Ringtail

Security

The guarantee, the threat model, how to audit it yourself, and how to report a vulnerability.

Ringtail is a credentials tool, so trust is the product. This page states the one guarantee it lives or dies by, the threat model behind it, and how you can audit it yourself in a few minutes. It mirrors SECURITY.md in the repo.

The guarantee

Your coding agent orchestrates the whole flow โ€” discover โ†’ acquire โ†’ validate โ†’ provision โ†’ sync โ€” but it never sees a secret value. This is not a policy we ask you to trust; it is a structural invariant of the code, tested and CI-gated. The full mechanism is in The guarantee.

Threat model

The agent (Claude, Codex, Cursor, Gemini) is a capable but untrusted party. It runs your task, authors wizards, and triggers actions over MCP. Assume it could be compromised, prompt-injected, or simply buggy โ€” the guarantee must hold even if the agent turns hostile. Concretely, we defend against:

  • Value exfiltration via MCP โ€” a tool that returns a value would hand it straight to the agent. โ†’ No such tool exists.
  • Value leakage via the state stream โ€” the live SSE feed could echo a pasted value back. โ†’ The stream carries names + statuses only.
  • The agent intercepting the paste โ€” if the paste flowed through the agent it would see the value en route. โ†’ Paste bypasses the agent entirely.
  • Injection through agent-authored UI โ€” freeform HTML/markdown would be an injection surface. โ†’ Every payload is schema-validated; malformed is rejected.
  • Network egress / phone-home โ€” analytics could ship data off-box. โ†’ Zero telemetry. The only network targets are the local daemon and the real provider APIs.

Out of scope: an attacker with local root on your machine (they can read ~/.ringtail directly โ€” that's the OS's trust boundary, not the agent's), and the provider's own handling of the key after mint. For exactly where those keys sit and how to revoke them, see Where your root keys live; for why a root key can only ever reach its provider's own host, see The domain allowlist.

Audit it yourself

It's OSS โ€” don't trust us, read it. The whole guarantee is a small surface:

# 1. Read the enforcement (~800 lines): the MCP tool surface + the leak-guard test.
$EDITOR services/daemon/src/mcp.ts services/daemon/src/no-leak.test.ts

# 2. Run the guard. It fails loudly if any value ever reaches the agent.
bun run check:no-leak

# 3. Run the full offline lifecycle (acquire โ†’ validate โ†’ provision โ†’ sync, no cloud).
cd libs/core && bun test

If you can find a code path from a stored secret to an agent-visible message, that's a critical bug โ€” please report it.

Reporting a vulnerability

Do not open a public issue for a security report. Use GitHub's private vulnerability reporting (the repo's Security โ†’ Report a vulnerability tab), or email security@ringtailkeys.com, with steps to reproduce. We aim to acknowledge within 72 hours. Because the leak-guard is the product's spine, a confirmed break of the guarantee is treated as top severity.