Skip to content

Latest commit

 

History

History
37 lines (25 loc) · 1.45 KB

File metadata and controls

37 lines (25 loc) · 1.45 KB

Trust and Security

Baton is instruction content, not an executable runtime. That makes its trust boundary smaller, but not zero: once installed, its guidance can influence how an AI agent delegates work.

What to review

Before installation, review:

  • SKILL.md for trigger conditions and invariants;
  • every file under references/ for operational guidance;
  • agents/openai.yaml for the invocation prompt;
  • install/MANIFEST.md for the exact installed surface.

Supply-chain guidance

  • Install a release tag or full commit SHA, not a moving main branch.
  • Fetch the runbook and repository files from the same tag or SHA.
  • Review the diff before updating.
  • Do not pipe remote content directly into a shell.
  • Treat an AI-generated installation plan as a summary, not a substitute for reviewing changed files.

Runtime boundaries

Baton does not itself:

  • spawn workers or workflows;
  • modify files;
  • initialize or sync CodeGraph;
  • choose or change models;
  • bypass platform permissions;
  • override user, system, repository, or managed policies.

The active agent and platform remain responsible for authorization and execution. Baton explicitly requires a direct-execution fallback when delegation infrastructure is unavailable or unsafe.

Reporting a concern

Open a GitHub issue without secrets or private repository contents. For a sensitive report, contact the repository owner through an appropriate private channel before publishing exploit details.