Skip to main content

Security Overview

OpenFang implements defense-in-depth with 16 discrete security systems that operate independently. Every layer is testable and operates without a single point of failure.

The 16 Security Systems

OpenFang doesn’t bolt security on after the fact. Security is architected into every subsystem from the ground up.
Tool code runs in WebAssembly with both fuel metering (instruction count limits) and epoch interruption (wall-clock timeout via watchdog thread). This prevents both CPU-bound and time-bound runaway modules.
  • Wasmtime engine with dual metering
  • Watchdog thread kills runaway code
  • Host function capability enforcement
  • Memory limits enforced at WASM instantiation
Location: openfang-runtime/src/wasm_sandbox.rs
Every agent action is cryptographically linked to the previous one in a tamper-evident chain. Modify one entry and the entire chain breaks.
  • SHA-256 hash chaining
  • Immutable append-only log
  • /api/audit/verify endpoint for chain integrity checks
  • Compliance-ready audit exports
Location: openfang-runtime/src/audit.rs
Taint labels propagate through execution, tracking secrets from source to sink. Prevents untrusted data from entering privileged operations.
  • TaintLabel and TaintSet types
  • Propagation through operations
  • Enforcement at privilege boundaries
  • Information flow analysis
Location: openfang-types/src/taint.rs
Every agent identity and capability set is cryptographically signed using Ed25519 digital signatures.
  • Agent manifest integrity verification
  • Public key distribution
  • Signature validation at spawn time
  • Identity authentication
Location: openfang-types/src/manifest_signing.rs
Blocks requests to private IPs, cloud metadata endpoints (169.254.169.254), and DNS rebinding attacks.
  • Private IP range blocking (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Cloud metadata endpoint filtering
  • DNS resolution verification
  • Applied in host_net_fetch and web_fetch.rs
Functions: is_ssrf_target(), is_private_ip()
All API key fields use Zeroizing<String> from the zeroize crate. Keys are automatically wiped from memory when dropped.
  • Zeroizing<String> on all LLM driver API keys
  • Automatic memory wipe on drop
  • Debug impls redact secrets
  • Prevents secret leakage in core dumps
Dependencies: zeroize crate
The OpenFang Protocol (OFP) uses HMAC-SHA256 with nonce-based replay protection and constant-time verification.
  • HMAC-SHA256 signing: hmac_sign(secret, nonce + node_id)
  • Nonce prevents replay attacks
  • Constant-time verification via subtle crate (prevents timing attacks)
  • Mutual authentication on both handshake sides
Location: openfang-wire/src/auth.rs
Role-based access control where agents declare required tools and the kernel enforces permissions at runtime.
  • Capability inheritance validation (prevents privilege escalation)
  • Grant/revoke flow tracked in CapabilityManager
  • Enforcement at every tool invocation
  • Manifest declaration required
See: Capabilities documentation
All API responses include comprehensive security headers:
  • CSP (Content Security Policy)
  • X-Frame-Options (clickjacking protection)
  • X-Content-Type-Options (MIME sniffing prevention)
  • X-XSS-Protection
  • HSTS (HTTP Strict Transport Security)
  • Referrer-Policy
  • Permissions-Policy
Location: openfang-api/src/middleware.rs
Public health endpoint returns minimal status. Detailed diagnostics require authentication.
  • /api/health — Public, minimal info
  • /api/health/detail — Requires Bearer token, shows database stats, agent counts, subsystem status
Location: openfang-api/src/routes/health.rs
Python/Node.js skill runtimes execute in isolated subprocesses with environment clearing and selective variable injection.
  • cmd.env_clear() on all subprocess invocations
  • Selective environment variable passthrough
  • Restricted PATH
  • Cross-platform process tree isolation
Location: openfang-runtime/src/subprocess_sandbox.rs
Scans skill content for malicious patterns before activation.
  • Override attempt detection (“Ignore previous instructions”)
  • Data exfiltration pattern matching
  • Shell reference injection detection
  • Applied to all bundled and installed skills
Function: scan_prompt_content() in openfang-skills
SHA256-based tool call loop detection with circuit breaker.
  • Warn threshold (default 3): Logs warning, injects hint to LLM
  • Block threshold (default 5): Refuses tool call
  • Circuit breaker (default 30): Terminates agent loop
  • Handles ping-pong patterns between tools
Location: openfang-runtime/src/loop_guard.rs
7-phase message history validation and automatic recovery from corruption.
  • Drops orphaned ToolResult messages
  • Removes empty messages
  • Merges consecutive same-role messages
  • Runs before every agent loop iteration
Function: validate_and_repair() in openfang-runtime
Canonicalization with symlink escape prevention. ../ attacks are blocked.
  • safe_resolve_path() in WASM host functions
  • safe_resolve_parent() for parent directory access
  • validate_path() in tool runner
  • Capability check runs BEFORE path resolution
Location: openfang-runtime/src/tool_runner.rs, WASM host functions
Generic Cell Rate Algorithm with cost-aware token buckets and per-IP tracking.
  • Per-IP token bucket tracking
  • Cost-aware rate calculation
  • Stale entry cleanup
  • Configurable burst and sustained rates
Location: openfang-api/src/middleware/rate_limiter.rs

Defense-in-Depth Architecture

OpenFang’s security model assumes multiple layers will fail. No single system is a point of failure. 
┌─────────────────────────────────────────────────┐
│  Network Layer (TLS, Rate Limiting, Headers)   │
├─────────────────────────────────────────────────┤
│  Authentication (Bearer Token, HMAC-SHA256)     │
├─────────────────────────────────────────────────┤
│  Authorization (Capabilities, RBAC)             │
├─────────────────────────────────────────────────┤
│  Input Validation (Path, SSRF, Injection)       │
├─────────────────────────────────────────────────┤
│  Runtime Isolation (WASM, Subprocess Sandbox)   │
├─────────────────────────────────────────────────┤
│  Audit & Monitoring (Merkle Chain, Taint)       │
└─────────────────────────────────────────────────┘
Each layer is independently testable and operates even if other layers are compromised.

