context
8. Memory content validation: reject instructions, tag provenance, confirm global writes
── Before Phase 6 ──
9. MCP sandbox: untrusted tags, namespace tools (mcp_*), user-level config only
10. Autonomous opt-in: explicit --autonomous flag, not TTY inference. $50 hard ceiling.
── Across All Phases ──
11. Strip API keys from child process env (hooks, MCP, subagents)
12. Security-critical flags: dual opt-in (remote + local) for hooks, autonomous, subagents
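The validation gate that items 6 to 8 describe, written out as an added example that is not subq's own code: a secret pattern list, base64/high-entropy detection, rejection of instruction-like text, and provenance tagging with a confirmation flag for global writes. The specific patterns, the 24-character and 4.0-bits-per-character thresholds, and the provenance field names are assumptions made for the example.

```javascript
// Added example, not subq's own code: a memory-write gate along the lines of
// roadmap items 6-8. Patterns, thresholds and field names are assumptions.

// Item 6: a deliberately short secret pattern list. A real list is longer.
const SECRET_PATTERNS = [
  { name: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "github-token", re: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/ },
  { name: "sk-style-key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/ },
  { name: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { name: "assignment", re: /(api[_-]?key|secret|token|password)\s*[:=]\s*['"]?[^\s'"]{8,}/i },
];

// Item 8: memory holds facts, not orders. Anything phrased as an instruction
// to the agent is rejected rather than stored.
const INSTRUCTION_PATTERNS = [
  /\bignore (all |any )?(previous|prior|above) instructions\b/i,
  /\b(you must|you should|always|never) (run|execute|use|call|ignore)\b/i,
  /\bsystem prompt\b/i,
  /^\s*(run|execute|curl|wget|rm|sudo)\b/im,
];

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Item 6, second half: base64-looking runs that are long and high-entropy are
// treated as opaque secrets even when no named pattern matches them.
function highEntropyTokens(text, minLen = 24, threshold = 4.0) {
  const re = new RegExp(`[A-Za-z0-9+/=_-]{${minLen},}`, "g");
  return [...text.matchAll(re)]
    .map((m) => m[0])
    .filter((t) => shannonEntropy(t) >= threshold);
}

// Gate one candidate fact. provenance = { source, sessionId, scope, at }.
function validateMemoryFact(text, provenance) {
  const reasons = [];
  for (const { name, re } of SECRET_PATTERNS) if (re.test(text)) reasons.push(`secret:${name}`);
  if (highEntropyTokens(text).length > 0) reasons.push("secret:high-entropy-token");
  if (INSTRUCTION_PATTERNS.some((re) => re.test(text))) reasons.push("instruction-like");
  if (reasons.length > 0) return { ok: false, reasons };
  return {
    ok: true,
    // provenance travels with the fact so a later reader can weight tool
    // output below what the user typed
    fact: { text, source: provenance.source, sessionId: provenance.sessionId, recordedAt: provenance.at },
    // writes to the global store are confirmed by the user, never autonomous
    needsConfirmation: provenance.scope === "global",
  };
}
```

The entropy check is what catches keys that match none of the named patterns; the price is that long random-looking identifiers (hashes, UUIDs without dashes) are also refused, which is the right default for a store that outlives the session. Item 7, the hardcoded extraction prompt, sits in front of this gate: the extractor decides what a fact is, the gate decides whether it may be written.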

Trust Boundary Model

Five input sources, each assigned a trust level that governs how the agent processes what it reads from that source.

Source                           | Trust Level | alwaysApply | ttsrTrigger | Commands
User config (~/.subq/)           | Full        | Yes         | Yes         | Yes
User rules (~/.subq/rules/)      | Full        | Yes         | Yes         | N/A
AGENTS.md (project)              | Trusted     | Yes         | No          | No
Project rules (.subq/, .cursor/) | Untrusted   | No          | No          | No
MCP server instructions          | Untrusted   | No          | No          | Confirm
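The table as enforcement at rule-load time, in an added example that is not subq's own code: a loader classifies each rule file by where it came from, applies that row's alwaysApply and ttsrTrigger policy, wraps untrusted bodies in a delimiter the rule text cannot close early, and applies roadmap item 2's size limits. The home-directory parameter, the field names, and the reading of the limits as 2 KB per project rule and 10 KB across all project rules are assumptions.

```javascript
// Added example, not subq's own code: enforcing the trust-boundary table at
// rule-load time (roadmap item 2). Field names, the home parameter, and the
// size limits as 2 KB per project rule / 10 KB total are assumptions.

// One row per source in the table. `commands` is carried through so a later
// stage can apply it; this loader enforces the other two columns.
const TRUST = {
  user_config:      { level: "full",      alwaysApply: true,  ttsrTrigger: true,  commands: "yes" },
  user_rules:       { level: "full",      alwaysApply: true,  ttsrTrigger: true,  commands: "n/a" },
  agents_md:        { level: "trusted",   alwaysApply: true,  ttsrTrigger: false, commands: "no" },
  project_rules:    { level: "untrusted", alwaysApply: false, ttsrTrigger: false, commands: "no" },
  mcp_instructions: { level: "untrusted", alwaysApply: false, ttsrTrigger: false, commands: "confirm" },
};
const PROJECT_RULE_MAX = 2 * 1024;   // per project-level rule file (assumed)
const PROJECT_TOTAL_MAX = 10 * 1024; // across all project-level rules (assumed)

// Classify by location. Anything not under the user's own ~/.subq/ and not an
// AGENTS.md is a project rule, i.e. untrusted: default deny.
function classifyRulePath(p, home) {
  if (p.startsWith(`${home}/.subq/rules/`)) return "user_rules";
  if (p.startsWith(`${home}/.subq/`)) return "user_config";
  if (/(^|\/)AGENTS\.md$/.test(p)) return "agents_md";
  return "project_rules";
}

// Wrap an untrusted body so the model sees it as data. A body that contains
// "</untrusted>" must not be able to close the wrapper early.
function wrapUntrusted(body, source, p) {
  const neutralized = body.replace(/<(\/?)untrusted\b/gi, "&lt;$1untrusted");
  return `<untrusted source="${source}" path="${p}">\n${neutralized}\n</untrusted>`;
}

// rules: [{ path, body, alwaysApply?, ttsrTrigger? }]. Returns the rules that
// will be loaded, with policy applied, plus human-readable warnings.
function loadRules(rules, home) {
  const applied = [];
  const warnings = [];
  let projectBytes = 0;
  for (const r of rules) {
    const source = classifyRulePath(r.path, home);
    const policy = TRUST[source];
    const size = Buffer.byteLength(r.body, "utf8");
    let body = r.body;
    if (policy.level === "untrusted") {
      if (size > PROJECT_RULE_MAX) {
        warnings.push(`${r.path}: rejected, ${size} B exceeds ${PROJECT_RULE_MAX} B per-rule limit`);
        continue;
      }
      if (projectBytes + size > PROJECT_TOTAL_MAX) {
        warnings.push(`${r.path}: rejected, ${PROJECT_TOTAL_MAX} B project rule budget exhausted`);
        continue;
      }
      projectBytes += size;
      body = wrapUntrusted(body, source, r.path);
    }
    if (r.alwaysApply && !policy.alwaysApply) warnings.push(`${r.path}: alwaysApply ignored for ${policy.level} source`);
    if (r.ttsrTrigger && !policy.ttsrTrigger) warnings.push(`${r.path}: ttsrTrigger ignored for ${policy.level} source`);
    applied.push({
      path: r.path,
      source,
      trust: policy.level,
      alwaysApply: Boolean(r.alwaysApply) && policy.alwaysApply,
      ttsrTrigger: policy.ttsrTrigger && r.ttsrTrigger ? r.ttsrTrigger : null,
      commandPolicy: policy.commands,
      body,
    });
  }
  return { applied, warnings };
}
```

The wrapper is a mitigation, not a boundary the model is guaranteed to honor. The stronger control is the alwaysApply column: a project rule never reaches the system prompt on its own, so a cloned repo gets to influence the agent only when the agent deliberately pulls that rule in.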

Additional Security Findings

5 High-severity and 6 Medium-severity findings from the 10-agent review.

HIGH-1: Subagent Tool Access

The default subagent inherits the full tool set, including bash. Read-only agents must be spawned without bash, edit, or write.

HIGH-2: Git Worktree Shared State

A worktree shares the parent repository's .git directory, so a subagent running in a worktree can modify .git/hooks/, run git gc, or delete branches that other workers depend on. Filter destructive git operations.

HIGH-3: updatedInput Escalation

A hook that returns updatedInput can rewrite the bash command or point an edit's file_path outside the project, turning a hook into a privilege escalation path. Restrict which fields a hook may mutate.

HIGH-4: TTSR Cascade DoS

A broad regex in a project-level ttsrTrigger matches on every turn and forces constant retries, a denial of service on the session. Reject project-level TTSR and cap retries at 3 per session.

HIGH-5: Hook R4 Override

A hook's approve decision bypasses the risk-based (R4) authorization check. Hooks must not be able to override a destructive classification.

MEDIUM-1: Env Override

Setting SUBQ_SYSTEM_INSTRUCTIONS_FILE bypasses all safety rules. Log a warning whenever it is set.

MEDIUM-2: Orphan Timeout

An orphaned subagent keeps running with bash access for up to 5 minutes. Reduce the orphan timeout to 60 seconds.

MEDIUM-3: API Key Inheritance

Child processes inherit OPENROUTER_API_KEY from the agent's environment. Strip it from the env passed to hooks, subagents, and MCP servers.

MEDIUM-4: Memory Lock Race

A manual write and an autonomous extraction can race on MEMORY.md, leaving a torn or partially overwritten file. Use rename-based atomic writes. Rename alone prevents torn files, not lost updates: two writers that each read, modify and rename still drop each other's lines unless the read-modify-write is serialized with a lock.

MEDIUM-5: TTY-Based Autonomy

process.stdout.isTTY can be spoofed, and is simply absent under a pipe, so it is not a security signal. Focus detection may modulate verbosity, never the permission level.

MEDIUM-6: Cross-Project Leak

Resuming a session from project A inside project B carries A's tool output (file contents, diffs, command results) into B's context, where it may expose proprietary code. Strip tool output on cross-project resume.

Risk Matrix

Risk                         | Impact | Probability | Mitigation
Hook command injection       | System | Medium      | Stdin JSON, user-level only
Rule prompt injection        | Agent  | High        | Untrusted project rules, size limits
Memory secrets leakage       | Creds  | Medium      | Hardcoded prompt, regex scanning
MCP untrusted instructions   | Data   | Medium      | Tag untrusted, namespace, user-only config
Cache boundary drift         | Cost   | Medium      | CI lint + runtime monitoring
TTSR O(n²) performance       | UX     | Medium      | Delta-scan with lastCheckedPosition
Git worktree lock contention | Perf   | Low         | Semaphore-serialized creation, 10 max