agent-relay is pre-1.0. Security fixes are handled on the main branch until release branches exist.
Please do not open a public issue for a vulnerability that exposes credentials, private prompts, workspace paths, or local machine access.
Report privately through GitHub Security Advisories when available. If advisories are not available for this repository, contact the maintainer through a private channel and include only the minimum redacted details needed to reproduce the issue.
- The relay is intended to run on a trusted machine.
- IM access is restricted with
ALLOWED_USER_IDS;ALLOWED_CONVERSATION_IDSis recommended for group or shared bot deployments. - The optional relay control API binds to
127.0.0.1and uses a startup-scoped bearer token passed only through the child agent environment. - Runtime logs at
debuglevel can include raw IM messages, prompts, and agent output chunks. - SQLite state can contain workspace names, bindings, thread IDs, transcript events, prompt state, approvals, and paged output.
Do not publish:
.env.data/agent-relay.sqlitelogs/- IM credentials
- allowlisted user or conversation IDs
- private workspace paths
- prompt text or assistant output that should not be public
- relay media under
.agent-relay/media