# Amicus Security and Sandboxing Design
## 1. Filesystem Sandboxing
### Objective
Ensure that any file operations initiated through Amicus MCP tools are confined to the project root and do not access sensitive system files.
### Mechanism
* **Root Enforcement:** All file paths must be relative to the `CONTEXT_BUS_DIR` or the project root.
* **Path Validation:** Implement an `is_safe_path()` function that:
  * Resolves paths to absolute paths.
  * Checks that the resolved path starts with (lies under) the allowed root directory.
  * Rejects any path containing `..` segments or beginning with `/`, since either can point outside the root.
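The following is an added example for this design note, not code from Amicus's `server.py`: it implements the `is_safe_path()` check described above together with the `safe_read`/`safe_write` tools named in the implementation plan. `PathViolation`, `resolve_safe_path`, `demo_roundtrip` and `demo_symlink_escape` are assumed helper names, and the root `/srv/amicus_project` is a constructed placeholder. It goes one step beyond the bullet list by resolving symlinks before the containment check and by comparing path components rather than string prefixes.

```python
"""Added example: path validation for Amicus file tools.

Illustrative code written for this design note, not the project's server.py.
is_safe_path/safe_read/safe_write are the names the note uses; PathViolation,
resolve_safe_path, demo_roundtrip and demo_symlink_escape are assumed helpers.
"""
import os
import tempfile
from pathlib import Path


class PathViolation(PermissionError):
    """Raised when a requested path would leave the sandbox root."""


def resolve_safe_path(root: str, candidate: str) -> Path:
    """Return the absolute path for `candidate` inside `root`, or raise.

    Checks, in order: no absolute paths, no `..` segments, and the fully
    resolved target (symlinks followed) still lies under the resolved root.
    """
    root_abs = Path(root).resolve(strict=False)
    cand = Path(candidate)
    if cand.is_absolute():
        raise PathViolation(f"absolute path not allowed: {candidate!r}")
    if ".." in cand.parts:
        raise PathViolation(f"parent-directory segment not allowed: {candidate!r}")
    target = (root_abs / cand).resolve(strict=False)
    # relative_to() compares path components, unlike str.startswith(), so
    # /srv/project2 is not mistaken for a child of /srv/project.
    try:
        target.relative_to(root_abs)
    except ValueError:
        raise PathViolation(f"resolved path escapes root: {target}") from None
    return target


def is_safe_path(root: str, candidate: str) -> bool:
    """Boolean form of resolve_safe_path, as named in the design note."""
    try:
        resolve_safe_path(root, candidate)
    except PathViolation:
        return False
    return True


def safe_write(root: str, relpath: str, content: str) -> Path:
    """Write a project file after validation; creates parent directories."""
    target = resolve_safe_path(root, relpath)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target


def safe_read(root: str, relpath: str) -> str:
    """Read a project file after validation."""
    return resolve_safe_path(root, relpath).read_text(encoding="utf-8")


def demo_roundtrip() -> str:
    """Constructed scenario: write then read a file under a temporary root."""
    with tempfile.TemporaryDirectory() as tmp:
        safe_write(tmp, "notes/todo.txt", "refactor server.py")
        return safe_read(tmp, "notes/todo.txt")


def demo_symlink_escape() -> bool:
    """Constructed scenario: a symlink inside root that points outside it.

    Returns what is_safe_path says about a file reached through that link;
    because symlinks are resolved before the containment check, this is False.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "project"
        outside = Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        (outside / "secret.txt").write_text("not for agents", encoding="utf-8")
        os.symlink(outside, root / "link")
        return is_safe_path(str(root), "link/secret.txt")


if __name__ == "__main__":
    root = "/srv/amicus_project"  # constructed root; need not exist for validation
    for p in ["src/main.py", "../etc/passwd", "/etc/passwd", "src/../../x"]:
        print(f"{p!r:20} -> {is_safe_path(root, p)}")
    print("symlink escape allowed?", demo_symlink_escape())
    print("round trip:", demo_roundtrip())
```

The `..` check is kept even though `resolve()` would normally catch a traversal, because the design note lists it as its own rule and it gives a clearer error to the calling agent; the `relative_to()` check is the one that actually enforces containment after symlinks are followed.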
## 2. Command Execution Whitelisting
### Objective
Prevent execution of dangerous or unapproved shell commands by AI agents.
### Mechanism
* **Configuration:** A `whitelist.json` file (or a section in `config.json`) containing allowed command patterns (regex).
* **Tool:** `execute_safe_command(command, args)`
  * Checks the command against the whitelist.
  * If allowed, executes it and returns the output.
  * If blocked, logs the attempt and returns an error.
* **Alternative:** `validate_intent(command)`
  * A tool that returns a boolean and a reason. Useful for agents that use their own native command-execution tools.
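Below is an added example for this design note, not the project's code, showing how `validate_intent()` and `execute_safe_command()` could share one whitelist. The `allowed_commands` layout of the constructed `whitelist.json`, the `SHELL_META` filter, `load_whitelist` and the `BLOCKED_ATTEMPTS` audit list are assumptions made for the example. Two details matter for the whitelist to mean what it says: patterns are applied with `re.fullmatch` so a pattern for `git status` cannot match a longer line that merely contains it, and the validated tokens are executed as an argv list with `shell=False` so they are never re-parsed by a shell.

```python
"""Added example: command whitelisting for Amicus.

Illustrative code written for this design note, not the project's code.
execute_safe_command and validate_intent follow the signatures in the note;
the whitelist.json layout (an "allowed_commands" list of regexes), the
metacharacter filter and BLOCKED_ATTEMPTS are assumptions of this example.
"""
import json
import logging
import re
import subprocess
from typing import Sequence

log = logging.getLogger("amicus.commands")

# Constructed stand-in for whitelist.json. Each pattern is matched with
# re.fullmatch, so it must describe the whole command line, not a substring.
WHITELIST_JSON = """{
  "allowed_commands": [
    "git (status|diff|log)( [A-Za-z0-9_./=-]+)*",
    "pytest( [A-Za-z0-9_./=-]+)*",
    "echo( [A-Za-z0-9_.-]+)*"
  ]
}"""

# Characters that would let one whitelisted command carry a second one
# if the line were ever handed to a shell.
SHELL_META = re.compile(r"[;&|`$<>()\n\\]")

# In-memory audit trail of blocked attempts (the note says to log them).
BLOCKED_ATTEMPTS: list[dict] = []


def load_whitelist(text: str) -> list[re.Pattern]:
    """Compile the regex patterns from whitelist.json content."""
    return [re.compile(p) for p in json.loads(text)["allowed_commands"]]


PATTERNS = load_whitelist(WHITELIST_JSON)


def validate_intent(command: str, args: Sequence[str] = (),
                    patterns: Sequence[re.Pattern] = PATTERNS) -> tuple[bool, str]:
    """Return (allowed, reason) for a command and its argument tokens."""
    tokens = [command, *args]
    for tok in tokens:
        if SHELL_META.search(tok):
            return False, f"shell metacharacter in token {tok!r}"
    line = " ".join(tokens)
    for pat in patterns:
        if pat.fullmatch(line):
            return True, f"matched whitelist pattern {pat.pattern!r}"
    return False, f"no whitelist pattern matches {line!r}"


def execute_safe_command(command: str, args: Sequence[str] = (),
                         patterns: Sequence[re.Pattern] = PATTERNS,
                         timeout: float = 30) -> dict:
    """Run the command only if validate_intent allows it; else log and refuse."""
    allowed, reason = validate_intent(command, args, patterns)
    if not allowed:
        BLOCKED_ATTEMPTS.append({"command": command, "args": list(args), "reason": reason})
        log.warning("blocked command %r %r: %s", command, list(args), reason)
        return {"ok": False, "error": reason}
    # argv list with shell=False: the validated tokens reach the program
    # directly and are never re-parsed by a shell.
    proc = subprocess.run([command, *args], shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return {"ok": True, "returncode": proc.returncode,
            "stdout": proc.stdout, "stderr": proc.stderr}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(validate_intent("git", ["status", "--short"]))
    print(validate_intent("git", ["push", "origin"]))
    print(validate_intent("git", ["status;", "echo", "x"]))
    print(execute_safe_command("echo", ["hello"]))
    print(execute_safe_command("rm", ["-rf", "build"]))
    print("blocked so far:", BLOCKED_ATTEMPTS)
```

The argument character classes in the constructed patterns are deliberately narrow; a real `whitelist.json` should be reviewed for patterns such as `git .*` that would allow arbitrary subcommands, since the regex is the whole policy.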
## 3. Sandboxing Guardrails through MCP
* **Middleware Approach:** Where possible, intercept other tool calls before they run (MCP does not yet natively support this across different servers).
* **State-Based Enforcement:** The Context Bus can track "dangerous" actions reported in agent summaries and alert human users (for example, by having the server trigger `ask_user=True` automatically).
## 4. Implementation Plan
1. **Refactor `server.py`** to include a `Config` class and path validation logic.
2. **Add `safe_write` and `safe_read` tools** to Amicus (separate from state management, specifically for project files).
3. **Implement `validate_command` tool.**
4. **Add `messages` stream to `state.json`** for inter-agent "chat" or "signals".