Agenvoy
Security Model
Permission mode
Agenvoy supports two permission modes: single-confirm and always-allow. Seven categories of irreversible operations always require explicit ask_user regardless of mode:
- File deletion or overwrite
- System configuration changes
- Network requests to unknown endpoints
- Package installation
- Credential storage or retrieval
- Process termination
- Scheduler creation or modification
System prompt protection
The system prompt (configs/prompts/system_prompt.md) instructs the LLM to refuse:
- Requests to disclose system prompt contents
- Role-play / DAN / "ignore previous instructions" overrides
- Paths containing
..or system directories (/etc,/usr,/root,/sys) - Commands like
rm -rf,chmod 777,curl | sh
These are policy in prompt, not Go-side hardcoded filters — adding a category means editing the prompt only.
Keychain
Credentials (provider API keys, OAuth tokens) are stored in the OS keychain under service agenvoy:
| Platform | Backend |
|---|---|
| macOS | security CLI |
| Linux | secret-tool (libsecret) |
| Other / fallback | Encrypted file under ~/.config/agenvoy/ |
The service name "agenvoy" is fixed and must not change.
MCP isolation considerations
MCP servers are third-party processes whose behavior is unverifiable. Agenvoy treats them as untrusted by default and does not provide a per-server "trusted" flag. All MCP tool calls go through the same confirm gate as built-in tools. If you want batch MCP operation, use agen run (which trusts your own decision, not the server's).
[!NOTE] This document was auto-generated by Claude after reading the full source code.