# Enterprise & Security

KCode includes enterprise-grade security features for organizations that need managed deployments, audit trails, and policy enforcement.

## Managed Policies

Administrators can deploy policy files that enforce organization-wide settings. Users cannot override locked settings via CLI flags, environment variables, or config files.
### Policy File Locations

| Path | Priority |
|---|---|
| `/etc/kcode/policy.json` | Highest (system-wide) |
| `~/.kcode/managed-settings.json` | User-level managed policy |
### Policy Schema

```json
{
  "locked": {
    "model": "mnemo:mark5-nano",
    "permissionMode": "ask",
    "maxBudgetUsd": 10
  },
  "allowedModels": ["mnemo:*", "llama-*"],
  "blockedModels": ["gpt-*"],
  "disallowedTools": ["Bash", "Agent"],
  "allowedTools": ["Read", "Glob", "Grep", "Edit"],
  "disableWebAccess": true,
  "auditLog": true,
  "orgId": "acme-corp",
  "permissionRules": [
    { "pattern": "Bash(rm -rf *)", "action": "deny" },
    { "pattern": "Edit(/etc/**)", "action": "deny" }
  ],
  "maxBudgetUsd": 5.0
}
```

### What Can Be Locked
- `model` — Force a specific model; users cannot switch via `-m`
- `permissionMode` — Lock permission mode; the `-p` flag is ignored
- `apiBase` / `apiKey` — Lock API endpoint; env vars cannot override
- `maxBudgetUsd` — Hard budget cap per session
### Model Restrictions

- `allowedModels` — Glob patterns for permitted models (e.g., `mnemo:*`)
- `blockedModels` — Glob patterns for denied models (takes precedence over `allowedModels`)
- Primary, fallback, and tertiary models are all validated against restrictions
- Matching is case-insensitive
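The two rules above (a locked setting beats every user-controlled source; `blockedModels` beats `allowedModels`, case-insensitively, for every model in the chain) are small enough to show end to end. The block below is an added example, not KCode's own implementation: the function names, the `Policy` shape, the precedence order among CLI flags, environment and config file, and the treatment of an absent allow list as "allow everything not blocked" are all assumptions.

```typescript
// Added example (not KCode's own code): locked-setting resolution and
// allowed/blocked model glob matching as described in the policy docs.
// Function names, the Policy shape and the user-source precedence order
// are assumptions.

type LockedSettings = {
  model?: string;
  permissionMode?: string;
  apiBase?: string;
  apiKey?: string;
  maxBudgetUsd?: number;
};

type Policy = {
  locked?: LockedSettings;
  allowedModels?: string[];
  blockedModels?: string[];
};

// User-controlled sources, highest priority first (assumed order).
type UserSources = {
  cliFlags?: Partial<LockedSettings>;
  env?: Partial<LockedSettings>;
  configFile?: Partial<LockedSettings>;
};

// A locked value always wins; only when nothing is locked do we fall
// through the user sources.
export function resolveSetting<K extends keyof LockedSettings>(
  key: K,
  policy: Policy,
  user: UserSources,
): LockedSettings[K] | undefined {
  const locked = policy.locked?.[key];
  if (locked !== undefined) return locked;
  return user.cliFlags?.[key] ?? user.env?.[key] ?? user.configFile?.[key];
}

// Minimal glob: "*" matches any run of characters, everything else is
// literal. The "i" flag gives the case-insensitive matching the docs state.
function globToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${escaped}$`, "i");
}

// blockedModels takes precedence over allowedModels. An absent or empty
// allow list permits anything that is not blocked (assumption).
export function isModelAllowed(model: string, policy: Policy): boolean {
  const blocked = (policy.blockedModels ?? []).some((p) => globToRegExp(p).test(model));
  if (blocked) return false;
  const allow = policy.allowedModels ?? [];
  if (allow.length === 0) return true;
  return allow.some((p) => globToRegExp(p).test(model));
}

// Primary, fallback and tertiary models are all validated. Returns the
// names that violate the policy so the caller can refuse to start rather
// than silently fall back to a disallowed model.
export function validateModelChain(
  chain: { primary: string; fallback?: string; tertiary?: string },
  policy: Policy,
): string[] {
  return [chain.primary, chain.fallback, chain.tertiary]
    .filter((m): m is string => typeof m === "string")
    .filter((m) => !isModelAllowed(m, policy));
}
```

The important property is that `resolveSetting` consults the policy before any user source, so a `-m gpt-4o` flag or an `apiBase` environment variable can never reach the point where it would take effect; and `validateModelChain` checks the fallback and tertiary models too, because a routing switch to an unchecked fallback would otherwise be a quiet policy bypass.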
## Audit Logging

When `auditLog: true` is set in a managed policy, KCode writes structured audit entries to a SQLite database.
### Tracked Events

| Event Type | Description |
|---|---|
| `tool_execute` | Every tool execution with status and timing |
| `tool_blocked` | Tool blocked by policy |
| `permission_denied` | User denied a permission prompt |
| `permission_granted` | User approved a permission prompt |
| `model_switch` | When model routing switches models |
| `session_start` / `session_end` | Session lifecycle |
| `policy_violation` | Attempted policy bypass |
| `security_event` | Security-relevant actions |
### Audit Entry Fields

Each entry records: timestamp, event type, tool name, action, status, reason, model, session ID, org ID, input summary (truncated to 200 chars), cost, token count, and duration.
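What a reviewer does with those fields is roll them up per session and look first at sessions that show policy violations, blocked tools, or spending past the budget cap. The following is an added example, not part of KCode: the `AuditEntry` property names mirror the field list above but are assumed, and the entries in `SAMPLE_ENTRIES` are constructed samples rather than real log output.

```typescript
// Added example (not KCode's own code): per-session triage of audit
// entries. Field names are assumed to mirror the documented field list;
// the sample entries are constructed, not captured.

type AuditEntry = {
  timestamp: string;      // ISO 8601
  eventType: string;
  toolName?: string;
  action?: string;
  status?: string;
  reason?: string;
  model?: string;
  sessionId: string;
  orgId?: string;
  inputSummary?: string;  // already truncated to 200 chars by the logger
  costUsd?: number;
  tokens?: number;
  durationMs?: number;
};

// Constructed sample data: one session that trips policy checks, one that
// simply overspends.
export const SAMPLE_ENTRIES: AuditEntry[] = [
  { timestamp: "2024-01-01T10:00:00Z", eventType: "session_start", sessionId: "s1", orgId: "acme-corp" },
  { timestamp: "2024-01-01T10:00:05Z", eventType: "tool_execute", toolName: "Read", status: "ok", sessionId: "s1", costUsd: 0.01, durationMs: 120 },
  { timestamp: "2024-01-01T10:00:09Z", eventType: "tool_blocked", toolName: "Bash", reason: "disallowedTools", sessionId: "s1", inputSummary: "rm -rf /tmp/build" },
  { timestamp: "2024-01-01T10:00:12Z", eventType: "policy_violation", reason: "attempted to override locked model via -m", sessionId: "s1", inputSummary: "-m gpt-4o" },
  { timestamp: "2024-01-01T10:00:20Z", eventType: "tool_execute", toolName: "Edit", status: "ok", sessionId: "s1", costUsd: 0.04 },
  { timestamp: "2024-01-01T11:00:00Z", eventType: "session_start", sessionId: "s2", orgId: "acme-corp" },
  { timestamp: "2024-01-01T11:00:03Z", eventType: "tool_execute", toolName: "Grep", status: "ok", sessionId: "s2", costUsd: 0.02 },
  { timestamp: "2024-01-01T11:00:30Z", eventType: "tool_execute", toolName: "Edit", status: "ok", sessionId: "s2", costUsd: 6.5 },
];

export type SessionSummary = {
  sessionId: string;
  violations: number;
  blockedTools: number;
  costUsd: number;
  flags: string[];
};

// Aggregate per session and attach review flags: any policy_violation,
// tool_blocked count at or above a threshold, or total cost above the
// policy's maxBudgetUsd. Most-flagged sessions are returned first.
export function summarizeSessions(
  entries: AuditEntry[],
  opts: { maxBudgetUsd: number; blockedThreshold?: number },
): SessionSummary[] {
  const threshold = opts.blockedThreshold ?? 1;
  const bySession = new Map<string, SessionSummary>();
  for (const e of entries) {
    let s = bySession.get(e.sessionId);
    if (!s) {
      s = { sessionId: e.sessionId, violations: 0, blockedTools: 0, costUsd: 0, flags: [] };
      bySession.set(e.sessionId, s);
    }
    if (e.eventType === "policy_violation") s.violations += 1;
    if (e.eventType === "tool_blocked") s.blockedTools += 1;
    s.costUsd += e.costUsd ?? 0;
  }
  const summaries = Array.from(bySession.values());
  summaries.forEach((s) => {
    if (s.violations > 0) s.flags.push("policy_violation");
    if (s.blockedTools >= threshold) s.flags.push("blocked_tools");
    if (s.costUsd > opts.maxBudgetUsd) s.flags.push("over_budget");
  });
  return summaries.sort((a, b) => b.flags.length - a.flags.length);
}
```

Feed it the rows returned by the audit query API (mapped onto `AuditEntry`) and a `maxBudgetUsd` taken from the deployed policy; the `inputSummary` on flagged rows is usually enough to see what was attempted without opening the full session transcript.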
### Querying Audit Logs

```typescript
import { getAuditEntries } from "./core/audit-logger";

// Recent entries
const recent = getAuditEntries({ limit: 50 });

// Filter by type
const violations = getAuditEntries({ eventType: "policy_violation" });

// Filter by session
const session = getAuditEntries({ sessionId: "abc-123" });
```

## Security Hardening
### SSRF Protection (WebFetch)

WebFetch blocks requests to internal/private networks:

- Localhost and loopback addresses (`127.0.0.0/8`, `::1`)
- Private ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`)
- Link-local (`169.254.0.0/16`) and cloud metadata endpoints
- IPv4-mapped IPv6 addresses (`::ffff:127.0.0.1`)
- Manual redirect following with SSRF re-validation on each hop
### Protected Directories

Write operations are blocked for system directories regardless of permission mode:

- System: `/etc`, `/usr`, `/bin`, `/sbin`, `/lib`, `/boot`, `/proc`, `/sys`, `/dev`
- Home dotfiles: `~/.ssh`, `~/.gnupg`, `~/.aws`, `~/.kube`, `~/.docker`
- Sensitive files: `.env`, `.env.local`, `.env.production`, `.gitconfig`, `.netrc`
- Symlink resolution prevents directory traversal attacks
### MCP Tool Permissions

Per-server tool restrictions with glob matching:

```json
{
  "mcpServers": {
    "db-server": {
      "command": "npx",
      "args": ["db-mcp-server"],
      "allowedTools": ["query_*", "list_*"],
      "blockedTools": ["drop_*", "delete_*"]
    }
  }
}
```

### Webhook Hook Security
HTTP hooks include:

- Private IP/SSRF blocking (same rules as WebFetch)
- HTTPS requirement when using `auth` (Bearer tokens)
- URL protocol validation (only `http://` and `https://`)
- Request timeouts (default 10s)
- Response body size limits (64KB)
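Both the WebFetch SSRF rules above and the hook URL rules in this section reduce to one address classifier plus a thin URL policy on top, so one added example covers both passages. This is not KCode's code: the function names are assumptions, the address ranges are the ones listed on this page, and DNS resolution is deliberately left to the caller, which must run `isForbiddenAddress()` on every resolved address and again on each redirect hop (the manual redirect following described above). Node's `URL` serializes IPv4-mapped literals in hex form (`::ffff:7f00:1`), so the classifier accepts both spellings.

```typescript
// Added example (not KCode's own code): SSRF address classification shared
// by WebFetch and HTTP hooks, plus the hook-specific URL rules. Names are
// assumptions; the blocked ranges are those documented above.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number.
function parseIPv4(s: string): number | undefined {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return undefined;
  const parts = m.slice(1).map(Number);
  if (parts.some((p) => p > 255)) return undefined;
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function inCidr(ip: number, cidr: string): boolean {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const baseNum = parseIPv4(base)!;
  return ((ip & mask) >>> 0) === ((baseNum & mask) >>> 0);
}

const FORBIDDEN_V4 = [
  "127.0.0.0/8",    // loopback
  "10.0.0.0/8",     // private
  "172.16.0.0/12",  // private
  "192.168.0.0/16", // private
  "169.254.0.0/16", // link-local; also covers the 169.254.169.254 cloud metadata endpoint
];

// Convert the two hextets of a hex-form mapped address (::ffff:7f00:1)
// back to dotted quad so one IPv4 code path handles both spellings.
function hextetsToDotted(hi: string, lo: string): string {
  const h = parseInt(hi, 16);
  const l = parseInt(lo, 16);
  return `${h >> 8}.${h & 255}.${l >> 8}.${l & 255}`;
}

// Returns the reason an address must not be fetched, or undefined if it is
// acceptable. Hostnames return undefined: resolve them first, then re-run
// this on each resolved address and on every redirect target.
export function isForbiddenAddress(addr: string): string | undefined {
  let a = addr.trim().toLowerCase();
  if (a.startsWith("[") && a.endsWith("]")) a = a.slice(1, -1);
  if (a === "::1" || a === "0:0:0:0:0:0:0:1") return "IPv6 loopback";
  const mapped = /^(?:0:0:0:0:0:ffff|::ffff):(.+)$/.exec(a);
  if (mapped) {
    const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(mapped[1]);
    a = hex ? hextetsToDotted(hex[1], hex[2]) : mapped[1];
  }
  const v4 = parseIPv4(a);
  if (v4 === undefined) return undefined;
  for (const cidr of FORBIDDEN_V4) {
    if (inCidr(v4, cidr)) return `address in blocked range ${cidr}`;
  }
  return undefined;
}

function parseUrl(s: string): URL | undefined {
  try {
    return new URL(s);
  } catch (_err) {
    return undefined;
  }
}

// Hook URL policy: only http(s); https is mandatory when an auth header
// will be sent; an IP-literal host must pass the SSRF check. Timeouts and
// the response size cap are enforced at request time, not here.
export function validateHookUrl(url: string, hasAuth: boolean): { ok: boolean; reason?: string } {
  const u = parseUrl(url);
  if (!u) return { ok: false, reason: "unparseable URL" };
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: `protocol ${u.protocol} not allowed` };
  }
  if (hasAuth && u.protocol !== "https:") {
    return { ok: false, reason: "auth requires https" };
  }
  const forbidden = isForbiddenAddress(u.hostname);
  if (forbidden) return { ok: false, reason: forbidden };
  return { ok: true };
}
```

The reason the classifier takes resolved addresses rather than trusting the hostname is the redirect bullet above: a public hostname can answer with a 3xx to a link-local or loopback target, so the same check has to run on what each hop actually resolves to, not only on the URL the user typed.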
### Bash Safety Analysis

Commands are analyzed before execution for:

- Destructive operations (`rm -rf`, `git reset --hard`, `chmod 777`)
- Command injection patterns (pipe-to-shell, backtick injection, quote desync)
- Secrets in arguments
- Network-affecting commands
- Dangerous redirections