Buckler protects against unintended agentic shell actions. Its threat model covers:

| Threat | Mitigation |
|---|---|
| Agent runs destructive gh commands (repo delete, api DELETE, …) | agent-gh pack denies baseline destructive subcommands |
| Agent force-pushes or deletes remote branches | Deny rules on --force, -f, --delete, --mirror, :branch push |
| Agent removes or rewrites a remote | Deny rules on git remote remove; remote set-url denied in strict tier |
| Agent bypasses the hook (shell escape) | failClosed: true on critical hooks; shell segmentation + expansion in buckler.core closes the agent-class bypasses tracked in Known parser bypasses (status). Not a full POSIX bash parser — see remaining gaps there. |
| Tampered release artifact | Cosign keyless verification in setup.sh before any extraction |
| Malicious user rules | Rules run in the same process as Buckler; no sandbox. User rules are trusted. |

The agent-git pack's shell parser is not a full POSIX bash implementation. The table below tracks residual bypass classes; closed classes remain documented here with a pointer to the remediation spec and tests.

| Bypass class | Status | Remediation / tracking |
|---|---|---|
| & (background) — e.g. git status & git commit | closed | specs/done/parser-bypass-hardening/spec.md; tests/test_agent_git_redteam.py |
| Shell pipe between commands (e.g. git status \| xargs git commit) | closed | same (xargs delegation matched heuristically) |
| Command substitution $(…) and backticks | closed | same |
| bash -c / sh -c / dash -c string not recursed | closed | same (depth cap 3; excess → deny) |
| Env prefix / env — e.g. FOO=bar git commit, env … git commit | closed | same |
| ANSI-C $'…', here-docs, here-strings | open | Future work (tracked in specs/done/parser-bypass-hardening/spec.md out-of-scope); file an issue if exploitable in harness |

Remaining posture: an expansion or parse failure on nested commands results in deny (fail-closed); the RETHUNK_ALLOW_SHELL=1 env-only bypass still applies.

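The fail-closed posture in the table above, sketched as an added example that is not Buckler's code: a segmenter that splits on shell operators, descends into substitutions and shell arguments up to the depth cap, and denies whatever it cannot parse. The names `decide` and `push_denied` and the single git push rule are assumptions made for illustration.

```python
import re
import shlex
from itertools import groupby

MAX_DEPTH = 3                       # page: depth cap 3; excess -> deny
SHELLS = {"bash", "sh", "dash"}
DENY_FLAGS = {"--force", "-f", "--delete", "--mirror"}
# Not parsed, so denied: $'...', here-docs/strings, escaped or quoted operators.
UNSUPPORTED = re.compile(r"""\$'|<<|\\[();<>|&]|(["'])[();<>|&]+\1""")
SUBST = re.compile(r"\$\(([^()`]*)\)|`([^`]*)`")    # innermost $(...) or `...`

def base(tok):
    return tok.rsplit("/", 1)[-1]

def is_sep(tok):                    # ; & | && || ( ) < > end a segment
    return bool(tok) and set(tok) <= set("();<>|&")

def push_denied(seg):
    """Constructed rule: git push with a destructive flag or a :branch refspec."""
    names = [base(t) for t in seg]
    if "git" not in names:
        return False
    args = seg[names.index("git") + 1:]   # skips VAR=x, env and xargs prefixes
    return "push" in args and any(a in DENY_FLAGS or a.startswith(":") for a in args)

def decide(cmd, depth=0):
    if depth > MAX_DEPTH or UNSUPPORTED.search(cmd):
        return "deny"
    m = SUBST.search(cmd)
    if m:                                 # judge the body, blank it out, rescan
        if decide(m.group(1) or m.group(2) or "", depth + 1) == "deny":
            return "deny"
        return decide(cmd[:m.start()] + " _ " + cmd[m.end():], depth)
    if "$(" in cmd or "`" in cmd:
        return "deny"                     # substitution we could not match
    try:
        lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
        lex.whitespace_split = True
        tokens = list(lex)
    except ValueError:                    # unterminated quote or dangling escape
        return "deny"
    segs = [list(g) for sep, g in groupby(tokens, key=is_sep) if not sep]
    for seg in segs:
        if push_denied(seg):
            return "deny"
        shell = any(base(t) in SHELLS for t in seg)   # re-parse each shell argument
        if shell and any(decide(a, depth + 1) == "deny" for a in seg[1:]):
            return "deny"
    return "allow"
```

The rule over-approximates on purpose: a harmless `echo git push --force` is denied as well, which is the cost of matching wrapped commands heuristically.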
Buckler v1 is a local tool — it does not contact any remote service at runtime. Policy evaluation is offline. The only network access is during setup.sh install/update to download releases from GitHub.

RETHUNK_ALLOW_SHELL=1 bypasses all rules. This is intentional for emergency use. With audit logging enabled, bypasses are recorded to ~/.local/state/buckler/audit.log.

Every release tarball is signed via Sigstore keyless signing in GitHub Actions. The signing identity is the OIDC token of the release workflow.

```bash
# Download artifacts
curl -fsSLO https://github.com/Rethunk-AI/buckler/releases/latest/download/buckler-latest.tar.gz
curl -fsSLO https://github.com/Rethunk-AI/buckler/releases/latest/download/buckler-latest.tar.gz.bundle
# Verify (cosign must be installed)
cosign verify-blob buckler-latest.tar.gz \
  --bundle buckler-latest.tar.gz.bundle \
  --certificate-identity-regexp "https://github.com/Rethunk-AI/buckler/.github/workflows/release.yml" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
```

A successful verification prints Verified OK. Do not proceed if verification fails.

Please do not open a public GitHub issue for security vulnerabilities.
Report privately via GitHub Security Advisories: https://github.com/Rethunk-AI/buckler/security/advisories/new
Or email the maintainers directly (see the org contact in the GitHub profile).
We aim to respond within 72 hours and publish a fix within 7 days for critical issues.