
Security Policy

loop-deepseek -- Self-Built ReAct Agent Loop for DeepSeek API

Copyright 2026 Perry Link
Contact: novelnexusai@outlook.com
GitHub: https://github.com/PerryLink/loop-deepseek
License: Apache 2.0


Supported Versions

| Version | Supported        |
|---------|------------------|
| 0.1.x   | ✅ (current)      |
| < 0.1.0 | ❌ (pre-release)  |

Security patches are provided for the latest minor release only. Users are encouraged to upgrade to the most recent version before reporting vulnerabilities.

Reporting a Vulnerability

Please do NOT file a public GitHub Issue for security vulnerabilities.

Instead, send an encrypted report to:

We aim to acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

What to include in your report:

  1. Affected version(s) and environment (OS, Bun version)
  2. Step-by-step reproduction instructions
  3. Impact assessment (what an attacker could achieve)
  4. Any suggested mitigations or patches (optional)
  5. Whether you plan to publicly disclose (so we can coordinate)

Disclosure timeline:

  • T+0: Report received, acknowledgment sent
  • T+5 days: Initial assessment and severity rating
  • T+30 days: Fix released (critical: T+7 days)
  • T+30 days: Public disclosure coordinated with reporter

Guard Layer Security Model

loop-deepseek implements a Guard Layer -- a pure-function banned_behaviors rule engine compiled into the binary. It is stateless, performs no I/O, and cannot be bypassed by LLM output.

Three severity tiers:

| Tier | Name         | Behavior                                                   | Applies To |
|------|--------------|------------------------------------------------------------|------------|
| L0   | CATASTROPHIC | Hard-blocked in ALL modes (safe/auto/unsafe)               | All modes  |
| L1   | IRREVERSIBLE | Blocked in safe mode; requires confirmation in auto        | safe, auto |
| L2   | HIGH_IMPACT  | Blocked in safe mode; auto can proceed after confirmation  | safe, auto |

L0 rules (examples): rm -rf /, fork bombs, mkfs.*, chmod 777 /, DROP DATABASE, curl | sh pipe attacks, git push --force

L1 rules (examples): pip install, npm install -g, git commit, docker rm -f, kubectl delete

L2 rules (examples): npm publish, docker push, terraform apply, aws delete, pm2 delete

Matching engines: exact match, regex (case-insensitive), prefix match.

Protected paths (always blocked for write/edit/bash): loop-deepseek.config.json, .env, .git/**

If you discover a way to bypass the Guard Layer, please report it as a critical vulnerability.

Dependency Security

loop-deepseek is designed with zero framework dependencies. The only dev dependencies are:

  • @types/bun -- Bun type definitions
  • typescript -- TypeScript compiler

No third-party agent frameworks (LangChain, AutoGPT, CrewAI, etc.) are imported at runtime. The compiled binary contains no external npm packages beyond the Bun runtime.

To verify:

```bash
bun install --frozen-lockfile
# Check that only @types/bun and typescript are in node_modules
ls node_modules
```

Secure Development Practices

  1. API Key: DEEPSEEK_API_KEY is read from environment only, never written to disk or logs
  2. Guard Layer: Pure functions only -- no dynamic evaluation, no runtime rule injection
  3. Bash Sandbox: Child processes run with timeout + SIGTERM/SIGKILL escalation; output truncated to 50KB
  4. File Operations: All file paths resolved to absolute before operations; Guard Layer validates paths
  5. Token Budget: Hard stop at 98% context usage prevents runaway costs
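Item 3 above names three controls for the bash sandbox: a timeout, SIGTERM-to-SIGKILL escalation, and a 50KB output cap. The following is an added example of how those three fit together; it is not loop-deepseek's own sandbox code. It uses `node:child_process` (available on Bun and Node), the names `runSandboxed` and `truncateOutput` are hypothetical, and the grace period between the two signals is a parameter the policy does not specify.

```typescript
// Added illustration (not loop-deepseek's own code) of the bash-sandbox practice
// listed in the policy: run a child command under a wall-clock timeout, escalate
// from SIGTERM to SIGKILL if it ignores the first signal, and cap captured output
// at 50KB. Names are hypothetical; the grace period is an assumption.
import { spawn } from "node:child_process";

export const OUTPUT_LIMIT = 50 * 1024; // 50KB cap, as stated in the policy

export interface SandboxOptions {
  timeoutMs: number;    // wall-clock budget before SIGTERM is sent
  killGraceMs: number;  // how long after SIGTERM to wait before SIGKILL
  outputLimit?: number; // defaults to OUTPUT_LIMIT
}

export interface SandboxResult {
  exitCode: number | null;
  signal: string | null; // signal that ended the child, if any
  timedOut: boolean;
  output: string;
  truncated: boolean;
}

// Pure helper: cut a buffer at the byte limit and mark that it was cut.
export function truncateOutput(buf: Buffer, limit = OUTPUT_LIMIT): { text: string; truncated: boolean } {
  if (buf.length <= limit) return { text: buf.toString("utf8"), truncated: false };
  return { text: buf.subarray(0, limit).toString("utf8") + "\n[output truncated]", truncated: true };
}

export function runSandboxed(command: string, opts: SandboxOptions): Promise<SandboxResult> {
  const limit = opts.outputLimit ?? OUTPUT_LIMIT;
  return new Promise((resolvePromise) => {
    const child = spawn("sh", ["-c", command], { stdio: ["ignore", "pipe", "pipe"] });
    const chunks: Buffer[] = [];
    let captured = 0;
    let timedOut = false;
    let killTimer: ReturnType<typeof setTimeout> | undefined;

    // Stop buffering once the limit is passed so a chatty child cannot exhaust memory;
    // the exact cut to `limit` bytes happens in truncateOutput.
    const collect = (chunk: Buffer) => {
      if (captured <= limit) {
        chunks.push(chunk);
        captured += chunk.length;
      }
    };
    child.stdout?.on("data", collect);
    child.stderr?.on("data", collect);

    const termTimer = setTimeout(() => {
      timedOut = true;
      child.kill("SIGTERM"); // polite stop first
      killTimer = setTimeout(() => child.kill("SIGKILL"), opts.killGraceMs); // then force
    }, opts.timeoutMs);

    child.on("close", (code, signal) => {
      clearTimeout(termTimer);
      if (killTimer) clearTimeout(killTimer);
      const { text, truncated } = truncateOutput(Buffer.concat(chunks), limit);
      resolvePromise({ exitCode: code, signal, timedOut, output: text, truncated });
    });
  });
}
```

Resolving on the `close` event rather than `exit` means the result is only produced once the child's stdout and stderr pipes have actually closed, so nothing written just before termination is lost; the `timedOut` flag lets the caller distinguish a budget overrun from a command that simply failed.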
