docs/user-guide/reference/security
Security Guide reference
Comprehensive security guidelines for using Babysitter in development and production environments. This guide covers best practices for handling code, credentials, and network security.
Continue reading
Nearby pages in the same section.
Security Guide
**Version:** 1.0 **Last Updated:** 2026-01-31
Comprehensive security guidelines for using Babysitter in development and production environments. This guide covers best practices for handling code, credentials, and network security.
---
Table of Contents
- Production Setup - Authentication Configuration
- Environment Variables - Breakpoints for Sensitive Operations - Journal File Review
- Reviewing Generated Code - Security Test Coverage - Security Scanning
- Overview
- General Security
- Credential Management
- Code Review Security
- Network Security
- Compliance Considerations
- Related Documentation
---
Overview
Babysitter handles code generation, execution, and may interact with credentials during workflows. Following proper security practices ensures that:
- Sensitive data is not exposed in logs or version control
- Production systems are protected through approval gates
- Network services are properly secured
- Audit trails are maintained for compliance
---
General Security
Best Practices
**DO:**
- Review all code changes before final approval
- Use breakpoints before deploying to production
- Keep
.a5c/directories out of version control (add to.gitignore) - Regularly update to latest versions
- Run with least privilege necessary
**DON'T:**
- Commit
.a5c/directories with sensitive data - Run untrusted process definitions without review
- Store credentials in journal files
.gitignore Configuration
Ensure your .gitignore includes:
# Babysitter run data
.a5c/
# Environment files with secrets
.env
.env.local
.env.*.local
# Credentials
*.pem
*.key
credentials.json---
Credential Management
Environment Variables
Use environment variables for secrets (recommended):
// In process definition
const apiKey = process.env.API_KEY;
await ctx.task(deployTask, { apiKey });**Never hardcode credentials:**
// BAD - Don't do this!
const apiKey = "sk-1234567890abcdef";
// GOOD - Use environment variables
const apiKey = process.env.API_KEY;Breakpoints for Sensitive Operations
Use breakpoints to require human approval for sensitive operations:
await ctx.breakpoint({
question: 'Deploy with production credentials?',
title: 'Production Deployment',
context: { environment: 'production', critical: true }
});Journal File Review
Review journal files before sharing to ensure no secrets were leaked:
# Check for leaked secrets
grep -i "password\|secret\|key\|token" .a5c/runs/*/journal/journal.jsonl**Security tip:** Always set BABYSITTER_ALLOW_SECRET_LOGS=false in production to prevent sensitive data from appearing in logs.
---
Code Review Security
Reviewing Generated Code
Before approving breakpoints, review generated code for security issues:
- **SQL injection vulnerabilities** - Ensure parameterized queries are used
- **XSS vulnerabilities** - Check for proper output encoding
- **Insecure dependencies** - Review any new package additions
- **Hardcoded secrets** - Scan for API keys, passwords, tokens
Security Test Coverage
Check test coverage for security-related tests:
- Authentication tests
- Authorization tests
- Input validation tests
- Error handling tests
Security Scanning
Run security scans before approval:
const security = await ctx.task(securityScanTask, {
tools: ['npm audit', 'eslint-plugin-security']
});**Recommended security tools:**
| Tool | Purpose |
|---|---|
npm audit | Dependency vulnerability scanning |
eslint-plugin-security | Static analysis for security issues |
snyk | Comprehensive vulnerability detection |
semgrep | Code pattern matching for security |
---
Network Security
For Distributed Teams
1. **Use VPN** for secure access 2. **Implement authentication** on all services 3. **Use HTTPS** for all external connections 4. **Audit access logs** regularly
Network Configuration Checklist
| Requirement | Implementation |
|---|---|
| Local-only binding | --host 127.0.0.1 |
| Access logging | Review service logs |
| Firewall rules | Restrict to known IPs/VPN |
---
Compliance Considerations
For Regulated Environments
Babysitter provides several features that support compliance requirements:
| Requirement | Babysitter Feature |
|---|---|
| **Audit trail** | Journal provides complete event history |
| **Approval gates** | Breakpoints create approval records |
| **Access control** | Limit who can approve production deployments |
| **Data retention** | Define policy for old run cleanup |
| **Encryption** | Encrypt .a5c/ directories if needed |
Audit Trail
Every action in Babysitter is logged in the journal:
# View complete event history for a run
cat .a5c/runs/<runId>/journal/journal.jsonl | jq .
# Filter for approval events
jq 'select(.type=="BREAKPOINT_RELEASED")' .a5c/runs/*/journal/journal.jsonlData Retention Policy
Implement a cleanup policy for old runs:
# Example: Remove runs older than 30 days
find .a5c/runs -maxdepth 1 -type d -mtime +30 -exec rm -rf {} \;Encryption at Rest
For sensitive environments, encrypt the .a5c/ directory:
# Using encrypted filesystem
# Mount encrypted volume at .a5c/
# Or use encryption tools
gpg --symmetric --cipher-algo AES256 .a5c/runs/sensitive-run/journal/journal.jsonl---
Related Documentation
- Configuration Reference - Environment variables and settings
- CLI Reference - Command-line options
- Troubleshooting - Common issues and solutions
- Glossary - Term definitions