Security
Security
Section titled “Security”LingXiao is powerful by design. It can read and write files, run terminals, execute shell/Python, drive browsers, mutate Git state, open terminals, execute workflows, call external models, and spawn/coordinate agents. Treat the web server token as access to the host workspace.
Local-First
Section titled “Local-First”LingXiao runs centered on the local engineering directory by default:
- SQLite stores sessions, tasks, messages, and agent state
- Configuration at
~/.lingxiao/settings.json - Web server token protects local API
Web Server Token
Section titled “Web Server Token”Authentication Methods
Section titled “Authentication Methods”| Endpoint Group | Auth Method |
|---|---|
/health, static assets | Public |
/api/v1/** | server token (header x-lingxiao-token or ?token= query) |
/api/v1/acp | server token + ACP credentials |
/llm/* | gateway virtual key |
- HTML pages inject
window.__LINGXIAO_TOKEN__to bootstrap subsequent requests - Hardened mode disables
?token=query, accepting only header authentication
Hardened Mode
Section titled “Hardened Mode”Auto-enabled on non-loopback binding:
- Disables query token, only
x-lingxiao-tokenheader accepted - Rate limiting cooldown: 30 seconds
- Non-localhost requests not exempt from rate limiting
- File read/write routes enforce root-path containment checks
- Worker task
write_scopeisolation enforced - Terminal sessions must use a
cwdinside the workspace root
Permission Controls
Section titled “Permission Controls”Permission Modes
Section titled “Permission Modes”| Mode | Description |
|---|---|
strict | All write operations require confirmation (default) |
dev | Development mode, relaxed confirmation |
networked | Network mode, allows network tools |
yolo | No confirmation needed (use with caution) |
Permission Layers
Section titled “Permission Layers”/mode, /allow-tool, /deny-tool, /ask-tool persist to different layers:
session: SQLitesession_stateproject:.lingxiao/permissions.project.jsonlocal:.lingxiao/permissions.local.jsonuser:~/.lingxiao/permissions.user.json
Worker Write Scope Isolation
Section titled “Worker Write Scope Isolation”Each Worker task can be configured with write_scope, limiting its file write range. Enforced in hardened mode; recommended even when not hardened.
Secret Management
Section titled “Secret Management”Potential Secrets
Section titled “Potential Secrets”- Model provider API keys (in config/credentials)
- Git tokens
- Server token
- Browser cookies/session state
- Environment variables passed to tools
- Do not expose raw secrets through
/api/v1/settings(API responses are masked) - Do not embed secrets in generated docs or logs
- User-defined tools should not receive unrestricted env by default
- Mask Git tokens and provider keys in UI/API responses
- Do not put tokens into Git remote URLs. Use GitHub CLI or a credential manager
Git Publishing Safety
Section titled “Git Publishing Safety”Before pushing a fresh repository:
- Verify
.gitignoreexcludes dependencies, build output, local runtime state, archives, databases, and secrets - Run
git status --shortand confirm nonode_modules,dist,.lingxiao,.env, SQLite, archive, or token-bearing file is staged - Run a secret scan with
rgfor common token prefixes - Keep remote URLs clean (
https://github.com/owner/repo.git, nothttps://user:token@github.com/owner/repo.git)
Files That Should Not Be Committed
Section titled “Files That Should Not Be Committed”node_modules/dist/.lingxiao/*.db*.db-wal*.db-shm.env*.log~/.lingxiao/Rate Limiting
Section titled “Rate Limiting”- In-process self-calls (no remoteAddress) → always exempt
- Non-hardened mode localhost → exempt
- Hardened mode / non-localhost → not exempt, 429 triggers 30-second cooldown
- Local LLM Gateway per virtual key quota:
rpm/tpm/daily_token_budget
Worktree Isolation
Section titled “Worktree Isolation”Each task can run in an isolated Git worktree to avoid working directory conflicts:
lingxiao start --worktree feature-xOn exit with uncommitted changes, you will be asked whether to keep the worktree.