
Data egress & security

crab’d runs in your CI with access to the checked-out repo and a forge token.

  • Repo content → the model provider. Prompts (diffs, file contents, comments) go to the provider behind your chosen model. This is the main egress path.
  • Forge API calls. Comments, reviews, commits, and PRs, authenticated as crab’d’s identity.
  • MCP servers. If configured, the agent may send data to them.
  • Web search. When web_search.enabled is true (the default), the agent’s search queries go to the search provider (Tavily or DuckDuckGo). Set web_search.enabled: false to disable.

Provider and forge credentials are read from the environment and never written to logs, config, or comments.

crab’d only acts for allowlisted author-associations, and never for bots (which prevents comment loops):

.crabd.yml
permissions:
  allowed_associations: [OWNER, MEMBER, COLLABORATOR]

An unauthorized actor’s mention is ignored before any model call.

The provider allowlist is the core egress guardrail. It is empty by default (any provider allowed) so crab’d works with zero config — set it to restrict. Once set, a model whose provider isn’t listed fails the run before anything is sent:

.crabd.yml
providers:
  allowlist: [anthropic]

Route approved providers through your own proxy with the egress gateway for centralized logging or filtering.

A repo can otherwise set its own providers.allowlist. Lock it in the org config so no repo can route code to an unapproved provider or a custom URL:

<owner>/.crabd-config/.crabd.yml
providers:
  allowlist: [anthropic]
  gateway_url: https://gateway.example.com
governance:
  locked: [providers.allowlist, providers.custom, providers.gateway_url]

Locked keys can’t be overridden by the repo file, CI inputs, or env. See Config layering & governance.

The agent edits code in a local sandbox rooted at the checked-out repo. Its shell and tools get an empty env allowlist by default, so no host secrets leak into the model’s bash tool. Expose specific vars only when a task needs them (via CRABD_SANDBOX_ENV).

  • Org .crabd.yml sets and locks providers.allowlist.
  • permissions.allowed_associations restricted to trusted roles.
  • Full prompt override disabled except for named repos (governance.full_override_repos).
  • Provider keys and forge credentials in secrets, never in .crabd.yml.
  • Optional: route providers through an egress gateway_url.
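
The checklist above as an automated check, written as an added example that is not part of crab’d or its documentation. It assumes the org .crabd.yml has already been parsed into a dict by a YAML loader; audit_org_config, the trusted-role set, and the sample dicts (including the api_key field) are constructed for illustration.

```python
# Added example: audit a parsed org-level .crabd.yml against the checklist above.
# Key names come from this page; audit_org_config and the samples are hypothetical.
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}  # assumption: roles from the page's example
MUST_LOCK = {"providers.allowlist", "providers.custom", "providers.gateway_url"}
SECRET_HINTS = ("key", "token", "secret", "password")

def _walk(node, path=""):
    """Yield (dotted_path, value) for every leaf in a nested mapping."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}.{k}" if path else str(k))
    else:
        yield path, node

def audit_org_config(cfg):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    providers = cfg.get("providers") or {}
    if not providers.get("allowlist"):
        findings.append("providers.allowlist is empty: any provider is allowed")
    locked = set((cfg.get("governance") or {}).get("locked") or [])
    for key in sorted(MUST_LOCK - locked):
        findings.append(f"{key} is not locked: a repo can override it")
    assoc = set((cfg.get("permissions") or {}).get("allowed_associations") or [])
    if not assoc:
        findings.append("permissions.allowed_associations is not set explicitly")
    for role in sorted(assoc - TRUSTED):
        findings.append(f"untrusted association allowed: {role}")
    gateway = providers.get("gateway_url")
    if gateway and not str(gateway).startswith("https://"):
        findings.append("providers.gateway_url is not https")
    for path, value in _walk(cfg):
        leaf = path.rsplit(".", 1)[-1].lower()
        if isinstance(value, str) and any(h in leaf for h in SECRET_HINTS):
            findings.append(f"possible credential in config at {path}")
    return findings

# Constructed samples: the page's org config, and a weak variant.
HARDENED = {
    "providers": {"allowlist": ["anthropic"], "gateway_url": "https://gateway.example.com"},
    "permissions": {"allowed_associations": ["OWNER", "MEMBER", "COLLABORATOR"]},
    "governance": {"locked": sorted(MUST_LOCK)},
}
WEAK = {
    "providers": {"allowlist": [], "api_key": "constructed-not-a-real-key"},
    "permissions": {"allowed_associations": ["OWNER", "CONTRIBUTOR"]},
    "governance": {"locked": ["providers.allowlist"]},
}
```

Run it in the CI job that owns the org config repo and fail the job when the returned list is non-empty.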