Security
Defense-in-depth: encryption, approval gates, audit logging, and circuit breakers.
Security Model
Conductor is designed with defense-in-depth. Every layer has independent security controls — no single failure compromises the system. Secrets never touch config files. Dangerous operations require explicit approval. Every action is logged immutably.
AES-256-GCM Encryption
Secrets are encrypted at rest using AES-256-GCM. Stored in an encrypted local credential store — never in config files.
Zero-Knowledge Cloud
Credentials are encrypted on your device before upload. We never see your plaintext keys — only encrypted blobs.
Command Allowlisting
The shell plugin enforces a strict allowlist. Only explicitly permitted commands can be executed — no wildcards.
Approval Gates
Dangerous tools set requiresApproval: true. Execution halts until the user explicitly approves via the terminal or dashboard.
Audit Logging
SHA-256 chained append-only log at ~/.conductor/audit.log. Any modification breaks the chain, making tampering detectable.
Circuit Breakers
Each tool has an independent circuit breaker. After repeated failures the circuit opens, preventing cascading errors.
Encrypted Credential Store
Secrets are stored in an encrypted local credential store (AES-256-GCM). Never written to config.json or any plain-text file.
Self-Host Option
Run your own Conductor Cloud. Full data sovereignty — your credentials never leave your infrastructure.
Secret Management
Secrets (API keys, tokens, passwords) are never stored in config.json. The flow:
- 01 Plugin configSchema marks the field with secret: true
- 02 conductor config setup prompts for the value
- 03 Value is encrypted with AES-256-GCM using a machine-bound key
- 04 Encrypted value is stored in the encrypted local credential store
- 05 At runtime, Conductor decrypts on demand; the plaintext is never written to disk
Shell Allowlist
The shell plugin uses a strict allowlist — no wildcard permissions. Configure allowed and approval-required commands in your config:
// ~/.conductor/config.json
{
  "plugins": {
    "shell": {
      "allowedCommands": [
        "ls", "cat", "echo", "pwd", "git", "npm", "node"
      ],
      "requireApproval": ["rm", "mv", "cp", "chmod"]
    }
  }
}
Circuit Breaker
Each tool has an independent circuit breaker. After 5 consecutive failures the circuit opens. All requests fail immediately until the half-open probe succeeds.
// Circuit breaker states
CLOSED → Normal operation, requests pass through
OPEN → All requests fail fast (circuit tripped)
HALF_OPEN → Testing whether the service has recovered
Audit Log
Every tool call is appended to ~/.conductor/audit.log. Each entry includes a SHA-256 hash of the previous entry — forming a chain that makes any tampering detectable.
{
  "id": "evt_01HXYZ",
  "timestamp": "2026-01-15T10:23:45.123Z",
  "tool": "filesystem.write",
  "input": { "path": "/home/user/app/index.ts" },
  "result": "success",
  "hash": "sha256:a3f9b2...",
  "prevHash": "sha256:4c8d1e..."
}
View the audit log with conductor audit list or query it via the HTTP API at GET /audit.
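As an added example (not Conductor's own code), the following Node.js code verifies a hash chain of the shape shown above and reports the first entry that breaks it. The page does not say how each hash is computed, so the key-sorted JSON serialization, the all-zero prevHash for the first entry, and all function names are assumptions; the sample entries are constructed.

```javascript
const { createHash } = require("node:crypto");

// Assumed prevHash value for the first entry in the log.
const GENESIS = "sha256:" + "0".repeat(64);

// Assumed canonical form: JSON with object keys sorted, so the digest is reproducible.
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object") {
    const body = Object.keys(v).sort().map((k) => JSON.stringify(k) + ":" + canonical(v[k]));
    return "{" + body.join(",") + "}";
  }
  return JSON.stringify(v);
}

// Assumed scheme: the hash covers every field except "hash", including prevHash.
function entryHash(entry) {
  const { hash, ...rest } = entry;
  return "sha256:" + createHash("sha256").update(canonical(rest)).digest("hex");
}

// Builds the next chained entry; used here only to construct sample data.
function append(log, fields) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { ...fields, prevHash };
  entry.hash = entryHash(entry);
  log.push(entry);
  return log;
}

// Walks the chain and reports the first entry that fails either check.
function verifyChain(log) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    if (log[i].prevHash !== expectedPrev) return { ok: false, index: i, reason: "prevHash mismatch" };
    if (log[i].hash !== entryHash(log[i])) return { ok: false, index: i, reason: "hash mismatch" };
    expectedPrev = log[i].hash;
  }
  return { ok: true, index: -1, reason: "" };
}

// Constructed sample entries, not real Conductor output.
function sampleLog() {
  const log = [];
  append(log, { id: "evt_1", tool: "filesystem.write", input: { path: "/home/user/app/index.ts" }, result: "success" });
  append(log, { id: "evt_2", tool: "shell.exec", input: { command: "git status" }, result: "success" });
  append(log, { id: "evt_3", tool: "filesystem.write", input: { path: "/home/user/app/util.ts" }, result: "success" });
  return log;
}
```

A check like this catches edits and deletions inside the chain. Detecting removal of the newest entries or a full rewrite from some point forward requires comparing the latest hash against a copy kept outside the log.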
Rate Limiting
When running with HTTP transport, all endpoints are protected by configurable rate limits using express-rate-limit. The dashboard, webhook, and tool endpoints have independent limits. Defaults are 100 requests per minute per IP.
Zero-Knowledge Cloud Sync
Conductor Cloud uses a zero-knowledge architecture for credential sync:
- 01 You set an encryption password in the dashboard or CLI
- 02 Your credentials are encrypted locally using AES-256-GCM with PBKDF2 key derivation
- 03 Only the encrypted blob (ciphertext, IV, salt) is uploaded to the cloud
- 04 On other devices, you enter your password to decrypt credentials locally
- 05 We never see your plaintext API keys — ever
Important: If you forget your encryption password, your credentials cannot be recovered. There is no password reset because we never store the plaintext.
Self-hosting option available — see Self-Hosting Guide to run your own cloud server.