attack_surface_diagram.mermaid

```mermaid
graph TB
    subgraph External["EXTERNAL ATTACK SURFACE"]
        Telegram["Telegram Gateway"]
        Discord["Discord Gateway"]
        Slack["Slack Gateway"]
        Email["Email Gateway"]
        Matrix["Matrix Gateway"]
        Signal["Signal Gateway"]
        WebUI["Open WebUI"]
        APIServer["API Server (HTTP)"]
    end

    subgraph Gateway["GATEWAY LAYER"]
        PlatformAdapters["Platform Adapters"]
        SessionMgr["Session Manager"]
        Config["Gateway Config"]
    end

    subgraph Core["CORE AGENT"]
        AIAgent["AI Agent"]
        ToolRouter["Tool Router"]
        PromptBuilder["Prompt Builder"]
        ModelClient["Model Client"]
    end

    subgraph Tools["TOOL LAYER"]
        FileTools["File Tools"]
        TerminalTools["Terminal Tools"]
        WebTools["Web Tools"]
        BrowserTools["Browser Tools"]
        DelegateTools["Delegate Tools"]
        CodeExecTools["Code Execution"]
        MCPTools["MCP Tools"]
    end

    subgraph Sandboxes["SANDBOX ENVIRONMENTS"]
        LocalEnv["Local Environment"]
        DockerEnv["Docker Environment"]
        ModalEnv["Modal Cloud"]
        DaytonaEnv["Daytona Environment"]
        SSHEnv["SSH Environment"]
        SingularityEnv["Singularity Environment"]
    end

    subgraph Credentials["CREDENTIAL STORAGE"]
        AuthJSON["auth.json<br/>(OAuth tokens)"]
        DotEnv[".env<br/>(API keys)"]
        MCPTokens["mcp-tokens/<br/>(MCP OAuth)"]
        SkillCreds["Skill Credentials"]
        ConfigYAML["config.yaml<br/>(Configuration)"]
    end

    subgraph DataStores["DATA STORES"]
        ResponseDB["Response Store<br/>(SQLite)"]
        SessionDB["Session DB"]
        Memory["Memory Store"]
        SkillsHub["Skills Hub"]
    end

    subgraph ExternalServices["EXTERNAL SERVICES"]
        LLMProviders["LLM Providers<br/>(OpenAI, Anthropic, etc.)"]
        WebSearch["Web Search APIs<br/>(Firecrawl, Tavily, etc.)"]
        BrowserCloud["Browser Cloud<br/>(Browserbase)"]
        CloudProviders["Cloud Providers<br/>(Modal, Daytona)"]
    end

    %% External to Gateway
    Telegram --> PlatformAdapters
    Discord --> PlatformAdapters
    Slack --> PlatformAdapters
    Email --> PlatformAdapters
    Matrix --> PlatformAdapters
    Signal --> PlatformAdapters
    WebUI --> PlatformAdapters
    APIServer --> PlatformAdapters

    %% Gateway to Core
    PlatformAdapters --> SessionMgr
    SessionMgr --> AIAgent
    Config --> AIAgent

    %% Core to Tools
    AIAgent --> ToolRouter
    ToolRouter --> FileTools
    ToolRouter --> TerminalTools
    ToolRouter --> WebTools
    ToolRouter --> BrowserTools
    ToolRouter --> DelegateTools
    ToolRouter --> CodeExecTools
    ToolRouter --> MCPTools

    %% Tools to Sandboxes
    TerminalTools --> LocalEnv
    TerminalTools --> DockerEnv
    TerminalTools --> ModalEnv
    TerminalTools --> DaytonaEnv
    TerminalTools --> SSHEnv
    TerminalTools --> SingularityEnv
    CodeExecTools --> DockerEnv
    CodeExecTools --> ModalEnv

    %% Credentials access
    AIAgent --> AuthJSON
    AIAgent --> DotEnv
    MCPTools --> MCPTokens
    FileTools --> SkillCreds
    PlatformAdapters --> ConfigYAML

    %% Data stores
    AIAgent --> ResponseDB
    AIAgent --> SessionDB
    AIAgent --> Memory
    AIAgent --> SkillsHub

    %% External services
    ModelClient --> LLMProviders
    WebTools --> WebSearch
    BrowserTools --> BrowserCloud
    ModalEnv --> CloudProviders
    DaytonaEnv --> CloudProviders

    %% Style definitions
    classDef external fill:#ff9999,stroke:#cc0000,stroke-width:2px
    classDef gateway fill:#ffcc99,stroke:#cc6600,stroke-width:2px
    classDef core fill:#ffff99,stroke:#cccc00,stroke-width:2px
    classDef tools fill:#99ff99,stroke:#00cc00,stroke-width:2px
    classDef sandbox fill:#99ccff,stroke:#0066cc,stroke-width:2px
    classDef credentials fill:#ff99ff,stroke:#cc00cc,stroke-width:3px
    classDef datastore fill:#ccccff,stroke:#6666cc,stroke-width:2px
    classDef external_svc fill:#ccffff,stroke:#00cccc,stroke-width:2px

