Data egress & security
crab’d runs in your CI with access to the checked-out repo and a forge token.
What leaves the runner
Section titled “What leaves the runner”- Repo content → the model provider. Prompts (diffs, file contents, comments) go to the provider
behind your chosen
model. This is the main egress path. - Forge API calls. Comments, reviews, commits, and PRs, authenticated as crab’d’s identity.
- MCP servers. If configured, the agent may send data to them.
- Web search. When
web_search.enabled(default), the agent’s search queries go to the search provider (Tavily or DuckDuckGo). Setweb_search.enabled: falseto disable.
Provider and forge credentials are read from the environment and never written to logs, config, or comments.
Control who can trigger
Section titled “Control who can trigger”crab’d only acts for allowlisted author-associations, and never for bots (which prevents comment loops):
permissions: allowed_associations: [OWNER, MEMBER, COLLABORATOR]An unauthorized actor’s mention is ignored before any model call.
Control which providers see your code
Section titled “Control which providers see your code”The provider allowlist is the core egress guardrail. It is empty by default (any provider allowed) so crab’d works with zero config — set it to restrict. Once set, a model whose provider isn’t listed fails the run before anything is sent:
providers: allowlist: [anthropic]Route approved providers through your own proxy with the egress gateway for centralized logging or filtering.
Lock it at the org level
Section titled “Lock it at the org level”A repo can otherwise set its own providers.allowlist. Lock it in the org config so no repo can route
code to an unapproved provider or a custom URL:
providers: allowlist: [anthropic] gateway_url: https://gateway.example.comgovernance: locked: [providers.allowlist, providers.custom, providers.gateway_url]Locked keys can’t be overridden by the repo file, CI inputs, or env. See Config layering & governance.
The sandbox
Section titled “The sandbox”The agent edits code in a local sandbox rooted at the checked-out repo. Its shell/tools get an
empty env allowlist by default, no host secrets leak into the model’s bash tool. Expose specific
vars only when a task needs them (via CRABD_SANDBOX_ENV).
Checklist for a locked-down org
Section titled “Checklist for a locked-down org”- Org
.crabd.ymlsets and locksproviders.allowlist. -
permissions.allowed_associationsrestricted to trusted roles. - Full prompt override disabled except for named repos (
governance.full_override_repos). - Provider keys and forge credentials in secrets, never in
.crabd.yml. - Optional: route providers through an egress
gateway_url.
