
Security Overview

Security is not a feature of Honeybee — it’s a property of every commit. The platform has undergone 6 rounds of security audits across all 7 repositories, with 90+ findings identified and fixed before any public release.

  1. Defense in depth: Every layer scans, validates, and constrains independently, so no single check is load-bearing
  2. Fail closed: When in doubt, block. If a Carapace scan errors out or cannot complete, the content is blocked rather than passed
  3. Zero trust agents: Agent IDs are server-generated, never client-supplied
  4. Opt-in telemetry: Only structural metadata (counts, scores, latency), never content
  5. Zero dependencies where it matters: The Carapace scanner has zero npm dependencies, so there are no third-party packages for a supply-chain attack to compromise (the Node runtime and build toolchain remain in the trust base)
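Principle 2 in code, as an added example that is not Carapace's own: the scanner interface (a `scan(text)` call returning `{ verdict }`) and the `sampleScanner` are hypothetical, and the 100KB cap is the scan limit quoted in the findings list below. The point is the direction of the default: the fail-open gate denylists the `block` verdict, so a crash or a malformed result passes; the fail-closed gate allowlists the single `allow` verdict and treats everything else as a block.

```javascript
'use strict';
// Added example of the fail-closed principle. Not Carapace code: scan(text)
// returning { verdict: 'allow' | 'block' } and sampleScanner are hypothetical.
const MAX_SCAN_BYTES = 100 * 1024; // the 100KB scan limit from the findings list

// Fail-open gate: the bug. It denylists 'block', so a crash, a missing verdict
// or a misspelt one all let the content through.
function gateFailOpen(scan, text) {
  try {
    return scan(text).verdict !== 'block';
  } catch {
    return true;
  }
}

// Fail-closed gate: allowlists the one outcome that may pass. Size is checked
// before the scanner runs (oversized input is a DoS vector, and skipping the
// scan for it would be fail-open too); an exception or any verdict other than
// the exact string 'allow' blocks. A wall-clock timeout needs an async scanner
// and belongs in the same 'block' branch.
function gateFailClosed(scan, text, maxBytes = MAX_SCAN_BYTES) {
  if (typeof text !== 'string') return { allowed: false, reason: 'not-text' };
  if (Buffer.byteLength(text, 'utf8') > maxBytes) return { allowed: false, reason: 'oversized' };
  let result;
  try {
    result = scan(text);
  } catch (err) {
    return { allowed: false, reason: 'scanner-error', detail: err.message };
  }
  if (!result || result.verdict !== 'allow') {
    return { allowed: false, reason: 'no-allow-verdict' };
  }
  return { allowed: true, reason: 'allow' };
}

// Constructed scanner with three behaviours: throws on 'boom', returns no
// verdict for empty input, and uses a crude prompt-injection pattern otherwise.
function sampleScanner(text) {
  if (text.includes('boom')) throw new Error('pattern engine crashed');
  if (text.length === 0) return {};
  return { verdict: /ignore (all )?previous instructions/i.test(text) ? 'block' : 'allow' };
}
```

Run both gates over the same inputs to see the difference: `gateFailOpen(sampleScanner, 'boom')` returns `true`, while `gateFailClosed(sampleScanner, 'boom')` returns a block with reason `scanner-error`.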
  Round          Scope                      Findings   Status
  Round 1        Hivemind (6 packages)      13         All fixed
  Round 2        Hivemind (6 packages)      16         All fixed
  Round 3        Hivemind (6 packages)      16         All fixed
  Round 4        Hivemind (6 packages)      13         All fixed
  Round 6        All 7 repos (full sweep)   48         All fixed
  Anti-spoofing  Incubator                  3 layers   Verified

Total: 90+ findings identified and fixed, 1,165+ tests passing.

  • Input validation and sanitization
  • Authentication and token handling
  • Injection vectors (command, SQL, XSS, prompt)
  • Secrets exposure (env vars, logs, error messages)
  • OWASP Top 10 where applicable
  • Cloudflare Worker-specific: binding security, Durable Object access control
  • Carapace-specific: detection bypass, evasion patterns
  • ReDoS (regular expression denial of service)
  • SSRF (server-side request forgery)
  • Race conditions and atomicity
  • Command injection via shell concatenation (fixed: execFileSync with array args)
  • Unauthenticated WebSocket connections (fixed: shared-secret token auth)
  • Shell injection via message content (fixed: per-platform escaping)
  • eval() of user commands (fixed: bash -c with escaping)
  • No input length limits (fixed: 100KB for scan, 1MB for API, 10MB for proxy)
  • SSRF via gateway (fixed: private IP/loopback blocking)
  • Command injection via domain names (fixed: domain validation regex)
  • KV cache with no TTL (fixed: 1-hour expiration)
  • Missing MFA re-verification (fixed: require TOTP code)
  • Null user_id bypass (fixed: explicit null guard)
  • Header injection (CRLF), namespace path traversal, unbounded responses
  • YAML prototype pollution, ReDoS in glob matching, wildcard CORS
  • Unbounded request bodies, guard bypass on messages
  • Redis claim TOCTOU (fixed: Lua script atomic CAS)
  • Protocol spec injection, streaming scanner chunk bypass
  • Token refresh race condition (fixed: promise-based mutex)
  • CSV injection in audit exports
  • File permissions, token visibility, PATH injection
  • Namespace validation, snapshot permissions, event caps
  • Session ID validation, GraphiQL disabled, cache prefix isolation
  • Generic error messages (no info leakage)

Every code change is reviewed by hand against this checklist:

  1. Every external input validated with explicit type + range checks
  2. Every SQL query uses parameterized placeholders
  3. Every shell invocation uses execFile/spawn with array args
  4. Every error response returns a generic message
  5. Every console.error logs err.message only
  6. Every secret comparison uses timingSafeEqual
  7. Every pagination has bounded limit/offset
  8. Every file operation validates paths against traversal (../)
  9. Every regex from user input is rejected or escaped
  10. Every JSON.parse is wrapped in try/catch
  11. Every identity (agent ID, session ID) is server-generated
  12. Every WebSocket requires authentication

The incubator implements 3-layer anti-spoofing:

  1. WebSocket pinning: Connection-level agent ID takes precedence over per-message IDs
  2. Session tokens: 48-character hex tokens mapped to agents via SessionStore
  3. Token passing: Orchestrator registers agents and passes ACP_SESSION_TOKEN to subprocesses

This prevents any client from impersonating another agent — a critical requirement for multi-agent coordination where agents may have different trust levels.