    class Telegram,Discord,Slack,Email,Matrix,Signal,WebUI,APIServer external
    class PlatformAdapters,SessionMgr,Config gateway
    class AIAgent,ToolRouter,PromptBuilder,ModelClient core
    class FileTools,TerminalTools,WebTools,BrowserTools,DelegateTools,CodeExecTools,MCPTools tools
    class LocalEnv,DockerEnv,ModalEnv,DaytonaEnv,SSHEnv,SingularityEnv sandbox
    class AuthJSON,DotEnv,MCPTokens,SkillCreds,ConfigYAML credentials
    class ResponseDB,SessionDB,Memory,SkillsHub datastore
    class LLMProviders,WebSearch,BrowserCloud,CloudProviders external_svc
```

```mermaid
flowchart TB
    subgraph AttackVectors["ATTACK VECTORS"]
        direction TB
        AV1["1. Malicious User Prompts"]
        AV2["2. Compromised Skills"]
        AV3["3. Malicious URLs"]
        AV4["4. File Path Manipulation"]
        AV5["5. Command Injection"]
        AV6["6. Credential Theft"]
        AV7["7. Session Hijacking"]
        AV8["8. Sandbox Escape"]
    end

    subgraph Targets["HIGH-VALUE TARGETS"]
        direction TB
        T1["API Keys & Tokens"]
        T2["User Credentials"]
        T3["Session Data"]
        T4["Host System"]
        T5["Cloud Resources"]
    end

    subgraph Mitigations["SECURITY CONTROLS"]
        direction TB
        M1["Dangerous Command Approval"]
        M2["Skills Guard Scanning"]
        M3["URL Safety Checks"]
        M4["Path Validation"]
        M5["Secret Redaction"]
        M6["Sandbox Isolation"]
        M7["Session Management"]
        M8["Audit Logging"]
    end

    AV1 -->|exploits| T4
    AV1 -->|bypasses| M1
    AV2 -->|targets| T1
    AV2 -->|bypasses| M2
    AV3 -->|targets| T5
    AV3 -->|bypasses| M3
    AV4 -->|targets| T4
    AV4 -->|bypasses| M4
    AV5 -->|targets| T4
    AV5 -->|bypasses| M1
    AV6 -->|targets| T1 & T2
    AV6 -->|bypasses| M5
    AV7 -->|targets| T3
    AV7 -->|bypasses| M7
    AV8 -->|targets| T4 & T5
    AV8 -->|bypasses| M6
```

```mermaid
sequenceDiagram
    participant Attacker
    participant Platform as Messaging Platform
    participant Gateway as Gateway Adapter
    participant Agent as AI Agent
    participant Tools as Tool Layer
    participant Sandbox as Sandbox Environment
    participant Creds as Credential Store

    Note over Attacker,Creds: Attack Scenario: Command Injection
    
    Attacker->>Platform: Send malicious message:<br/>"; rm -rf /; echo pwned"
    Platform->>Gateway: Forward message
    Gateway->>Agent: Process user input
    Agent->>Tools: Execute terminal command
    
    alt Security Controls Active
        Tools->>Tools: detect_dangerous_command()
        Tools-->>Agent: BLOCK: Dangerous pattern detected
        Agent-->>Gateway: Request user approval
        Gateway-->>Platform: "Approve dangerous command?"
        Platform-->>Attacker: Approval prompt
        Attacker-->>Platform: Deny
        Platform-->>Gateway: Command denied
        Gateway-->>Agent: Cancel execution
        Note right of Tools: ATTACK PREVENTED
    else Security Controls Bypassed
        Tools->>Sandbox: Execute command<br/>(bypassing detection)
        Sandbox->>Sandbox: System damage
        Sandbox->>Creds: Attempt credential access
        Note right of Tools: ATTACK SUCCESSFUL
    end
```
security: fix command injection vulnerabilities (CVSS 9.8) Replace shell=True with list-based subprocess execution to prevent command injection via malicious user input. Changes: - tools/transcription_tools.py: Use shlex.split() + shell=False - tools/environments/docker.py: List-based commands with container ID validation Fixes CVE-level vulnerability where malicious file paths or container IDs could inject arbitrary commands. CVSS: 9.8 (Critical) Refs: V-001 in SECURITY_AUDIT_REPORT.md 2026-03-30 23:15:11 +00:00			```mermaid
			`graph TB`
			`subgraph External["EXTERNAL ATTACK SURFACE"]`
			`Telegram["Telegram Gateway"]`
			`Discord["Discord Gateway"]`
			`Slack["Slack Gateway"]`
			`Email["Email Gateway"]`
			`Matrix["Matrix Gateway"]`
			`Signal["Signal Gateway"]`
			`WebUI["Open WebUI"]`
			`APIServer["API Server (HTTP)"]`
			`end`

