GitAgent is designed for deployment in regulated environments. This page covers data handling, access controls, audit logging, and self-hosting considerations.

Data handling

What GitAgent processes

GitAgent processes:
  • The user’s input (the prompt sent to the agent)
  • Skill inputs and outputs (data passed to and returned from your skills)
  • LLM prompts and responses (sent to your configured model provider)
  • Memory contents (if memory is enabled)
GitAgent does not:
  • Send data to Lyzr’s servers unless you explicitly configure the Lyzr memory provider or LangShip telemetry
  • Store any data without explicit configuration
  • Log sensitive data unless telemetry is enabled

Data residency

GitAgent runs entirely on your infrastructure. By default:
  • No data leaves your environment
  • Model API calls go directly from your infrastructure to your chosen model provider
  • Memory is stored locally or in a database you control
If you use the Lyzr memory provider (provider: lyzr), memory data is stored in Lyzr’s cloud. For full data residency, use provider: local or a custom memory backend connected to your own database.

Access control

Filesystem access

Skills run as the same OS user as the GitAgent process. Restrict filesystem access using OS-level permissions. For tighter control, set allowed paths in agent.yaml:
tools:
  file_ops:
    allowed_paths:
      - ./data/
      - /tmp/agent-workspace/
    deny_paths:
      - /etc/
      - ~/.ssh/
      - ~/.aws/

Outbound HTTP

Restrict which URLs skills can call:
tools:
  http:
    allowed_domains:
      - api.openai.com
      - api.github.com
      - internal.example.com
    block_private_ips: true    # block calls to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Skill-level permissions

Require confirmation before executing sensitive skills:
@skill(
    name="delete_record",
    description="Delete a record from the database",
    requires_confirmation=True    # prompts user before executing
)
def delete_record(record_id: str) -> bool:
    ...

Audit logging

Enable structured audit logs for all skill calls:
audit:
  enabled: true
  path: ./logs/audit.jsonl
  include:
    - run_id
    - timestamp
    - skill_name
    - skill_input
    - skill_output
    - user_id
    - session_id
Each log entry is a JSON object:
{
  "timestamp": "2024-01-15T10:30:00Z",
  "run_id": "run-abc123",
  "session_id": "session-xyz",
  "user_id": "user-456",
  "skill_name": "send_email",
  "skill_input": {"to": "alice@example.com", "subject": "Hello"},
  "skill_output": {"sent": true, "message_id": "msg-789"},
  "duration_ms": 342
}
For long-term audit retention, forward logs to your SIEM or log management system.

PII and data redaction

Redact sensitive patterns from skill inputs/outputs before they’re logged or sent to telemetry:
redaction:
  enabled: true
  patterns:
    - name: email
      pattern: "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}\\b"
    - name: ssn
      pattern: "\\b\\d{3}-\\d{2}-\\d{4}\\b"
    - name: credit_card
      pattern: "\\b(?:\\d[ -]?){13,16}\\b"
  replacement: "[REDACTED]"
  apply_to:
    - audit_logs
    - telemetry
    - memory       # redact before writing to memory
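As an added example (not GitAgent's own code), the following applies the three redaction patterns above to an audit entry shaped like the one in the audit logging section before it is serialised to JSONL. It assumes redaction is applied only to the skill_input and skill_output fields and writes the email character class as [A-Za-z].

```python
import json
import re

# Constructed to mirror the page's redaction config; not GitAgent's implementation.
REDACTION_PATTERNS = {
    "email": r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b",
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
    "credit_card": r"\b(?:\d[ -]?){13,16}\b",
}
REPLACEMENT = "[REDACTED]"
# Assumption: only the payload fields carry user data; ids and timestamps are left intact.
REDACT_FIELDS = ("skill_input", "skill_output")

_COMPILED = [(name, re.compile(p)) for name, p in REDACTION_PATTERNS.items()]


def redact_text(text: str) -> str:
    """Apply every pattern in config order; each match becomes the replacement token."""
    for _name, rx in _COMPILED:
        text = rx.sub(REPLACEMENT, text)
    return text


def redact_value(value):
    """Walk nested dicts/lists; strings are redacted, other scalars pass through unchanged."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, dict):
        return {k: redact_value(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_value(v) for v in value]
    return value


def redact_audit_entry(entry: dict) -> dict:
    """Return a copy of the entry with the payload fields redacted; the original is untouched."""
    out = dict(entry)
    for field in REDACT_FIELDS:
        if field in out:
            out[field] = redact_value(out[field])
    return out


def to_jsonl_line(entry: dict) -> str:
    """One redacted audit record per line, as written to audit.jsonl."""
    return json.dumps(redact_audit_entry(entry), sort_keys=True)


# Constructed sample entry shaped like the page's audit record.
SAMPLE_ENTRY = {
    "timestamp": "2024-01-15T10:30:00Z",
    "run_id": "run-abc123",
    "skill_name": "send_email",
    "skill_input": {"to": "alice@example.com", "subject": "SSN 123-45-6789 on file"},
    "skill_output": {"sent": True, "message_id": "msg-789"},
}

if __name__ == "__main__":
    print(to_jsonl_line(SAMPLE_ENTRY))
```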

Input validation

Block unsafe inputs at the agent boundary using hooks:
# hooks/input_guard.py
from gitagent import hooks, HookError

BLOCKED_PATTERNS = [
    "ignore previous instructions",
    "you are now",
    "<script>",
    "DROP TABLE",
]

@hooks.before_run
def block_prompt_injection(context):
    lower = context.input.lower()
    for pattern in BLOCKED_PATTERNS:
        if pattern.lower() in lower:
            raise HookError("Input blocked by security policy")

Environment secrets

Never put secrets directly in agent.yaml. Use environment variables:
# agent.yaml — safe
model:
  api_key: ${OPENAI_API_KEY}

tools:
  web_search:
    api_key: ${SERPER_API_KEY}
For production deployments, use a secrets manager (AWS Secrets Manager, HashiCorp Vault, Kubernetes Secrets) to inject environment variables rather than .env files.

Self-hosting checklist

For production self-hosted deployments:
  • Run GitAgent as a dedicated non-root OS user
  • Set tools.http.block_private_ips: true to prevent SSRF
  • Configure tools.file_ops.allowed_paths to restrict filesystem access
  • Enable audit logging with audit.enabled: true
  • Use a secrets manager for API keys
  • Enable telemetry to a self-hosted LangShip instance for observability
  • Set execution.timeout to bound maximum run time
  • Set execution.max_iterations to bound the agent loop
  • Disable code_exec unless explicitly needed