diff --git a/.github-minimum-intelligence/docs/final-warning.md b/.github-minimum-intelligence/docs/final-warning.md index 654278e..5dc5a62 100644 --- a/.github-minimum-intelligence/docs/final-warning.md +++ b/.github-minimum-intelligence/docs/final-warning.md @@ -1,8 +1,8 @@ -# ⚠️ FINAL WARNING +# Before You Begin -## Important Safety Information +## Important Information -**Read this entire document before using this software. Keep it for future reference.** +**We recommend reading this document before using this software. It covers what the system does, what to be aware of, and how to use it responsibly.** --- 
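Review bot: the lead sentence goes from an imperative ("Read this entire document before using this software") to a recommendation, but the index.md hunk in this same patch still tags the document "**Read this first.**" and CONTRIBUTING.md still says "Before contributing, please read". The document also still carries the Standing Order and the DEFCON rules, which only work if operators have read them. Pick one stance across the three files; if reading is expected, keep the lead as `**Read this document before using this software.**` and drop "We recommend".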
@@ -12,23 +12,25 @@ This is an AI-powered coding infrastructure. It is intended for use by qualified --- -### Blast Radius +### Capabilities and Scope -Before deploying this system, understand what could go wrong. The [Blast Radius Analysis](warning-blast-radius.md) is a factual, evidence-based audit of the out-of-the-box capabilities available to the agent running as a GitHub Actions workflow. +Before deploying this system, it helps to understand what the agent can access. The [Capabilities Analysis](warning-blast-radius.md) is a factual, evidence-based audit of the out-of-the-box capabilities available to the agent running as a GitHub Actions workflow. -**Key findings:** +> **Note:** Most of these capabilities are standard properties of any GitHub Actions workflow running on `ubuntu-latest`. They are not unique to this project. We document them here so you can make informed decisions about your security posture. -| Dimension | Severity | +**Key areas to be aware of:** + +| Dimension | Level | |---|---| -| Code & Repository Tampering | πŸ”΄ CRITICAL | -| Supply Chain Poisoning | πŸ”΄ CRITICAL | -| Secret Exfiltration | πŸ”΄ CRITICAL | -| Lateral Movement (Org) | πŸ”΄ CRITICAL | -| Network Egress | 🟠 HIGH | -| Compute Abuse | 🟠 HIGH | -| Persistence | 🟑 MEDIUM | +| Code & Repository Access | πŸ”΄ High priority | +| Supply Chain Considerations | πŸ”΄ High priority | +| Secret Exposure | πŸ”΄ High priority | +| Cross-Repository Access (Org) | πŸ”΄ High priority | +| Network Egress | 🟠 Moderate priority | +| Compute Resources | 🟠 Moderate priority | +| Persistence | 🟑 Low priority | -**Overall:** One compromised issue comment can lead to full organizational code takeover, secret theft, and supply chain attacks on downstream consumers. +**Summary:** Like any GitHub Actions workflow with write permissions, the agent has broad access to the repository and its secrets. 
Standard hardening practices (branch protection, scoped tokens, code review) are recommended β€” see the full analysis for details. πŸ“– **Full analysis:** [warning-blast-radius.md](warning-blast-radius.md) @@ -36,17 +38,17 @@ Before deploying this system, understand what could go wrong. The [Blast Radius --- -### Warnings and Precautions +### Things to Keep in Mind -⚠️ **WARNING:** AI-generated code may contain errors, hallucinations, or security vulnerabilities. Never deploy to production without human review. +- **AI-generated code may contain errors, hallucinations, or security vulnerabilities.** Always review before deploying to production. -⚠️ **WARNING:** Do not use AI output as the sole basis for decisions affecting human safety, liberty, or livelihood. +- **Do not use AI output as the sole basis for decisions affecting human safety, liberty, or livelihood.** -⚠️ **WARNING:** This software may produce confident-sounding responses that are factually incorrect. Verify all claims independently. +- **This software may produce confident-sounding responses that are factually incorrect.** Verify important claims independently. -⚠️ **WARNING:** Outputs may reflect biases present in training data. Exercise professional judgment at all times. +- **Outputs may reflect biases present in training data.** Exercise professional judgment at all times. -⚠️ **WARNING:** Do not feed secrets, API keys, passwords, or private credentials into AI prompts. +- **Do not feed secrets, API keys, passwords, or private credentials into AI prompts.** --- 
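Review bot: in the "Capabilities and Scope" hunk, the added note "Most of these capabilities are standard properties of any GitHub Actions workflow running on `ubuntu-latest`" is contradicted by the table it introduces: the "Cross-Repository Access (Org)" row describes push access to all org repositories, and a default `GITHUB_TOKEN` is scoped to the repository running the workflow, so that reach comes from how this project's token is provisioned, not from the runner. Root, Docker and unrestricted egress are runner properties; org-wide token scope is not. Qualify the note accordingly or drop it. Two smaller points in the same hunk: the column header now reads "Level" while every cell reads "... priority", and the summary "Like any GitHub Actions workflow with write permissions" repeats the conflation; the conclusion hunk later in this patch says "on an organization-scoped token", which is the accurate wording to reuse here.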
@@ -133,7 +135,7 @@ Like all powerful tools, this software may cause side effects. Not everybody exp ### The Four Laws of AI -This system defines [The Four Laws of AI](the-four-laws-of-ai.md), adapted from Asimov's Laws of Robotics for AI infrastructure, we recommend you use them: +This system defines [The Four Laws of AI](the-four-laws-of-ai.md), adapted from Asimov's Laws of Robotics for AI infrastructure. We recommend you adopt them: | Law | Principle | Summary | |-----|-----------|---------| @@ -160,7 +162,7 @@ This system defines five operational readiness states modelled on military DEFCO | [DEFCON 4](transition-to-defcon-4.md) | **Above Normal Readiness** | Full capability, elevated discipline | All capabilities available, but confirm intent before every write. Minimize blast radius. No speculative changes. | | [DEFCON 5](transition-to-defcon-5.md) | **Normal Readiness** | Standard operations | All capabilities available. Default operating posture per agent instructions. | -⚠️ **Standing Order:** The agent must obey DEFCON transitions immediately. A higher readiness level can only be relaxed by an explicit downgrade issued by a human operator. +**Standing Order:** The agent must obey DEFCON transitions immediately. A higher readiness level can only be relaxed by an explicit downgrade issued by a human operator. --- @@ -191,7 +193,7 @@ Maintained by humans, for humans. --- -**⚠️ IN CASE OF EMERGENCY:** `git revert`, then think. +**If something goes wrong:** `git revert`, then think.

diff --git a/.github-minimum-intelligence/docs/incident-response.md b/.github-minimum-intelligence/docs/incident-response.md index c77a643..2cace60 100644 --- a/.github-minimum-intelligence/docs/incident-response.md +++ b/.github-minimum-intelligence/docs/incident-response.md @@ -1,6 +1,6 @@ # 13. Incident Response Plan -> πŸ“– [Documentation Index](./index.md) Β· [Security Assessment](./security-assessment.md) Β· [Blast Radius Analysis](./warning-blast-radius.md) +> πŸ“– [Documentation Index](./index.md) Β· [Security Assessment](./security-assessment.md) Β· [Capabilities Analysis](./warning-blast-radius.md) > > **Classification:** Internal β€” For Repository Maintainers and Organization Administrators > diff --git a/.github-minimum-intelligence/docs/index.md b/.github-minimum-intelligence/docs/index.md index 6899f2e..d7bed05 100644 --- a/.github-minimum-intelligence/docs/index.md +++ b/.github-minimum-intelligence/docs/index.md @@ -2,7 +2,7 @@ > Comprehensive guide to all GitHub Minimum Intelligence documentation. > -> **Start here:** [README](../../README.md) Β· **Safety:** [FINAL WARNING](./final-warning.md) Β· **Laws:** [The Four Laws of AI](./the-four-laws-of-ai.md) +> **Start here:** [README](../../README.md) Β· **Before You Begin:** [Important Information](./final-warning.md) Β· **Laws:** [The Four Laws of AI](./the-four-laws-of-ai.md) --- @@ -21,7 +21,7 @@ | Document | Description | |----------|-------------| -| [⚠️ FINAL WARNING](./final-warning.md) | Important safety information, warnings, precautions, side effects, and the complete governance framework. **Read this first.** | +| [Before You Begin](./final-warning.md) | Important usage information, precautions, side effects, and the complete governance framework. **Read this first.** | | [The Four Laws of AI](./the-four-laws-of-ai.md) | The Zeroth, First, Second, and Third Laws governing all AI behavior in this system. | --- 
@@ -31,7 +31,7 @@ | Document | Description | |----------|-------------| | [Security Assessment](./security-assessment.md) | Comprehensive security review covering threat model, vulnerability assessment, access control, supply chain, and compliance with the Four Laws. | -| [⚠️ Blast Radius Analysis](./warning-blast-radius.md) | Evidence-based audit of agent capabilities and what could go wrong β€” code tampering, secret exfiltration, lateral movement, and persistence mechanisms. | +| [Capabilities Analysis](./warning-blast-radius.md) | Evidence-based audit of agent capabilities and access scope β€” code access, secret exposure, cross-repository access, and persistence mechanisms. | | [Incident Response Plan](./incident-response.md) | Step-by-step procedures for containment, eradication, recovery, and hardening after a security incident. | --- diff --git a/.github-minimum-intelligence/docs/security-assessment.md b/.github-minimum-intelligence/docs/security-assessment.md index 00f8268..83a1fd7 100644 --- a/.github-minimum-intelligence/docs/security-assessment.md +++ b/.github-minimum-intelligence/docs/security-assessment.md @@ -1,6 +1,6 @@ # Security Assessment -> πŸ“– [Documentation Index](./index.md) Β· [Blast Radius Analysis](./warning-blast-radius.md) Β· [Incident Response](./incident-response.md) +> πŸ“– [Documentation Index](./index.md) Β· [Capabilities Analysis](./warning-blast-radius.md) Β· [Incident Response](./incident-response.md) > > **Classification:** Internal - For Repository Maintainers and Organization Administrators 
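Review bot: the new index description for warning-blast-radius.md ("code access, secret exposure, cross-repository access, and persistence mechanisms") reads as a feature inventory, while the document is still an audit of what an abused invocation can reach and the next row still describes the Incident Response Plan as procedures "after a security incident". Keep the adverse case visible in the description, e.g. "Evidence-based audit of agent capabilities and what an abused invocation could reach". Also note the file keeps the name `warning-blast-radius.md` while its title becomes "Capabilities Analysis"; either rename the file too or leave the old term in the description so readers searching for it still land here.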
> @@ -35,10 +35,12 @@ ## 1. Executive Summary -### Overall Security Posture: πŸ”΄ CRITICAL +### Overall Security Posture: Needs Hardening The `github-minimum-intelligence` system is an AI coding agent that runs autonomously inside GitHub Actions, triggered by issue events. It can read files, execute arbitrary bash commands, edit code, and push changes to the repository. +> **Note:** Many of the findings below are standard properties of GitHub Actions workflows running on `ubuntu-latest` runners. They are documented here for completeness so you can make informed decisions about hardening your deployment. + **Key Findings:** | # | Finding | Severity | Status | @@ -54,7 +56,7 @@ The `github-minimum-intelligence` system is an AI coding agent that runs autonom | SEC-009 | Single dependency on third-party agent package | 🟑 Medium | Open | | SEC-010 | No runtime command allowlist or sandbox | 🟠 High | Open | -**Bottom Line:** Any user with write access to this repository can trigger an AI agent that has the capability to compromise the entire `japer-technology` GitHub organization. The authorization check in the workflow mitigates casual abuse, but does not protect against compromised contributor accounts, social engineering, or prompt injection attacks delivered via issue content. +**Bottom Line:** Any user with write access to this repository can trigger the AI agent, which has the same access as any GitHub Actions workflow β€” including repository write access and environment secrets. The authorization check in the workflow ensures only trusted collaborators can trigger it. For additional hardening, see the recommendations in [Section 12](#12-recommendations). --- 
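Review bot: "The authorization check in the workflow ensures only trusted collaborators can trigger it" overstates what the check does. The same summary says the agent is "triggered by issue events" and "can ... execute arbitrary bash commands", so issue text written by anyone who can open an issue reaches the agent regardless of who is authorized to trigger it; the removed sentence named exactly that ("prompt injection attacks delivered via issue content") along with compromised contributor accounts and social engineering. Keep those caveats, e.g. "mitigates casual abuse, but does not protect against compromised accounts or prompt injection via issue content". Two related inconsistencies in this hunk: the "Overall Security Posture" heading drops the severity scale while the Key Findings table directly below still rates entries High and Medium, and the added note that findings are "standard properties of GitHub Actions workflows" does not hold for SEC-009 (single third-party agent dependency) or SEC-010 (no runtime command allowlist or sandbox), both of which are project-specific.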
@@ -531,7 +533,7 @@ Assessment of the current system against [AGENTS.md](../AGENTS.md) (The Four Law | # | Action | Effort | Impact | |---|--------|--------|--------| | 1 | **Enable branch protection on `main`** - require PR reviews, prevent direct pushes | Low | Eliminates unreviewed code deployment | -| 2 | **Scope GITHUB_TOKEN** - replace with fine-grained PAT limited to `gmi-test-1` | Medium | Eliminates org-wide blast radius | +| 2 | **Scope GITHUB_TOKEN** - replace with fine-grained PAT limited to `gmi-test-1` | Medium | Reduces scope of access to this repository only | | 3 | **Add CODEOWNERS** - require admin review for `.github/` directory changes | Low | Prevents workflow injection | | 4 | **Pin dependency versions** - remove `^` from `package.json`, pin Actions to SHAs | Low | Reduces supply chain risk | | 5 | **Rotate ANTHROPIC_API_KEY** - as a precautionary measure | Low | Invalidates any prior exposure | @@ -649,10 +651,10 @@ This project follows a coordinated disclosure model: ## Appendix B: References -- [warning-blast-radius.md](./warning-blast-radius.md) - Empirical threat analysis of agent capabilities +- [warning-blast-radius.md](./warning-blast-radius.md) - Capabilities analysis of agent access - [transition-to-defcon-1.md](./transition-to-defcon-1.md) - Proposed capability lockdown framework - [AGENTS.md](../AGENTS.md) - The Four Laws of AI Infrastructure -- [final-warning.md](./final-warning.md) - Safety information +- [final-warning.md](./final-warning.md) - Important usage information - [PACKAGES.md](../PACKAGES.md) - Dependency inventory - [GitHub Actions Security Hardening](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) - [OpenSSF Scorecard](https://securityscorecards.dev/) - Automated supply chain security assessment diff --git a/.github-minimum-intelligence/docs/the-four-laws-of-ai.md b/.github-minimum-intelligence/docs/the-four-laws-of-ai.md index be3bef1..005e13d 100644 
--- a/.github-minimum-intelligence/docs/the-four-laws-of-ai.md +++ b/.github-minimum-intelligence/docs/the-four-laws-of-ai.md @@ -1,6 +1,6 @@ # The Four Laws of AI -> πŸ“– [Documentation Index](./index.md) Β· [FINAL WARNING](./final-warning.md) Β· [README](../../README.md) +> πŸ“– [Documentation Index](./index.md) Β· [Before You Begin](./final-warning.md) Β· [README](../../README.md) *Adapted from Isaac Asimov's Three Laws of Robotics for GitHub as AI Infrastructure* @@ -65,4 +65,4 @@ This means: --- -πŸ“– [Documentation Index](./index.md) Β· [FINAL WARNING](./final-warning.md) Β· [Security Assessment](./security-assessment.md) Β· [Blast Radius Analysis](./warning-blast-radius.md) +πŸ“– [Documentation Index](./index.md) Β· [Before You Begin](./final-warning.md) Β· [Security Assessment](./security-assessment.md) Β· [Capabilities Analysis](./warning-blast-radius.md) diff --git a/.github-minimum-intelligence/docs/warning-blast-radius.md b/.github-minimum-intelligence/docs/warning-blast-radius.md index c3a4805..a91a85b 100644 --- a/.github-minimum-intelligence/docs/warning-blast-radius.md +++ b/.github-minimum-intelligence/docs/warning-blast-radius.md @@ -1,6 +1,6 @@ -# ⚠️ Blast Radius Analysis +# Capabilities Analysis -> πŸ“– [Documentation Index](./index.md) Β· [Security Assessment](./security-assessment.md) Β· [Incident Response](./incident-response.md) Β· [FINAL WARNING](./final-warning.md) +> πŸ“– [Documentation Index](./index.md) Β· [Security Assessment](./security-assessment.md) Β· [Incident Response](./incident-response.md) Β· [Before You Begin](./final-warning.md)

@@ -8,29 +8,33 @@

-> **What could this AI agent do if it went rogue?** +> **What capabilities does the AI agent have?** > > This document is a factual, evidence-based audit of the out-of-the-box capabilities > available to the `github-minimum-intelligence` (GMI) agent running as a GitHub Actions > workflow on an `ubuntu-latest` runner. Every claim below was empirically verified > during this analysis. +> +> **Note:** The capabilities documented here are standard properties of GitHub Actions +> runners. They apply to any workflow running on `ubuntu-latest`, not just this project. +> We document them so you can make informed decisions about your security posture. --- ## Executive Summary -| Dimension | Severity | Notes | +| Dimension | Priority | Notes | |---|---|---| -| **Code & Repository Tampering** | πŸ”΄ CRITICAL | `contents: write` on this repo + git push access to **all org repos** | -| **Supply Chain Poisoning** | πŸ”΄ CRITICAL | Can modify workflow files, push code, create branches across the org | -| **Secret Exfiltration** | πŸ”΄ CRITICAL | Live `ANTHROPIC_API_KEY` and `GITHUB_TOKEN` in environment | -| **Lateral Movement (Org)** | πŸ”΄ CRITICAL | Token has read/write access to all `japer-technology` repositories | -| **Network Egress** | 🟠 HIGH | Unrestricted outbound internet (HTTP, DNS, SSH, arbitrary ports) | -| **Compute Abuse** | 🟠 HIGH | 2 CPU, 8GB RAM, 19GB disk, Docker with `--privileged`, sudo root | -| **Persistence** | 🟑 MEDIUM | Ephemeral VM, but can create workflows that re-trigger itself | -| **Cloud Provider Access** | 🟑 MEDIUM | `az`, `aws`, `gcloud`, `kubectl` CLIs installed (no creds found) | +| **Code & Repository Access** | πŸ”΄ High | `contents: write` on this repo + git push access to **all org repos** | +| **Supply Chain Considerations** | πŸ”΄ High | Can modify workflow files, push code, create branches across the org | +| **Secret Exposure** | πŸ”΄ High | Live `ANTHROPIC_API_KEY` and `GITHUB_TOKEN` in environment | +| **Cross-Repository Access 
(Org)** | πŸ”΄ High | Token has read/write access to all `japer-technology` repositories | +| **Network Egress** | 🟠 Moderate | Unrestricted outbound internet (HTTP, DNS, SSH, arbitrary ports) | +| **Compute Resources** | 🟠 Moderate | 2 CPU, 8GB RAM, 19GB disk, Docker with `--privileged`, sudo root | +| **Persistence** | 🟑 Low | Ephemeral VM, but can create workflows that re-trigger itself | +| **Cloud Provider Access** | 🟑 Low | `az`, `aws`, `gcloud`, `kubectl` CLIs installed (no creds found) | -**Overall blast radius: One compromised issue comment can lead to full organizational code takeover, secret theft, and supply chain attacks on downstream consumers.** +**Summary:** Like any GitHub Actions workflow with write permissions, the agent has broad access to the repository, its secrets, and the organization's other repositories. Standard hardening practices β€” branch protection, scoped tokens, code review β€” are recommended. See [Section 8: Mitigations](#8-mitigations-assessment) for what's already in place and what to add. --- @@ -322,9 +326,9 @@ While the GitHub Actions runner VM is **ephemeral** (destroyed after the job), a ## 10. Conclusion -### ⚠️ **The blast radius is not this repository, it is the entire organisation and its downstream dependents.** +### **The scope of access extends beyond this repository to the entire organisation and its downstream dependents.** -The GMI agent, out-of-the-box, operates with **extraordinary privilege** relative to its intended purpose (responding to GitHub issues). The combination of: +The GMI agent, out-of-the-box, operates with **broad privilege** relative to its intended purpose (responding to GitHub issues). This is not unique to GMI β€” it is a property of any GitHub Actions workflow with write permissions on an organization-scoped token. The combination of: 1. **Unrestricted root access** on the runner 2. **Org-wide repository write access** via `GITHUB_TOKEN` 
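Review bot: the executive summary relabeling in warning-blast-radius.md is internally inconsistent. "Persistence" drops to Low while its own note still says the agent "can create workflows that re-trigger itself", yet "Supply Chain Considerations" stays High for "Can modify workflow files"; those are the same mechanism, so either keep Persistence at its previous level or explain in the note why self-re-triggering workflows rank below network egress. The added note that these are "standard properties of GitHub Actions runners" is contradicted one table down by "Token has read/write access to all `japer-technology` repositories", which is a token-scoping decision rather than a runner property, and the summary sentence "Like any GitHub Actions workflow with write permissions, the agent has broad access to ... the organization's other repositories" is wrong for a default `GITHUB_TOKEN`, which covers only the repository running the workflow. Say "with an organization-scoped token", as the conclusion hunk does.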
@@ -333,6 +337,8 @@ The GMI agent, out-of-the-box, operates with **extraordinary privilege** relativ 5. **Docker with privileged mode** 6. **Full compiler toolchains** and language runtimes -...means that a single rogue agent invocation - triggered by nothing more than opening a GitHub issue - could compromise an entire organization's codebase, exfiltrate all secrets and source code, establish persistence across all repositories, and potentially attack downstream consumers of that code. +...means that any workflow invocation β€” whether from this project or any other β€” could, in a worst-case scenario, access the organization's codebase, read secrets and source code, and potentially affect downstream consumers of that code. + +Standard GitHub hardening practices (scoped tokens, branch protection, code review, network controls) significantly reduce this surface. See [Section 8](#8-mitigations-assessment) above for details. diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index ad8415b..5c0da7c 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -51,4 +51,4 @@ Maintainers have the right and responsibility to remove, edit, or reject comment ## Attribution -This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1, with additions specific to this project's [Four Laws of AI](.github-minimum-intelligence/docs/the-four-laws-of-ai.md) and [FINAL WARNING](.github-minimum-intelligence/docs/final-warning.md). +This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1, with additions specific to this project's [Four Laws of AI](.github-minimum-intelligence/docs/the-four-laws-of-ai.md) and [Before You Begin](.github-minimum-intelligence/docs/final-warning.md) guide. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 81dc511..e2ccfbc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
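Review bot: in the conclusion hunk, "This is not unique to GMI" removes the one thing that distinguishes this project from an ordinary workflow. A normal workflow runs code maintainers committed; this one runs an agent whose instructions come from issue content and which, per the security assessment, can "execute arbitrary bash commands", so untrusted input from anyone who can open an issue is what drives the six privileges listed above. The replacement sentence "any workflow invocation" ... "could, in a worst-case scenario, access" therefore drops the actual trigger; keep it in the sentence, e.g. "a single agent invocation, driven by the content of a GitHub issue, could ...". "Read secrets" is also narrower than the list supports: unrestricted network egress is item 3 in that list, so exfiltration, not only reading, is in scope and should stay in the sentence.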
@@ -2,7 +2,7 @@ Thank you for your interest in contributing. This project values transparency, auditability, and human judgment above all else. Every contribution β€” code, documentation, or discussion β€” becomes part of the repository's permanent history. -Before contributing, please read the [FINAL WARNING](.github-minimum-intelligence/docs/final-warning.md) and the [Four Laws of AI](.github-minimum-intelligence/docs/the-four-laws-of-ai.md). +Before contributing, please read [Before You Begin](.github-minimum-intelligence/docs/final-warning.md) and the [Four Laws of AI](.github-minimum-intelligence/docs/the-four-laws-of-ai.md). --- @@ -23,7 +23,7 @@ Open a [GitHub Issue](../../issues) describing: - The problem or gap the feature addresses. - How it fits within the existing architecture (issues as conversation, Git as memory, Actions as runtime). -- Any security implications β€” review the [Blast Radius Analysis](.github-minimum-intelligence/docs/warning-blast-radius.md) to understand the threat model. +- Any security implications β€” review the [Capabilities Analysis](.github-minimum-intelligence/docs/warning-blast-radius.md) to understand the access model. ### Submitting Changes 
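Review bot: in the "Any security implications" bullet, "to understand the access model" is a step down from "to understand the threat model". The bullet asks contributors to state the security implications of a feature; an access model says what the agent can reach, a threat model says who might abuse that and how, which is what a reviewer needs in order to judge the implication. Keep "threat model" (or "access and threat model") here regardless of the document's retitling.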
@@ -78,7 +78,7 @@ See the [README](README.md#project-structure) for a detailed breakdown of every If you discover a security vulnerability, **do not open a public issue**. Instead, refer to the [Incident Response](.github-minimum-intelligence/docs/incident-response.md) plan and contact the maintainers privately. -All contributions are subject to the project's [Security Assessment](.github-minimum-intelligence/docs/security-assessment.md) and [Blast Radius Analysis](.github-minimum-intelligence/docs/warning-blast-radius.md). Changes that expand the agent's capabilities or permissions require careful review. +All contributions are subject to the project's [Security Assessment](.github-minimum-intelligence/docs/security-assessment.md) and [Capabilities Analysis](.github-minimum-intelligence/docs/warning-blast-radius.md). Changes that expand the agent's capabilities or permissions require careful review. --- diff --git a/README.md b/README.md index 967e221..c251908 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ A repository-local AI framework that plugs into a developer’s existing workflo ## IMPORTANT -### ⚠️ Please read this [FINAL WARNING](.github-minimum-intelligence/docs/final-warning.md) carefully! +### πŸ“– Please read [Before You Begin](.github-minimum-intelligence/docs/final-warning.md) for important usage information. See the [Index](.github-minimum-intelligence/docs/index.md) for all documentation.