			`subgraph Gateway["GATEWAY LAYER"]`
			`PlatformAdapters["Platform Adapters"]`
			`SessionMgr["Session Manager"]`
			`Config["Gateway Config"]`
			`end`

			`subgraph Core["CORE AGENT"]`
			`AIAgent["AI Agent"]`
			`ToolRouter["Tool Router"]`
			`PromptBuilder["Prompt Builder"]`
			`ModelClient["Model Client"]`
			`end`

			`subgraph Tools["TOOL LAYER"]`
			`FileTools["File Tools"]`
			`TerminalTools["Terminal Tools"]`
			`WebTools["Web Tools"]`
			`BrowserTools["Browser Tools"]`
			`DelegateTools["Delegate Tools"]`
			`CodeExecTools["Code Execution"]`
			`MCPTools["MCP Tools"]`
			`end`

			`subgraph Sandboxes["SANDBOX ENVIRONMENTS"]`
			`LocalEnv["Local Environment"]`
			`DockerEnv["Docker Environment"]`
			`ModalEnv["Modal Cloud"]`
			`DaytonaEnv["Daytona Environment"]`
			`SSHEnv["SSH Environment"]`
			`SingularityEnv["Singularity Environment"]`
			`end`

			`subgraph Credentials["CREDENTIAL STORAGE"]`
			`AuthJSON["auth.json<br/>(OAuth tokens)"]`
			`DotEnv[".env<br/>(API keys)"]`
			`MCPTokens["mcp-tokens/<br/>(MCP OAuth)"]`
			`SkillCreds["Skill Credentials"]`
			`ConfigYAML["config.yaml<br/>(Configuration)"]`
			`end`

