-
-
Notifications
You must be signed in to change notification settings - Fork 1
Security Implementation
RenzMc edited this page Sep 6, 2025
·
1 revision
This guide details the security measures implemented in the Acode AI CLI Assistant Plugin to protect your data and privacy.
The plugin implements robust security measures to ensure your API keys and data remain protected while providing powerful AI-assisted coding capabilities.
All API keys are encrypted using Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM):
async _encrypt(value) {
const key = await this._importKey(this.secret);
const iv = crypto.getRandomValues(new Uint8Array(12)); // Initialization vector
const encrypted = await crypto.subtle.encrypt(
{
name: "AES-GCM",
iv: iv
},
key,
this._encode(value)
);
return { iv, encrypted };
}- Confidentiality: Data is encrypted and unreadable without the key
- Integrity: GCM mode provides authentication to detect tampering
- Performance: Efficient encryption suitable for mobile devices
Your passphrase is processed through PBKDF2 (Password-Based Key Derivation Function 2) with 100,000 iterations:
async _importKey(secret) {
const keyMaterial = await crypto.subtle.importKey(
"raw",
this._encode(secret),
{ name: "PBKDF2" },
false,
["deriveKey"]
);
const key = await crypto.subtle.deriveKey(
{
name: "PBKDF2",
salt: this._encode("salt"),
iterations: 100000,
hash: "SHA-256"
},
keyMaterial,
{ name: "AES-GCM", length: 256 },
true,
["encrypt", "decrypt"]
);
return key;
}- Strong Derivation: 100,000 iterations make brute-force attacks difficult
- Salt Usage: Random salt prevents rainbow table attacks
- SHA-256 Hashing: Cryptographically secure hashing algorithm
Encrypted API keys are stored in Acode's local storage with provider-specific keys:
// Save encrypted key
localStorage.setItem(provider, JSON.stringify(storageValue));
// Retrieve encrypted key
const storageValue = localStorage.getItem(provider);- Scoped Storage: Keys are isolated from other plugins
- No Plain Text: Keys are never stored without encryption
- Provider Separation: Each provider has its own storage key
Stored data includes both the encrypted key and initialization vector:
const storageValue = {
iv: Array.from(iv), // Initialization vector
encrypted: Array.from(new Uint8Array(encrypted)) // Encrypted data
};All API communications are enforced over HTTPS:
// Example API call
const response = await fetch("https://api.openai.com/v1/models", {
headers: {
Authorization: `Bearer ${apiKey}`,
"Content-Type": "application/json"
}
});- Data Encryption: All data in transit is encrypted
- Server Authentication: Ensures you're communicating with the real provider
- Integrity Protection: Prevents data modification during transmission
API requests use secure headers to prevent information leakage:
headers: {
Authorization: `Bearer ${apiKey}`, // Secure authorization
"Content-Type": "application/json" // Proper content type
}Sensitive data is handled carefully in memory:
// Secure text encoding/decoding
_encode(text) {
const encoder = new TextEncoder();
return encoder.encode(text);
}
_decode(buffer) {
const decoder = new TextDecoder();
return decoder.decode(buffer);
}Conversation history is also protected:
// History items are stored with context
const historyItem = {
prompt: userPrompt,
result: aiResponse
};The plugin collects no usage data or telemetry:
- Zero Tracking: No user behavior monitoring
- Local Processing: All data processing happens locally
- No Analytics: No third-party analytics services
Only necessary data is sent to AI providers:
// Context-aware prompts include only relevant information
const systemPromptWithContext = `AI assistant for Acode editor.
Current: ${currentFileName} (${currentFileExt}) at line ${cursorPos.row + 1}.
Can edit/create/delete files, run terminal commands. Use context in responses.`;All data transmission requires explicit user action:
- Manual Queries: Users must actively send queries
- Code Selection: Only selected code is processed
- Clear Indicators: Visual feedback when AI is processing
Multiple layers of security protect your data:
- Passphrase Protection: User-defined passphrase
- Key Derivation: PBKDF2 processing
- Data Encryption: AES-GCM encryption
- Secure Storage: Local storage isolation
Security measures control access to sensitive data:
- Passphrase Required: For encryption/decryption operations
- Provider Isolation: Each provider's keys are separate
- In-App Only: Keys cannot be accessed outside Acode
Users can manage their encryption passphrase:
// Passphrase is used for all encryption operations
const apiKeyManager = new APIKeyManager(passphrase);- Use a strong, unique passphrase
- Remember your passphrase (it cannot be recovered)
- Change passphrase periodically for enhanced security
The plugin supports key rotation:
// Delete old key
deleteAPIKey(provider) {
localStorage.removeItem(provider);
}
// Save new key
saveAPIKey(provider, apiKey) {
// Encrypts with current passphrase
}The plugin monitors API usage without compromising privacy:
- Token Counting: Tracks token consumption
- Request Logging: Logs request types locally
- Error Reporting: Reports errors without sensitive data
Regular security checks include:
- Encryption Validation: Ensures keys remain encrypted
- Storage Integrity: Verifies local storage protection
- Communication Security: Confirms HTTPS usage
- Wrong Passphrase: Cannot decrypt with incorrect passphrase
- Corrupted Storage: Data storage issues
- Browser Incompatibility: Older browsers may lack crypto support
- LocalStorage Limits: Storage quota exceeded
- Permission Issues: Device storage restrictions
- Data Corruption: Unexpected storage modifications
- Certificate Issues: SSL/TLS problems
- Network Restrictions: Corporate firewall interference
- Provider Changes: API endpoint modifications
To verify security implementation is working:
- Set a passphrase and API key
- Check that key is encrypted in storage
- Verify key can be decrypted with correct passphrase
- Confirm all API communications use HTTPS
- Strong Passphrases: Use complex, memorable passphrases
- Regular Updates: Keep plugin and Acode updated
- Secure Networks: Use trusted WiFi networks for API calls
- Key Management: Rotate API keys periodically
- Code Review: Regular security-focused code reviews
- Dependency Updates: Keep all packages updated
- Encryption Validation: Test encryption/decryption regularly
- Secure Defaults: Implement secure settings by default
- Local AI: Use Ollama for maximum privacy
- Custom Endpoints: Implement private API gateways
- Access Controls: Restrict plugin installation to approved users
- Audit Trails: Monitor plugin usage through Acode logs
If you encounter security issues:
- Check the Common Issues documentation
- Visit our GitHub Issues page
- Join our Discussions community for support
- Home
- Getting Started
- Usage Guides
- Advanced Features
- Developer Docs
- Troubleshooting