Security Model

How GhostyBot protects your code, credentials, and infrastructure

GhostyBot lets Claude take real actions on real systems. The security model is built around three principles: nothing runs without a human approving it, destructive patterns require an admin, and every event is logged.

Every tool call is approved in Slack

When Claude wants to run a shell command, edit a file, call an API, or use any other tool, the bridge posts a message in the Slack channel showing the exact action, with two buttons: Approve and Deny. Nothing runs until a human clicks one.

Because approvals happen in Slack, you can approve from desktop, mobile, or browser — from any device where you're signed in.

Destructive patterns require an admin

A set of known-destructive patterns is flagged as admin-only. If a non-admin clicks Approve on one, the bridge posts an ephemeral rejection listing the users who can approve it. No accidental prod deploys, no “oops I clicked the wrong button” database drops.

Current admin-only patterns

  • git push to main or master
  • git push --force anywhere
  • rm -rf against project roots
  • DROP TABLE, TRUNCATE (SQL)
  • vercel --prod, firebase deploy
  • npm publish
  • gh repo delete

Admin approval lists are configured per tenant and can be extended.
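The following is an added example written for this page, not GhostyBot's own code. It shows how the approval flow described above and the admin-only list fit together: a tool call arrives as one shell line, it is classified against the patterns on this page, and a button click is resolved into approved, denied, or admin-required while an audit row is written. The tenant config, the helper names, and the audit row shape are assumptions; the patterns mirror the list above. It goes slightly beyond the list in two practical ways: chained commands (`echo ok && git push origin main`) are split and each simple command is checked, and `sudo` is stripped before matching. One limitation is stated in the code: a bare `git push` with no refspec cannot be classified statically, because the target branch is whatever is checked out.

```python
"""Approval gate for one Slack-approved tool call.

Added example for this page, not GhostyBot's own code. Assumes a per-tenant
config with an admin list and project roots, and that each tool call arrives
as a single shell line. TENANT, helper names and the audit row are constructed.
"""
import os
import re
import shlex
from datetime import datetime, timezone

# Constructed tenant config (assumption about how a tenant's admin list is stored)
TENANT = {
    "id": "tenant_acme",
    "admins": {"U_ALICE", "U_BOB"},
    "project_roots": ["/Users/ci/work/acme-api", "/Users/ci/work/acme-web"],
}

SQL_DESTRUCTIVE = re.compile(r"\b(DROP\s+TABLE|TRUNCATE)\b", re.IGNORECASE)
SHELL_OPERATORS = {"&&", "||", ";", "|"}
AUDIT_LOG = []  # in-memory stand-in for the tenant-scoped audit table


def _segments(command):
    """Split a shell line into simple commands, so `echo ok && git push origin main`
    is inspected as two commands rather than one that starts with echo."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        tokens = list(lex)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = command.split()
    segments, current = [], []
    for tok in tokens:
        if tok in SHELL_OPERATORS:
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def _rm_hits_project_root(argv, roots, cwd):
    """True when a recursive+force rm targets a project root, an ancestor of one, or /."""
    short = "".join(t.lstrip("-") for t in argv[1:] if t.startswith("-") and not t.startswith("--"))
    longf = {t for t in argv[1:] if t.startswith("--")}
    recursive = any(c in short for c in "rR") or "--recursive" in longf
    force = "f" in short or "--force" in longf
    if not (recursive and force):
        return False
    protected = {os.path.normpath(r) for r in roots} | {"/"}
    for target in (t for t in argv[1:] if not t.startswith("-")):
        if target.endswith("*"):  # globs are not expanded here; treat `*` as its directory
            target = target[:-1] or "."
        path = os.path.normpath(os.path.join(cwd, os.path.expanduser(target)))
        if path in protected or any(r.startswith(path.rstrip("/") + "/") for r in protected):
            return True
    return False


def classify(command, cwd, roots):
    """Return the admin-only pattern the command matches, or None if a plain approval will do."""
    if SQL_DESTRUCTIVE.search(command):  # SQL may be quoted inside psql -c "...", so scan the raw line
        return "DROP TABLE / TRUNCATE"
    for argv in _segments(command):
        if argv and argv[0] == "sudo":
            argv = argv[1:]
        if not argv:
            continue
        head, rest = argv[0], argv[1:]
        if head == "git" and rest[:1] == ["push"]:
            if any(t in ("--force", "-f") for t in rest):
                return "git push --force"
            # A bare `git push` pushes the checked-out branch; that cannot be judged from the line alone.
            if any(t in ("main", "master") or t.endswith((":main", ":master")) for t in rest):
                return "git push to main/master"
        elif head == "rm" and _rm_hits_project_root(argv, roots, cwd):
            return "rm -rf against project root"
        elif head == "vercel" and "--prod" in rest:
            return "vercel --prod"
        elif argv[:2] == ["firebase", "deploy"]:
            return "firebase deploy"
        elif argv[:2] == ["npm", "publish"]:
            return "npm publish"
        elif argv[:3] == ["gh", "repo", "delete"]:
            return "gh repo delete"
    return None


def _audit(tenant, event, **fields):
    row = {"tenant_id": tenant["id"], "ts": datetime.now(timezone.utc).isoformat(),
           "event": event, **fields}
    AUDIT_LOG.append(row)
    return row


def decide(tenant, command, cwd, clicker, clicked):
    """Resolve an Approve/Deny click into denied, admin_required or approved; audit every outcome."""
    if clicked not in ("approve", "deny"):
        raise ValueError("unknown button: " + repr(clicked))
    pattern = classify(command, cwd, tenant["project_roots"])
    if clicked == "deny":
        _audit(tenant, "rejection", user=clicker, command=command)
        return {"result": "denied"}
    if pattern and clicker not in tenant["admins"]:
        _audit(tenant, "admin_only_refusal", user=clicker, command=command, pattern=pattern)
        return {"result": "admin_required", "pattern": pattern, "admins": sorted(tenant["admins"])}
    _audit(tenant, "approval", user=clicker, command=command, pattern=pattern)
    return {"result": "approved", "pattern": pattern}
```

The rm check normalizes each target against the working directory before comparing, so `rm -rf .` or `rm -rf *` run inside a project root is caught, and so is a deletion of an ancestor directory that would take the root with it. Anything the matcher cannot see through (a script file that runs the destructive command, `eval`, a subshell) is exactly why the human approval step remains in front of every call rather than only the flagged ones.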

Per-tenant isolation

Each tenant in Phase 2 runs on its own dedicated bridge machine, with its own Slack workspace, its own Claude subscription, and its own API key. The 1:1 bridge-to-tenant model means data never crosses organizational boundaries on our side.

  • One Mac per tenant — no shared infrastructure at the bridge layer
  • Per-tenant API keys, tenant-scoped database rows, tenant-scoped audit logs
  • Magic-link auth for tenant admins — no shared passwords
  • Your code and files stay on your machine — the bridge streams messages, not source

Full audit log

Every meaningful event is written to the audit log: invites issued, invites accepted, sessions created, sessions paused or resumed, approvals, rejections, admin-only refusals. Each row is tenant-scoped and time-stamped.

Tenant admins can export the log at any time for compliance review or incident investigation.

Transport & secrets

  • All bridge ↔ server traffic is carried over TLS (Supabase Realtime channels)
  • API keys are shown to the user once at setup and stored only as salted hashes on our side
  • Slack bot tokens are encrypted at rest in Supabase
  • The bridge only accepts commands for channels it owns, and each command is validated with a per-tenant HMAC
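The following is an added example for this page, not GhostyBot's own code, showing the two checks in the last two bullets in working form: the server signs each command envelope with the tenant's HMAC secret, and the bridge refuses anything addressed to a channel it does not own, anything whose MAC does not verify under its own tenant's secret (so a message signed with another tenant's key is rejected), and, as an addition the page does not describe, anything older than a freshness window. The API-key functions show the salted-hash storage from the second bullet. The envelope layout, the canonicalization, the secrets and the key format are all assumptions.

```python
"""Per-tenant HMAC on bridge commands, plus salted API-key storage.

Added example for this page, not GhostyBot's own code. Assumes the server
wraps each command in a JSON envelope, canonicalizes it, and signs it with
the tenant's secret; the bridge re-derives the MAC and checks channel
ownership. The freshness window is an addition. Secrets are constructed.
"""
import hashlib
import hmac
import json
import os
import time

# Constructed per-tenant secrets (assumption: provisioned at setup, one per tenant)
TENANT_SECRETS = {
    "tenant_acme": b"acme-hmac-secret-0123456789abcdef",
    "tenant_globex": b"globex-hmac-secret-fedcba9876543210",
}


def _canonical(envelope):
    """Deterministic bytes for signing: sorted keys, no whitespace, UTF-8."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_command(tenant_id, channel, command, secret, ts=None):
    """Server side: build the envelope and attach HMAC-SHA256 over its canonical form."""
    envelope = {
        "tenant_id": tenant_id,
        "channel": channel,
        "command": command,
        "ts": int(ts if ts is not None else time.time()),
    }
    mac = hmac.new(secret, _canonical(envelope), hashlib.sha256).hexdigest()
    return {**envelope, "mac": mac}


def verify_command(message, owned_channels, secret, now=None, max_age=300):
    """Bridge side: accept only owned channels, a valid MAC under this tenant's secret,
    and a fresh timestamp. Returns (ok, reason)."""
    if message.get("channel") not in owned_channels:
        return False, "channel not owned by this bridge"
    body = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()
    # constant-time compare: a plain == would leak how many leading bytes matched
    if not hmac.compare_digest(expected, str(message.get("mac", ""))):
        return False, "bad mac"
    now = time.time() if now is None else now
    if abs(now - int(body.get("ts", 0))) > max_age:  # only trusted after the MAC checks out
        return False, "stale"
    return True, "ok"


def hash_api_key(api_key, salt=None, iterations=100_000):
    """Store salt + PBKDF2-HMAC-SHA256 of the key; the raw key is shown to the user once."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", api_key.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def check_api_key(api_key, stored):
    """Re-derive from the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$", 2)
    digest = hashlib.pbkdf2_hmac("sha256", api_key.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Two design points worth noting. The MAC covers the tenant id and channel as well as the command, so a valid message cannot be replayed into a different channel by editing the envelope. And the bridge verifies with only its own tenant's secret, which is what makes the 1:1 bridge-to-tenant model enforceable at the message level rather than just by deployment.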

Reporting a security issue

If you find a vulnerability, email security@ghost.haus with a description and steps to reproduce. We'll acknowledge within 48 hours and keep you updated through resolution.