			`subgraph DataStores["DATA STORES"]`
			`ResponseDB["Response Store<br/>(SQLite)"]`
			`SessionDB["Session DB"]`
			`Memory["Memory Store"]`
			`SkillsHub["Skills Hub"]`
			`end`

			`subgraph ExternalServices["EXTERNAL SERVICES"]`
			`LLMProviders["LLM Providers<br/>(OpenAI, Anthropic, etc.)"]`
			`WebSearch["Web Search APIs<br/>(Firecrawl, Tavily, etc.)"]`
			`BrowserCloud["Browser Cloud<br/>(Browserbase)"]`
			`CloudProviders["Cloud Providers<br/>(Modal, Daytona)"]`
			`end`

			`%% External to Gateway`
			`Telegram --> PlatformAdapters`
			`Discord --> PlatformAdapters`
			`Slack --> PlatformAdapters`
			`Email --> PlatformAdapters`
			`Matrix --> PlatformAdapters`
			`Signal --> PlatformAdapters`
			`WebUI --> PlatformAdapters`
			`APIServer --> PlatformAdapters`

			`%% Gateway to Core`
			`PlatformAdapters --> SessionMgr`
			`SessionMgr --> AIAgent`
			`Config --> AIAgent`

			`%% Core to Tools`
			`AIAgent --> ToolRouter`
			`ToolRouter --> FileTools`
			`ToolRouter --> TerminalTools`
			`ToolRouter --> WebTools`
			`ToolRouter --> BrowserTools`
			`ToolRouter --> DelegateTools`
			`ToolRouter --> CodeExecTools`
			`ToolRouter --> MCPTools`

			`%% Tools to Sandboxes`
			`TerminalTools --> LocalEnv`
			`TerminalTools --> DockerEnv`
			`TerminalTools --> ModalEnv`
			`TerminalTools --> DaytonaEnv`
			`TerminalTools --> SSHEnv`
			`TerminalTools --> SingularityEnv`
			`CodeExecTools --> DockerEnv`
			`CodeExecTools --> ModalEnv`

			`%% Credentials access`
			`AIAgent --> AuthJSON`
			`AIAgent --> DotEnv`
			`MCPTools --> MCPTokens`
			`FileTools --> SkillCreds`
			`PlatformAdapters --> ConfigYAML`

			`%% Data stores`
			`AIAgent --> ResponseDB`
			`AIAgent --> SessionDB`
			`AIAgent --> Memory`
			`AIAgent --> SkillsHub`

			`%% External services`
			`ModelClient --> LLMProviders`
			`WebTools --> WebSearch`
			`BrowserTools --> BrowserCloud`
			`ModalEnv --> CloudProviders`
			`DaytonaEnv --> CloudProviders`

			`%% Style definitions`
			`classDef external fill:#ff9999,stroke:#cc0000,stroke-width:2px`
			`classDef gateway fill:#ffcc99,stroke:#cc6600,stroke-width:2px`
			`classDef core fill:#ffff99,stroke:#cccc00,stroke-width:2px`
			`classDef tools fill:#99ff99,stroke:#00cc00,stroke-width:2px`
			`classDef sandbox fill:#99ccff,stroke:#0066cc,stroke-width:2px`
			`classDef credentials fill:#ff99ff,stroke:#cc00cc,stroke-width:3px`
			`classDef datastore fill:#ccccff,stroke:#6666cc,stroke-width:2px`
			`classDef external_svc fill:#ccffff,stroke:#00cccc,stroke-width:2px`

