Security model

Voss is local-first and repo-scoped. The security model is built around explicit boundaries.

Boundaries

Boundary	Purpose
Permission modes	Separate read-only planning from editing and automation
Cwd jail	Keep file access rooted in the selected repository
Edit scope	Limit writes during `voss edit`
Tool classification	Distinguish read-only and mutating tools
Diff preview	Show file changes before risky approvals
Shell allowlist	Limit command execution
Session redaction	Avoid storing provider credentials
Project memory	Keep `VOSS.md` and `.voss/memory` local to the repo
TUI modals	Route permission and scope decisions through explicit review screens

voss edit grants write access only to explicit targets and relevant existing tests. Other writes require approval after a diff preview.

Shell execution is mutating and potentially risky. It is denied in edit mode and remains subject to lower-level allowlist behavior in broader modes.

Voss sessions must not store provider credentials or API keys.

Do not paste secrets into prompts. Treat user-provided prompt text as session content.

The goal is not to make AI work risk-free. The goal is to make risk visible, bounded, and reviewable before it changes your repo.

⌘I