Security model
VibeAround exposes powerful things — a terminal, a coding agent with shell access, your provider credentials — so its trust boundaries are worth understanding precisely. The short version: everything runs on your mach...
VibeAround exposes powerful things — a terminal, a coding agent with shell access, your provider credentials — so its trust boundaries are worth understanding precisely. The short version: everything runs on your machine, localhost is trusted after token auth, anything reaching in from outside must pair, and credentials never leave the daemon.
Trust zones
zone 0 the daemon process holds credentials, spawns agents
zone 1 localhost clients desktop app, local browser, va CLI — token auth
zone 2 tunneled browsers pairing code + token required
zone 3 IM platforms messages only, mediated by plugins and permission cardsZone 1: local clients and the auth token
Every daemon start generates a fresh random bearer token, written to ~/.vibearound/auth.json. All protected HTTP and WebSocket routes require it, as Authorization: Bearer <token> or a ?token= query parameter. The desktop app opens the dashboard with the token appended; the va CLI reads the token file; a browser that presents a stale token after a daemon restart is rejected and must reload through an authorized entry point.
Practical consequences:
- Another local user (or malware) cannot drive your agents just because the port is open — it needs the token file, which lives in your home directory.
- Restarting the daemon invalidates every previously issued URL.
Zone 2: remote access through tunnels
Tunnels (ngrok, localtunnel, Cloudflare) publish the dashboard to a public URL. Two gates apply:
- Pairing. A browser on a non-local hostname must complete pairing: the dashboard shows a 6-digit code that expires after 60 seconds, and the code must be confirmed from an already-trusted surface — typed into a connected IM chat (
/pair <code>) or approved locally. Pairing binds that browser to the daemon's current auth token (all TTLs: timers and limits). - Token. After pairing, the same bearer-token rules apply as locally.
Local hostnames (localhost, 127.0.0.1, ::1, and the desktop app's own origins) skip pairing but never skip the token.
Zone 3: IM platforms
IM messages arrive through channel plugins. The platform never gets a shell; it gets a conversation:
- Permission cards. When an agent wants to run a command or edit files beyond its allowed scope, the permission request is rendered as an interactive card in the chat. The agent's turn blocks until someone taps a choice. If the plugin dies mid-request, the request is cancelled rather than silently approved.
- Route isolation. Each chat maps to its own thread and workspace; a group chat cannot see or steer another chat's agent.
- Attachment hygiene. File keys from plugins are validated against path traversal (
.., separators) before becoming file references; unsafe keys are dropped. - Bot credentials (platform tokens) live in
settings.jsonon your machine and are passed only to the owning plugin process.
Previews: sharing without exposing
Live previews of dev servers and rendered Markdown get two URL forms:
| URL | Audience | Lifetime |
|---|---|---|
/preview/u/<slug> | Owner (token-authenticated) | While the preview exists |
/preview/s/<slug> | Anyone with the link | 600 seconds, then expires |
Share links are the only intentionally unauthenticated surface, scoped to one preview and time-boxed to 10 minutes. Everything else on the tunnel still requires pairing + token.
Credential handling
- Provider API keys are stored in the profile store under
~/.vibearound/and injected into upstream requests by the daemon. Rendered agent configs contain only local bridge URLs — a leaked agent config exposes no provider key. - The bridge and agent-as-API endpoints are loopback-only and sit behind a local-bridge gate; they are not reachable through tunnels.
- The daemon's own auth token file is plaintext in your home directory (same trust level as
~/.ssh); treat backups accordingly. - Bridge request/response recording for the launch popup is held in memory only and never written to disk.
What VibeAround does not protect against
Honest limits of the model:
- A malicious local root/user account. Anyone who can read your home directory has your token and credentials.
- Malicious agent behavior within granted permissions. Permission cards gate escalations, but a command you approve runs with your user's full rights.
- IM platform compromise. If someone controls your Telegram account, they can talk to your agent as you — with permission cards as the remaining barrier. Prefer per-chat bots and private chats for sensitive work.
Source anchors: src/server/src/web_server/auth.rs (token middleware, local-origin rules), src/core/src/auth/ (token file, pairing TTL), src/core/src/previews/store.rs (SHARE_TTL_SECS), src/core/src/routing.rs (attachment key validation), src/server/src/web_server/mod.rs (route protection layout).
Last verified: v0.7.11
Connect WhatsApp
WhatsApp connects through Baileys (an unofficial WhatsApp Web client) with QR login on first run; the session persists to disk afterwards.
Concepts
VibeAround's runtime is built around six concepts: workspace , thread , route , session , agent , and profile . Every feature — IM chat, web chat, handover, agent switching — is a combination of these six. This page d...