Cross-cutting Concepts

Threat Model (STRIDE)

Warning

No STRIDE threat model exists in the code base. The threats below are candidate threats, derived in Phase 2 from the code-visible risk surfaces (see [section-technical-risks]). The completeness of this catalogue and the validation of each threat are deferred to the Architect and Operations — see ADR review and OPEN_QUESTIONS.adoc.

| T-ID | STRIDE | Candidate Threat | Risk |
|------|--------|------------------|------|
| T-001 | Tampering, Elevation | The LLM emits a destructive shell command and bash runs it [vibe/core/tools/builtins/bash.py:480-530]. | R-001 |
| T-002 | Information Disclosure | A file tool reads a secret file such as .env [vibe/core/tools/builtins/read_file.py:60-66]. | R-002 |
| T-003 | Tampering | A file write or patch lands outside the working directory [vibe/core/tools/utils.py:64-125]. | R-003 |
| T-004 | Information Disclosure | webfetch is pointed at an internal/loopback URL (SSRF) [vibe/core/tools/builtins/webfetch.py:62-119]. | R-002 |
| T-005 | Elevation of Privilege | An untrusted project’s .vibe/ config (tools, hooks, agents) executes on first entry [vibe/core/trusted_folders.py:19-32]. | R-004 |
| T-006 | Spoofing, Information Disclosure | The Mistral API key leaks from disk [vibe/setup/auth/api_key_persistence.py:14-16]. | R-005 |
| T-007 | Tampering | A malicious hook command runs as a shell subprocess [vibe/core/hooks/executor.py:11-55]. | R-006 |

Security

Every mitigation references the T-IDs it closes.

| Mechanism | Description | Closes |
|-----------|-------------|--------|
| Tiered tool permissions | Each tool resolves to ALWAYS / ASK / NEVER; ASK prompts the user before executing [vibe/core/tools/base.py:83-113]. | T-001, T-004 |
| Command allow/deny lists + arity | bash matches command prefixes against allow/deny lists; sudo always asks [vibe/core/tools/builtins/bash.py:228-243, vibe/core/tools/arity.py:145-158]. | T-001 |
| Sensitive-pattern gating | File and search tools treat */.env as sensitive and force an approval prompt [vibe/core/tools/builtins/read_file.py:60-63]. | T-002 |
| Working-directory boundary | File tools require paths inside the working directory (or an --add-dir root); otherwise an extra approval is required [vibe/core/tools/utils.py:64-125]. | T-003 |
| Trust-folder gate | A folder containing .vibe/ or AGENTS.md triggers a trust prompt; untrusted folders do not load project config [vibe/core/trusted_folders.py:75-122]. | T-005 |
| Secret storage | API keys are stored in ~/.vibe/.env or the OS keyring; encrypted payloads use RSA-OAEP-SHA256 + AES-256-GCM; browser sign-in uses PKCE [vibe/core/auth/crypto.py:13-137, vibe/setup/auth/browser_sign_in.py:173-184]. | T-006 |
| Read-only agent profiles | The plan and chat profiles are read-only, enforced by ReadOnlyAgentMiddleware [vibe/core/middleware.py:174-216]; see ADR-003. | T-001, T-003 |
| Experimental-hooks gate | Hooks are disabled unless enable_experimental_hooks is set, so a project’s hook commands do not run as shell subprocesses by default [vibe/core/config/_settings.py:534, vibe/core/hooks/config.py:78]. | T-007 |
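
An added example (not code from the project) of how the working-directory boundary and the */.env gate can be evaluated on resolved paths, so that `..` segments and symlinks do not slip past either check. The function name needs_extra_approval, the SENSITIVE_PATTERNS list and the directory layout built in demo() are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# "*/.env" is the pattern named in the table; keeping it in a list is an assumption.
SENSITIVE_PATTERNS = ["*/.env"]


def needs_extra_approval(raw: str, workdir: Path, extra_roots: tuple = ()) -> bool:
    """True when a requested path is sensitive or falls outside every allowed root."""
    candidate = Path(raw)
    if not candidate.is_absolute():
        candidate = workdir / candidate  # relative paths are anchored at the workdir
    # resolve() collapses ".." and follows symlinks, so the decision is made on
    # the file that would actually be opened, not on how the path was spelled.
    real = candidate.resolve()
    roots = [Path(r).resolve() for r in (workdir, *extra_roots)]
    inside = any(real == root or root in real.parents for root in roots)
    # Match both spellings: a symlink may hide a .env behind a harmless name.
    sensitive = any(fnmatch.fnmatch(p.as_posix(), pat)
                    for p in (candidate, real) for pat in SENSITIVE_PATTERNS)
    return sensitive or not inside


def demo() -> dict:
    """Classify constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        work, outside, shared = base / "work", base / "outside", base / "shared"
        for d in (work / "src", outside, shared):
            d.mkdir(parents=True)
        (work / ".env").write_text("KEY=constructed\n")
        os.symlink(outside, work / "link")  # symlink that leaves the workdir
        os.symlink(work / ".env", work / "settings.txt")  # alias for the secret
        requests = {
            "inside": "src/main.py",
            "dotdot": "src/../../outside/notes.txt",
            "symlink_escape": "link/notes.txt",
            "env": ".env",
            "env_alias": "settings.txt",
            "added_root": str(shared / "doc.md"),  # plays the role of an --add-dir root
        }
        return {k: needs_extra_approval(v, work, (shared,)) for k, v in requests.items()}


if __name__ == "__main__":
    for name, ask in demo().items():
        print(f"{name:15} -> {'ASK' if ask else 'ok'}")
```

The check and the later open are separate steps, so a tool that uses such a check should open the resolved path rather than the original spelling.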

Test

The test concept is a pytest suite (pytest + pytest-asyncio + respx + pytest-textual-snapshot) with test doubles named Fake* in tests/stubs/ [AGENTS.md:84-92]. CI runs the suite plus strict pyright and ruff [.github/workflows/ci.yml].

Warning

Tests are not traced to use cases or business rules, and the pyramid shape (unit / integration / end-to-end proportions) is not declared. Establishing per-use-case traceability — each test naming the ../use-cases-vibe.adoc use case it covers — is deferred to the Developer.

Observability

  • Tracing. OpenTelemetry spans wrap the agent invocation and each tool execution, with the conversation id propagated as OTEL baggage; the OTLP exporter is enabled only when telemetry and OTEL config are present [vibe/core/tracing.py:23-137].

  • Logging. Structured stdlib logging writes to ~/.vibe/logs/vibe.log; level and rotation size are env-configurable [AGENTS.md:68-69].

  • Usage telemetry. Usage events go to the Mistral datalake, gated by enable_telemetry and the presence of an API key [vibe/core/telemetry/send.py:58-95].

  • ACP message log. When VIBE_ACP_LOGGING_ENABLED is set, every ACP protocol message is recorded [vibe/acp/acp_logger.py:17-59].

Error Handling

Configuration

Configuration is layered and merge-aware: project .vibe/config.toml directories are walked breadth-first (up to four levels) and then the user ~/.vibe/config.toml layer is applied; layers merge field-by-field with declared strategies (replace, concat, union, shallow, conflict) [vibe/core/config/builder.py:24-122, vibe/core/paths/_local_config_walk.py:132-168]. VIBE_HOME relocates the entire user state directory [vibe/core/paths/_vibe_home.py:19-25]. This concept is listed because the system genuinely has a configuration concern that crosses every building block.