Security And Privacy
Anode is powerful because it can read your workspace, run tools, and call model providers. Treat it like a capable local developer process: configure the providers and tools you trust, review risky actions, and keep sensitive workspaces scoped.
What Leaves Your Machine
Section titled “What Leaves Your Machine”Anode sends conversation context, selected repository context, tool results, and
your prompt to the active model provider. The exact provider depends on the
selected provider/model, profile defaults, or TUI model picker state.
These tools can also contact external services:
| Surface | External Contact |
|---|---|
web_search | Search provider or fallback search endpoint. The only external-fetch primitive; raw page bodies use bash + curl under the same network policy. |
oracle and code_review | A model-backed read-only subagent |
| MCP tools | Whatever server you configured |
| Toolbox and plugin tools | Whatever the executable itself does |
Use a read-only profile such as review, find, or oracle when you want the
model to investigate without edit or shell tools.
What Stays Local
Section titled “What Stays Local”Local state includes:
- config files under
~/.config/anode; - session and run history under
~/.config/anode/sessionsunless configured otherwise; - repo index cache under
~/.cache/anode/indexes; - project memory under
~/.config/anode/memory; - daemon run lists in daemon memory;
- workspace files changed by tools.
Session history can contain prompts, assistant output, file paths, command output, and tool results. Do not copy session stores into tickets or public repos without reviewing them first.
Permissions
Section titled “Permissions”Every tool has a permission level. Read-only tools run automatically. File mutations and shell commands are gated by approval mode and permission policy.
| Approval Mode | Use |
|---|---|
ask | Headless default. Ask before confirmation-gated tools. |
auto | TUI default. Auto-approve safe-looking shell calls, still protect writes and destructive commands. |
unrestricted | Skip confirmation. Use only in disposable workspaces. |
For automation, prefer --allow-tool, a read-only profile, and explicit
permission rules over --approval unrestricted. yolo is an alias for
unrestricted.
Example:
anode -x \ --profile review \ --allow-tool read \ --allow-tool grep \ --allow-tool glob \ "review the current diff for risky behavior"Workspace Trust
Section titled “Workspace Trust”Workspace files can affect Anode in several ways:
| File | Risk Control |
|---|---|
AGENTS.md | Instructions are loaded as context, not executed. Read them like project policy. |
.agents/permissions.json | Project permission rules. Review before trusting an unfamiliar repo. |
.mcp.json and anode.json MCP servers | Require explicit MCP trust unless workspace MCP is enabled. |
.lsp.json | Starts language servers for matching file types. |
.anode/hooks.json or hooks.json | Shell hooks can run commands on lifecycle events. |
| Skill directories | Skills can add instructions and, when enabled, skill-local MCP servers. |
Run inspection commands before enabling an unfamiliar project:
anode permissions listanode mcp doctoranode hooks doctoranode tools list --profile reviewSuccessful checks end with MCP doctor passed. and Hook diagnostics passed..
Web And Network Guards
Section titled “Web And Network Guards”web_search domain filters reject localhost and private network targets to
reduce accidental SSRF-style access. The same network policy applies when
agents fall back to bash + curl for raw page bodies. You can additionally
block hosts in config:
{ "web": { "blockedHosts": ["*.internal.example.com"], "enabled": true }}Set ANODE_WEB_ENABLED=false or "web": {"enabled": false} when web access
should not be available.
Secrets
Section titled “Secrets”Provider keys can come from environment variables, config references such as
"{env:ANTHROPIC_API_KEY}", or auth stores. Prefer environment references over
literal secrets in config files.
Avoid pasting secrets into prompts. If a tool result contains a secret, it may be sent back to the active model as context in the next turn.
Safe Operating Habits
Section titled “Safe Operating Habits”- Use
review,find, ororaclefor audits and discovery. - Use
--allow-toolfor scripts and CI. - Keep
unrestrictedapproval for throwaway sandboxes. - Review MCP, toolbox, plugin, and hook config before trusting a repository.
- Use
anode debug bundleonly when you are comfortable sharing the included config and optional thread data.
Keep going: