Security
Defense-in-depth: encryption, approval gates, audit logging, and circuit breakers.
Security Model
Conductor is designed with defense-in-depth. Every layer has independent security controls — no single failure compromises the system. Secrets never touch config files. Dangerous operations require explicit approval. Every action is logged immutably.
AES-256-GCM Encryption
Secrets are encrypted at rest using AES-256-GCM. Stored in an encrypted local credential store — never in config files.
Command Allowlisting
The shell plugin enforces a strict allowlist. Only explicitly permitted commands can be executed — no wildcards.
Approval Gates
Dangerous tools set requiresApproval: true. Execution halts until the user explicitly approves via the terminal or dashboard.
Audit Logging
SHA-256 chained append-only log at ~/.conductor/audit.log. Any modification breaks the chain, making tampering detectable.
Circuit Breakers
Each tool has an independent circuit breaker. After repeated failures the circuit opens, preventing cascading errors.
Encrypted Credential Store
Secrets are stored in an encrypted local credential store (AES-256-GCM). Never written to config.json or any plain-text file.
Secret Management
Secrets (API keys, tokens, passwords) are never stored in config.json. The flow:
- 01 Plugin configSchema marks the field with secret: true
- 02 conductor config setup prompts for the value
- 03 Value is encrypted with AES-256-GCM using a machine-bound key
- 04 Encrypted value is stored in the encrypted local credential store
- 05 At runtime, Conductor decrypts on demand — never written to disk
Shell Allowlist
The shell plugin uses a strict allowlist — no wildcard permissions. Configure allowed and approval-required commands in your config:
// ~/.conductor/config.json
{
  "plugins": {
    "shell": {
      "allowedCommands": [
        "ls", "cat", "echo", "pwd", "git", "npm", "node"
      ],
      "requireApproval": ["rm", "mv", "cp", "chmod"]
    }
  }
}
Circuit Breaker
Each tool has an independent circuit breaker. After 5 consecutive failures the circuit opens. All requests fail immediately until the half-open probe succeeds.
// Circuit breaker states
CLOSED → Normal operation, requests pass through
OPEN → All requests fail fast (circuit tripped)
HALF_OPEN → Testing whether the service has recovered
Audit Log
Every tool call is appended to ~/.conductor/audit.log. Each entry includes a SHA-256 hash of the previous entry — forming a chain that makes any tampering detectable.
{
  "id": "evt_01HXYZ",
  "timestamp": "2026-01-15T10:23:45.123Z",
  "tool": "filesystem.write",
  "input": { "path": "/home/user/app/index.ts" },
  "result": "success",
  "hash": "sha256:a3f9b2...",
  "prevHash": "sha256:4c8d1e..."
}
View the audit log with conductor audit list or query it via the HTTP API at GET /audit.
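A verifier for a hash-chained log like the one described above, as an added example that is not Conductor's own code. The page does not say which bytes are hashed, so the hashing scheme, the one-entry-per-line layout, the all-zero first prevHash and the sample entries (including the shell.exec tool name) are assumptions made for illustration.

```javascript
const { createHash } = require("crypto");

// ASSUMPTIONS (not documented on the page): one JSON entry per line, hash =
// SHA-256 over the key-sorted JSON of every field except "hash", and an
// all-zero prevHash on the first entry.
const GENESIS = "sha256:" + "0".repeat(64);

function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object") {
    const parts = Object.keys(v).sort().map((k) => JSON.stringify(k) + ":" + canonical(v[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(v);
}

function entryHash(entry) {
  const { hash, ...body } = entry; // hash covers everything else, prevHash included
  return "sha256:" + createHash("sha256").update(canonical(body)).digest("hex");
}

// Walk the log front to back; report the first entry that breaks the chain.
function verifyChain(lines) {
  let head = GENESIS;
  for (let i = 0; i < lines.length; i++) {
    let e;
    try { e = JSON.parse(lines[i]); } catch { e = null; }
    if (!e || typeof e !== "object") return { ok: false, index: i, reason: "unparseable entry" };
    if (e.prevHash !== head) return { ok: false, index: i, reason: "prevHash mismatch" };
    if (e.hash !== entryHash(e)) return { ok: false, index: i, reason: "hash mismatch" };
    head = e.hash;
  }
  return { ok: true, head }; // head = hash of the newest entry
}

// Constructed sample log (not real Conductor output).
function sampleLog() {
  const log = [];
  const events = [
    ["evt_0001", "filesystem.write", { path: "/home/user/app/index.ts" }],
    ["evt_0002", "shell.exec", { command: "git status" }],
    ["evt_0003", "filesystem.write", { path: "/home/user/app/README.md" }],
  ];
  for (const [id, tool, input] of events) {
    const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
    const e = { id, timestamp: "2026-01-15T10:23:45.123Z", tool, input, result: "success", prevHash };
    log.push({ ...e, hash: entryHash(e) });
  }
  return log.map((e) => JSON.stringify(e));
}
```

Under these assumptions the chain is unkeyed, so removing the newest entries leaves a shorter log that still verifies; comparing the returned head with a copy kept off the host catches that case.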
Rate Limiting
When running with HTTP transport, all endpoints are protected by configurable rate limits using express-rate-limit. The dashboard, webhook, and tool endpoints have independent limits. Defaults are 100 requests per minute per IP.