Security

What aidokit defends against, what it doesn't, and the mitigations the architecture enforces.

What aidokit is and is not

aidokit is a scaffolding CLI that emits files and runs declared shell commands.
aidokit is not an LLM client. Zero API calls. No telemetry. No phone-home. No background activity.

Running aidokit is closer to running cookiecutter or npm init than to running an AI service in the cloud.

Trust boundaries

Concentric rings of trust, from your machine outward. Lower trust → stricter gate before any action.

flowchart LR classDef trusted fill:#f0fdf4,stroke:#15803d,color:#14532d; classDef scoped fill:#eff6ff,stroke:#2563eb,color:#0f172a; classDef gated fill:#fffbeb,stroke:#b45309,color:#78350f; classDef untrusted fill:#fef2f2,stroke:#b91c1c,color:#7f1d1d; M["your machine
(trusted)"]:::trusted PD["project directory
(scoped writes)"]:::scoped HD["$AIDO_HOME
(limited)"]:::scoped FP["first-party
@aidokit/* packages
(verifiable via npm provenance)"]:::scoped CM["catalog MCPs
(per-role scoped)"]:::scoped SM["security-sensitive MCPs
(Filesystem, graphify)"]:::gated TP["third-party adapters /
stack packs"]:::untrusted CU["custom MCP URLs
(--custom-url)"]:::untrusted M --> PD M --> HD M --> FP FP --> CM CM -. forced confirmation .-> SM M -. conformance CI
+ capability decls .-> TP M -. forced confirmation
+ audit log .-> CU

Figure 1. Trust boundaries enforced by the CLI. --yes never bypasses the yellow or red gates.

Boundary	Trust	Primary mitigation
Your machine	trusted	(you already run code there)
Project directory	scoped	adapters write only declared paths
Your home directory	limited	only `$AIDO_HOME` writes; never dotfiles or creds
First-party `@aidokit/*` packages	trusted (verifiable)	npm provenance from v1.0; `npm audit signatures`
Third-party adapters / stack packs	untrusted by default	conformance CI + capability declarations + signing
Catalog MCPs (non-sensitive)	scoped	per-role scoping; `securitySensitive` flag for elevated
Catalog MCPs (sensitive)	gated	non-bypassable confirmation, never `--yes`-bypass
Custom MCPs (`--custom-url`)	explicitly untrusted	forced confirmation; `source: 'custom'` in audit log

Mitigations

Capability declarations

Every adapter manifest declares:

yaml

capabilityDeclarations:
  writesPaths:    ['CLAUDE.md', '.claude/**', '.aido/**']
  runsShellCommands: ['chmod', 'claude mcp add', 'bd init']
  networkCalls:   []

The conformance harness cross-checks declarations against actual source-level imports (child_process) and call sites (fetch(, http(s).request(). A package that writes outside its declared paths is a conformance violation, not a feature.

Signed packages (v1.0+)

shell

npm audit signatures

Every @aidokit/* package publishes with npm provenance attestations. Verify any installed release with the command above.

Dry-run mode

aidokit init --dry-run and aidokit sync --dry-run print the file plan without writing anything and without running postInstall commands.

Staged writes

Files are written to .aido-staging/ first, then atomically moved into place. A failure during staging leaves your project unchanged and preserves the staging dir for inspection.

Audit log

.aido/state.json records every MCP install with userConfirmed and source: 'catalog' | 'custom'. The log is local; aidokit never transmits it.

Security-sensitive flag is non-bypassable

--yes does not skip confirmation for:

MCPs marked securitySensitive: true (Filesystem, graphify, …).
Custom MCPs via --custom-url.
Tracked-file deletions.
Package version bumps.

No auto-install of prerequisites

aidokit detects prereqs and prints the per-OS install command. It never invokes brew, apt, scoop, winget, or curl | bash on your behalf. The escape hatch is --skip-prereq-check.

No telemetry

Zero network calls from aidokit itself. The only network calls during normal use come from npm install and from shell commands declared in adapter manifests (e.g. claude mcp add).

What aidokit does not defend against

An attacker with existing shell access running aidokit as you.
Compromise of your AI coding CLI (Claude Code, Codex, …).
Vulnerabilities in MCP server implementations.
Compromise of npm registry infrastructure (mitigated by provenance verification).
Network MITM attacks (TLS is assumed to work).
OS-level privilege escalation.

Reporting a vulnerability

Send vulnerability reports to george@aicenter.ae. Do NOT open public GitHub issues for unpatched vulnerabilities.

Include:

Affected component (CLI core / specific adapter / stack pack / catalog entry).
Affected versions.
Reproducer (steps, sample project).
What an attacker could accomplish.
Suggested severity.

Coordinated disclosure timeline

Severity	Target patch	Disclosure deadline
High	30 days	60 days after report
Medium	60 days	90 days after report
Low	90 days	120 days after report

What you can expect: initial acknowledgement within 24h, severity assessment within 72h, coordinated disclosure per the table above.

For adapter / stack-pack / MCP authors

Declare every glob in writesPaths you actually write to.
Declare every shell command prefix in runsShellCommands you execute.
Pass the conformance harness in CI on every published version.
Sign packages with npm provenance from v1.0 onward.
Be honest about gaps — document them in manifest.gaps rather than papering over them.