Public security notes
Security
agent-render is a static artifact viewer. Its core host boundary is simple: artifact data lives in the URL fragment, so the static host does not receive it as part of the initial page request.
What reaches the server
- Static mode sends HTML, CSS, and JavaScript to the browser. Artifact payloads are not sent to the static host as part of the initial page request.
- Fragment payloads stay out of the HTTP request path, query string, and request body for the static host.
- The server can still receive normal static asset requests, IP address, user agent, referrer headers, and access logs from the hosting layer.
What can still leak
- agent-render is zero-retention by host design. It is not a secret manager.
- Artifact contents can still leak through copied URLs, browser history, bookmarks, screenshots, screen sharing, crash reports, extensions, referrer behavior, and future client-side analytics if someone adds them.
- Do not put secrets, credentials, private keys, production tokens, or regulated data in artifact links.
Markdown and Mermaid
- Markdown artifacts are rendered as GitHub-flavored Markdown and passed through rehype-sanitize before display.
- React Markdown is configured with skipHtml, so raw HTML embedded in Markdown is skipped instead of rendered.
- Mermaid diagrams are only rendered from fenced mermaid code blocks. Mermaid runs with securityLevel: "strict" and falls back to showing source text if rendering fails.
CSP and security headers
- The default static export does not require a runtime server. Configure Content-Security-Policy and other security headers at your static host or CDN.
- Recommended headers include a restrictive Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, Permissions-Policy, and HSTS when served over HTTPS.
- If you loosen CSP for a custom deployment, review Markdown, Mermaid, fonts, images, and script sources together before publishing.
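As an added example (not agent-render's own code), the following JavaScript audits a static host's response headers against the recommended list above. The function names, the sample header set, and the thresholds for what counts as restrictive are assumptions of this example.

```javascript
// Added example; what counts as "restrictive" is this example's assumption, not project policy.
const STRICT_REFERRER = new Set(["no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"]);

// Parse a CSP value into directive -> sources; the first duplicate directive wins.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.toLowerCase().split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

function auditSecurityHeaders(rawHeaders, { https = true } = {}) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = new Map(Object.entries(rawHeaders)
    .map(([k, v]) => [k.toLowerCase(), String(v).trim()]));
  const findings = [];
  const csp = h.get("content-security-policy");
  if (!csp) findings.push("missing Content-Security-Policy");
  else {
    const d = parseCsp(csp);
    const script = d.get("script-src") ?? d.get("default-src"); // CSP fallback rule
    if (!script) findings.push("CSP sets neither script-src nor default-src");
    else {
      // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
      const pinned = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
      if (script.includes("'unsafe-inline'") && !pinned) findings.push("CSP allows inline scripts");
      if (script.includes("'unsafe-eval'")) findings.push("CSP allows eval");
      if (script.includes("*")) findings.push("CSP allows scripts from any origin");
    }
  }
  // A comma-separated Referrer-Policy lists fallbacks; the last value applies.
  const referrer = (h.get("referrer-policy") ?? "").toLowerCase().split(",").pop().trim();
  if (!STRICT_REFERRER.has(referrer)) findings.push("Referrer-Policy missing or permissive");
  if ((h.get("x-content-type-options") ?? "").toLowerCase() !== "nosniff")
    findings.push("X-Content-Type-Options is not nosniff");
  if (!h.has("permissions-policy")) findings.push("missing Permissions-Policy");
  const maxAge = /max-age="?(\d+)/i.exec(h.get("strict-transport-security") ?? "");
  if (https && !(maxAge && Number(maxAge[1]) > 0)) findings.push("HSTS missing or max-age is 0");
  return findings;
}

// Constructed sample of a loosened deployment, not taken from any real host.
const LOOSENED = {
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *",
  "referrer-policy": "unsafe-url",
  "strict-transport-security": "max-age=0",
};
console.log(auditSecurityHeaders(LOOSENED));
```

Pass `{ https: false }` as the second argument to skip the HSTS check for a plain-HTTP local preview.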
Known limitations
- URL fragments are client-side, but they are still visible to the browser, local machine, extensions, and anyone who receives the link.
- Self-hosted UUID mode is a different deployment mode and stores payloads server-side by design.
- The viewer treats payloads as untrusted input, but the safest policy is to keep sensitive material out of links entirely.
Reports
Security contact
Report security issues through the GitHub repository. Use a private vulnerability report when available; otherwise open a minimal issue asking for a private contact path and do not include exploit details in public.
Open a private GitHub security advisory