Security vs. Other Frameworks

Benchmark: Security System Count

OpenFang   ████████████████████████████████████████████   16      ★
ZeroClaw   ███████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░    6
OpenClaw   ████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░    3
AutoGen    █████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░    2
LangGraph  █████░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░    2
CrewAI     ███░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░    1
Data from official documentation and public repositories — February 2026.

Security Best Practices

1. Least Privilege by Default

Agents spawn with minimal capabilities. Grant only what’s required. 
[capabilities]
tools = ["file_read", "file_list"]  # NOT "*"
memory_read = ["self.*"]            # NOT "*"
network = ["api.anthropic.com"]     # NOT "*"
shell = []                           # Empty by default
agent_spawn = false                  # Disabled by default

2. Validate Capability Inheritance

Child agents cannot exceed parent capabilities. This is enforced at spawn time. 
// Automatically validated — no action required
validate_capability_inheritance(
    &parent_capabilities,
    &child_capabilities
)?;

3. Monitor Audit Trail

Regularly verify hash-chain integrity: 
curl http://localhost:4200/api/audit/verify

4. Use HTTPS in Production

Configure TLS certificates in config.toml: 
[server]
host = "0.0.0.0"
port = 4200
tls_cert_path = "/path/to/cert.pem"
tls_key_path = "/path/to/key.pem"

5. Rotate Secrets Regularly

API keys should be rotated every 90 days. OpenFang automatically zeroizes old keys on rotation. 
# Update environment variable
export ANTHROPIC_API_KEY="new_key_here"

# Restart daemon
openfang restart

6. Enable Audit Logging

All agent actions are logged to the Merkle audit trail by default. Export for compliance: 
curl http://localhost:4200/api/audit/export > audit_trail.json

Threat Models

OpenFang defends against the following threat scenarios:

1. Malicious Agent Code

Threat: A skill or WASM module attempts to escape its sandbox. Defense:
  • WASM dual metering (fuel + epoch)
  • Capability enforcement at host function level
  • Path traversal prevention
  • SSRF protection

2. Privilege Escalation

Threat: A child agent requests more capabilities than its parent. Defense:
  • Capability inheritance validation at spawn time
  • Manifest signing with Ed25519
  • Audit trail of all capability grants

3. Supply Chain Attack

Threat: A malicious skill is installed from an external marketplace. Defense:
  • SHA256 verification of skill content
  • Prompt injection scanner on all skills
  • Skill content wrapped with trust boundary markers
  • Subprocess environment isolation

4. SSRF / Cloud Metadata Theft

Threat: Agent attempts to fetch cloud credentials from 169.254.169.254. Defense:
  • Private IP blocking in is_ssrf_target()
  • DNS resolution verification
  • Cloud metadata endpoint filtering

5. Runaway Agent Loop

Threat: Agent enters infinite loop calling the same tool repeatedly. Defense:
  • Loop Guard with SHA256 tracking
  • Circuit breaker at 30 repetitions
  • Tool timeout (60 seconds)
  • Max continuations (3)

6. Audit Log Tampering

Threat: Attacker modifies audit logs to hide malicious activity. Defense:
  • Merkle hash-chain structure
  • Each entry includes hash of previous entry
  • Integrity verification endpoint
  • Tamper detection breaks the chain

Security Dependencies

Security-critical dependencies are pinned and regularly audited:
DependencyPurposeVersion
ed25519-dalekManifest signingPinned
sha2Hash chain, checksumsPinned
hmacWire protocol authPinned
subtleConstant-time comparisonPinned
zeroizeSecret memory wipingPinned
randCryptographic randomnessPinned
governorRate limitingPinned
All security dependencies are tracked in the workspace Cargo.lock and audited via cargo audit.

Reporting Security Vulnerabilities

If you discover a security vulnerability in OpenFang, please report it responsibly. Do NOT open a public GitHub issue for security vulnerabilities.

How to Report

  1. Email: [email protected]
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Affected versions
    • Potential impact assessment
    • Suggested fix (if any)

What to Expect

  • Acknowledgment within 48 hours
  • Initial assessment within 7 days
  • Fix timeline communicated within 14 days
  • Credit given in the advisory (unless you prefer anonymity)

Scope

The following are in scope for security reports:
  • Authentication/authorization bypass
  • Remote code execution
  • Path traversal / directory traversal
  • Server-Side Request Forgery (SSRF)
  • Privilege escalation between agents or users
  • Information disclosure (API keys, secrets, internal state)
  • Denial of service via resource exhaustion
  • Supply chain attacks via skill ecosystem
  • WASM sandbox escapes

Next Steps

Capabilities

Learn how capability-based permissions work

Sandbox

Deep dive into WASM and subprocess isolation

Audit Trail

Understand the Merkle hash-chain audit system

Architecture

See how security integrates across all subsystems

Build docs developers (and LLMs) love

Get started for freeTalk to us