agent-lab treats agent workloads as hostile or compromised. A broken experiment is acceptable; a silent boundary bypass is not.
Never commit real secrets. This includes API keys, tokens, private keys, SSH keys, browser profiles, cloud credentials, password-manager data, .env, .env.local, secrets/, runtime state, model caches, and generated logs.
Only .env.example belongs in source, and it must contain non-secret placeholders or safe defaults. Future real credentials should be files under secrets/, mounted read-only per service. Do not place real secrets in environment variables; env leaks through Docker inspection and process metadata.
Stop work and report before continuing if tracked source contains or introduces:
- Real secret, token, API key, private key, browser profile, SSH key, or cloud credential.
.env,.env.local, private env files,secrets/, runtime state, browser profiles, model caches, or key material.- Docker socket mounts.
- Host home-directory mounts.
network_mode: host.- Privileged containers.
- Public port bindings by default.
- Agent/test containers attached directly to the internet-capable
egressnetwork. - Agent containers with both broad credentials and open internet.
- Direct internet paths from agents that bypass the proxy.
- Security claims that are not implemented and tested.
Agent and test containers must attach only to the internal agents network. Only egress-proxy may attach to both agents and egress.
No service publishes public ports in v0. Future operator-facing ports must bind to 127.0.0.1 unless explicitly approved.
The Docker socket must never be mounted into an agent container. Host home directories, SSH directories, cloud-drive roots, browser profiles, and password-manager data must never be mounted into agent containers.
Domain allowlisting controls where traffic can go. It does not control what an agent sends to an allowed destination. If example.com is allowlisted, a compromised agent can send data to example.com.
This is a private lab. Report suspected boundary bypasses, secret exposure, or dangerous defaults to the repository owner through the private project channel used for this repository.