budgie

Verified Safe

by chieftecho

Overview

A Go-based MCP server that exposes specialized Kiro agents as sub-tools for complex task orchestration within the Kiro CLI ecosystem, with robust session management and Docker-based sandboxing.

Installation

Run Command
./budgie --sandbox

Security Notes

The server prioritizes security through its sandbox mode, which runs each sub-agent in an isolated Docker container. This provides filesystem isolation (only the mounted working directory is read-write), credential protection (host credentials like ~/.aws/ and ~/.ssh/ are explicitly not mounted; only the kiro-cli auth is mounted, read-only), and controlled execution. Each session uses a unique Docker volume for isolation and cleanup. The 'Mandatory directory parameter' forces explicit working directory control.

However, the 'TODO' section explicitly notes the lack of a 'Prompt Sanitizer' to prevent prompt injection attacks, a significant acknowledged risk for a system orchestrating AI agents that can use powerful tools like 'execute_bash', 'fs_read', and 'web_fetch'. The sandbox heavily mitigates the blast radius of such attacks, but prompt injection itself is not yet prevented at the input stage.

Stats

Interest Score: 0
Security Score: 8
Cost Class: High
Stars: 0
Forks: 1
Last Update: 2026-01-07

Tags

MCP, AI Agents, Orchestration, Go, Sub-agents, Docker, Developer Tools