Skip to content

Security: tt-a1i/hive

Security

SECURITY.md

Security Policy

Hive is a local development tool for coordinating CLI agents. It is not a hosted service and does not provide a multi-user security boundary.

Supported Versions

Version Supported
Latest npm release Security fixes accepted during public preview.
2.x Best-effort fixes while the public preview is active.
Earlier versions Not supported.

Reporting a Vulnerability

Use GitHub private vulnerability reporting for tt-a1i/hive whenever it is available. Do not paste exploit details, tokens, terminal logs, private workspace paths, or reproduction scripts into a public issue.

If private reporting is temporarily unavailable, open a minimal public issue with the title Security contact request and no technical details; a maintainer will provide a private contact path before triage continues.

Expected response during public preview:

  • Initial maintainer response: best effort within 7 days.
  • Public disclosure or changelog entry: after a fix is available, or earlier when the issue does not expose users to practical exploitation.

Please include:

  • Hive version or commit SHA.
  • Operating system and Node.js version.
  • Whether the issue affects the local runtime, packaged install, web UI, PTY process handling, or the injected team command.
  • A minimal reproduction when it is safe to share.

Local Runtime Safety

  • Hive binds to 127.0.0.1 by default. Do not expose the runtime port directly to the internet or to an untrusted network.
  • Built-in presets may pass each CLI's non-interactive or bypass flag so worker agents can continue without manual permission prompts.
  • Treat workers as able to run arbitrary shell commands with the permissions of the user account that launched Hive.
  • Only open trusted workspaces. Hive intentionally gives agents access to the selected workspace so they can edit files and run project commands.
  • Agent tokens are generated by the local runtime, injected into agent process environments, and intended only for local agent-to-runtime calls.
  • The browser UI token is a same-machine session guard. It is not designed to protect Hive from other processes already running as the same OS user.
  • Do not paste Hive agent tokens, terminal output, or workspace logs into public reports if they include private repository or machine details.

Remote Access Safety

Remote access is optional and off by default. When enabled, a paired phone is a trusted device with the same authority as the local browser.

  • Pair only devices you control and revoke them when they are no longer needed.
  • Pairing must be confirmed at the desktop; do not approve a code you did not initiate.
  • Remote access does not move your workspace or agent execution to the gateway. The gateway relays authenticated traffic; your Hive runtime and CLI agents still run on your machine.
  • If you suspect a device, browser profile, or gateway account is compromised, disable Remote access, revoke paired devices, and restart Hive.

Out of Scope for Public Preview

  • Running Hive as a shared server for multiple users.
  • Exposing the local Hive port through a public tunnel or reverse proxy.
  • Operating Hive as a hardened production service.
  • Sandboxing third-party CLI agents beyond the controls provided by those CLIs.

There aren't any published security advisories