			`class Telegram,Discord,Slack,Email,Matrix,Signal,WebUI,APIServer external`
			`class PlatformAdapters,SessionMgr,Config gateway`
			`class AIAgent,ToolRouter,PromptBuilder,ModelClient core`
			`class FileTools,TerminalTools,WebTools,BrowserTools,DelegateTools,CodeExecTools,MCPTools tools`
			`class LocalEnv,DockerEnv,ModalEnv,DaytonaEnv,SSHEnv,SingularityEnv sandbox`
			`class AuthJSON,DotEnv,MCPTokens,SkillCreds,ConfigYAML credentials`
			`class ResponseDB,SessionDB,Memory,SkillsHub datastore`
			`class LLMProviders,WebSearch,BrowserCloud,CloudProviders external_svc`
			```

			```mermaid
			`flowchart TB`
			`subgraph AttackVectors["ATTACK VECTORS"]`
			`direction TB`
			`AV1["1. Malicious User Prompts"]`
			`AV2["2. Compromised Skills"]`
			`AV3["3. Malicious URLs"]`
			`AV4["4. File Path Manipulation"]`
			`AV5["5. Command Injection"]`
			`AV6["6. Credential Theft"]`
			`AV7["7. Session Hijacking"]`
			`AV8["8. Sandbox Escape"]`
			`end`

			`subgraph Targets["HIGH-VALUE TARGETS"]`
			`direction TB`
			`T1["API Keys & Tokens"]`
			`T2["User Credentials"]`
			`T3["Session Data"]`
			`T4["Host System"]`
			`T5["Cloud Resources"]`
			`end`

			`subgraph Mitigations["SECURITY CONTROLS"]`
			`direction TB`
			`M1["Dangerous Command Approval"]`
			`M2["Skills Guard Scanning"]`
			`M3["URL Safety Checks"]`
			`M4["Path Validation"]`
			`M5["Secret Redaction"]`
			`M6["Sandbox Isolation"]`
			`M7["Session Management"]`
			`M8["Audit Logging"]`
			`end`

			`AV1 -->\|exploits\| T4`
			`AV1 -->\|bypasses\| M1`
			`AV2 -->\|targets\| T1`
			`AV2 -->\|bypasses\| M2`
			`AV3 -->\|targets\| T5`
			`AV3 -->\|bypasses\| M3`
			`AV4 -->\|targets\| T4`
			`AV4 -->\|bypasses\| M4`
			`AV5 -->\|targets\| T4`
			`AV5 -->\|bypasses\| M1`
			`AV6 -->\|targets\| T1 & T2`
			`AV6 -->\|bypasses\| M5`
			`AV7 -->\|targets\| T3`
			`AV7 -->\|bypasses\| M7`
			`AV8 -->\|targets\| T4 & T5`
			`AV8 -->\|bypasses\| M6`
			```

			```mermaid
			`sequenceDiagram`
			`participant Attacker`
			`participant Platform as Messaging Platform`
			`participant Gateway as Gateway Adapter`
			`participant Agent as AI Agent`
			`participant Tools as Tool Layer`
			`participant Sandbox as Sandbox Environment`
			`participant Creds as Credential Store`

			`Note over Attacker,Creds: Attack Scenario: Command Injection`

			`Attacker->>Platform: Send malicious message:<br/>"; rm -rf /; echo pwned"`
			`Platform->>Gateway: Forward message`
			`Gateway->>Agent: Process user input`
			`Agent->>Tools: Execute terminal command`

			`alt Security Controls Active`
			`Tools->>Tools: detect_dangerous_command()`
			`Tools-->>Agent: BLOCK: Dangerous pattern detected`
			`Agent-->>Gateway: Request user approval`
			`Gateway-->>Platform: "Approve dangerous command?"`
			`Platform-->>Attacker: Approval prompt`
			`Attacker-->>Platform: Deny`
			`Platform-->>Gateway: Command denied`
			`Gateway-->>Agent: Cancel execution`
			`Note right of Tools: ATTACK PREVENTED`
			`else Security Controls Bypassed`
			`Tools->>Sandbox: Execute command<br/>(bypassing detection)`
			`Sandbox->>Sandbox: System damage`
			`Sandbox->>Creds: Attempt credential access`
			`Note right of Tools: ATTACK SUCCESSFUL`
			`end`
			```