Unleashed's primary threat is accidental destruction by a hallucinating LLM — not a human attacker with network access. Claude Code can:

• Delete files outside the project directory
• Overwrite system configuration
• Exfiltrate secrets via Bash commands (e.g., curl with env vars)
• Run destructive git operations (push --force, reset --hard)

These are probabilistic (LLM hallucination) not deterministic (targeted attack). The safety system is designed for this threat model — it doesn't try to stop a sophisticated attacker who controls the terminal.

• Targeted attack on unleashed itself — an attacker with shell access can just kill the process
• Malicious Claude Code updates — we trust Anthropic's distribution
• Side-channel attacks — timing, power analysis, etc.
• Social engineering — the user is the only operator

flowchart TD
    subgraph TRUSTED ["Trusted (User's Machine)"]
        direction TB
        USER["User"]
        UNLEASHED["Unleashed Process"]
        CC["Claude Code Process"]
        FS["File System<br/>(within safe_paths)"]
    end

    subgraph SEMI ["Semi-Trusted (Boundaries)"]
        direction TB
        FSOUT["File System<br/>(outside safe_paths)"]
        GIT["Git Remote<br/>(push operations)"]
    end

    subgraph UNTRUSTED ["Untrusted (External)"]
        direction TB
        API["Anthropic API<br/>(sentinel Haiku calls)"]
        WEB["Internet<br/>(curl, wget, WebFetch)"]
        LLM["LLM Output<br/>(Claude's responses)"]
    end

    USER --> UNLEASHED
    UNLEASHED --> CC
    CC --> FS
    CC --> FSOUT
    CC --> GIT
    CC --> WEB
    UNLEASHED -->|"sentinel check"| API
    CC -.->|"generates"| LLM
    LLM -.->|"could contain<br/>prompt injection"| CC

    style UNTRUSTED fill:#ef4444,stroke:#991b1b,color:#fff
    style SEMI fill:#fbbf24,stroke:#92400e,color:#000
    style TRUSTED fill:#4ade80,stroke:#166534,color:#000

Critical: Sentinel API calls send command text to Anthropic. If the command contains inline secrets (e.g., curl -H "Authorization: Bearer sk-...") those secrets reach the Haiku API. This is inherent to the evaluation model — sentinel must see the command to evaluate it. See "Privacy Considerations" below.

See Sentinel Safety Gate for full details.

• Local rules: 19 hard block patterns, 12 safe patterns, path-based rules
• API evaluation: Haiku LLM evaluates ambiguous commands
• Fail-open: API errors don't freeze the session

Operations are allowed or blocked based on directory:

• Safe paths: C:\Users\mcwiz\Projects\, /c/Users/mcwiz/Projects/
• Excluded paths: OneDrive, AppData, .cache, .local, Dropbox, Google Drive, Windows, Program Files

19 regex patterns for always-dangerous commands: dd, mkfs, shred, format, git push --force, git reset --hard, rm -rf /, etc.

256-byte overlap between PTY read chunks prevents missing permission patterns at read boundaries.

1. Sentinel API calls: Command text (up to 500 chars) is sent to Anthropic's Haiku API for evaluation. This includes Bash commands, file paths, and command arguments. No file contents are sent.

2. Mirror transcripts: Stored locally in logs/. Contain a filtered view of the session. Not transmitted anywhere.

3. Shadow logs: Stored locally in logs/. Contain tool type and arguments for every detected permission prompt.

4. Friction logs: Stored locally as JSONL. Contain permission prompt timing and verdict data.

5. No telemetry: Unleashed sends no analytics, usage data, or crash reports.

Both keys are loaded from environment variables, sourced from ~/.agentos_secrets in .bash_profile. The secrets file is not version-controlled.

Known leak path (#38): When the Anthropic SDK raises an exception, str(e) may include HTTP request headers containing the API key. The current _api_check() returns str(e) as the error reason, which propagates to stderr and log files.

See For Security Reviewers for a structured review guide.