Overview
Fifteen questions about rousseau's security posture, supply chain, trust boundaries, and disclosure process.
Questions
1. Does rousseau run arbitrary shell commands?
Yes — via the built-in bash tool. Approval policies (agent.approver.mode: pattern) with a default: deny fallback are the primary defence. See Best Practices: Approval rules.
2. Is there a sandbox for the bash tool?
Not inside rousseau — the OS is the sandbox. The reference Podman quadlet drops all capabilities, sets NoNewPrivileges=true, applies seccomp, and runs as UID 1000. That's the security perimeter.
3. How are releases signed?
cosign (keyless, GitHub Actions OIDC) signs the checksums file. Verify with the incantation in the Quickstart.
4. What's the SLSA level?
SLSA Level 3 via slsa-framework/slsa-github-generator. Every tagged release ships an intoto.jsonl provenance attestation.
5. Is there an SBOM?
Yes — CycloneDX 1.5, published per release as rousseau_<v>_sbom.cdx.json.
6. Are dependencies pinned?
Yes. go.mod uses exact versions; go.sum is frozen. govulncheck runs on every CI build and blocks known-vulnerable transitives.
7. Where do you store my API keys?
Nowhere by default. If you put them in config.yaml, they live wherever you save that file. Prefer env vars. See Best Practices: Secret management.
8. Is the session store encrypted at rest?
No. SQLite files are not encrypted. If your host has full-disk encryption, that's your protection. Otherwise, restrict state.path to a mount with the encryption you need.
9. Does rousseau send my code to Anthropic / OpenAI / …?
Only the parts you or the agent choose to send in tool inputs or system-prompt context. Rousseau doesn't ship your entire workspace by default.
10. Does rousseau have a phone-home feature?
No. There is no telemetry, no crash reporter, no analytics.
11. What about the claude CLI subprocess?
The claude CLI has its own trust boundary — see Anthropic's docs. When you use provider: claudecli, rousseau shells out to claude and inherits its behaviour.
12. How do I audit what tools were called?
Every tool invocation logs a structured event. Look for agent.tool.called and agent.tool.result in the logs.
13. What's the fuzz coverage?
Every parser (whatsapp binary XML, signal JSON-RPC, MCP JSON-RPC, config YAML, cron expressions, tool schemas) has a Fuzz function. make fuzz runs the full battery.
14. Do you have a security policy?
Yes, SECURITY.md in the source tree and mirrored at Security.
15. What's the vulnerability disclosure timeline?
Acknowledgement within 72h. Reasonable time for a fix (aim: 30 days for high, 90 days for medium). Public disclosure after a fix is released.