sudocode
Verified Safe
by sudocode-ai
Overview
Git-native spec and issue management for AI-assisted software development, enabling agents to track context, manage tasks, and collaborate through structured workflows and feedback loops within a version-controlled repository. It provides agent orchestration, context persistence, and real-time visualization for complex, long-horizon software development tasks.
Installation
npm install -g sudocode && sudocode init && sudocode server
Environment Variables
- SUDOCODE_DIR
- OPENAI_API_KEY
- ANTHROPIC_API_KEY
- LITELLM_MASTER_KEY
- CLAUDE_PATH
- COPILOT_PATH
- CURSOR_PATH
- DEBUG_PRINT_LIMIT
- SUDOCODE_WATCH
- SUDOCODE_PORT
- NODE_ENV
- VSCODE_CWD
- EDITOR
- VISUAL
- VOLTA_HOME
Security Notes
Sudocode operates directly within your Git repository, granting AI agents powerful capabilities including code modification, execution of arbitrary commands via tools (e.g., Bash), and direct manipulation of Git state (branches, worktrees). While designed for AI-assisted development, this level of access inherently carries risks. Key security considerations:
1. **Agent Autonomy**: Misconfigured or malicious agents could introduce bugs, compromise data, or execute unintended commands. The `dangerouslySkipPermissions` flag, if enabled, bypasses all interactive permission prompts, significantly increasing risk.
2. **Worktree Isolation**: Executions are isolated in Git worktrees by default, which is a strong protective measure, preventing direct modification of the main branch. However, changes are still intended to be merged back.
3. **Local-first Design**: All project data (`.sudocode/`) is version-controlled in your repository, and user-level credentials (`~/.config/sudocode/user_credentials.json`) are stored locally with restrictive `600` permissions, reducing external attack surface.
4. **External AI Services**: Relies on external AI CLI tools (Claude, Codex, Cursor). The security of the overall system is dependent on the security and behavior of these third-party agents.
5. **Plugins**: Supports third-party integration plugins, which could introduce vulnerabilities if not carefully vetted.
6. **Code Review**: Human oversight and code review of agent-generated changes are critical before merging to main branches.
7. **`restrictToWorkDir`**: The `AcpExecutorWrapper` supports a `restrictToWorkDir` option which, when enabled, configures a PreToolUse hook to block file operations outside the working directory. This enhances isolation but is not enabled by default for all execution modes.
Similar Servers
github-mcp-server
The GitHub MCP Server enables AI agents, assistants, and chatbots to interact with GitHub's platform for repository management, issue/PR automation, CI/CD intelligence, code analysis, and team collaboration through natural language.
responsible-vibe-mcp
Manages conversation state and guides LLM coding agents through structured software development workflows with long-term project memory and multi-agent collaboration.
spec-oxide
A simple and lightweight Micro-Container Platform (MCP) designed for spec-driven development workflows.
backlog
Manage project backlog and tasks using Markdown files in a Git repository, designed for frictionless collaboration between AI agents and human developers.