Security model
Cascade’s design relies on a small set of invariants. Each one is a non-goal of the system. If any of them is violated, that’s a security bug.
Invariants
| Invariant | Why it matters |
|---|---|
| Cascade never merges PRs | A human always approves the final change. Cascade does not have merge permissions on any repo. |
| Cascade only writes to paths in paths.allowed | Limits the blast radius if generated code is wrong. Deny rules in paths.disallowed always override. |
| Cascade never modifies .github/, cascade.yaml, or team-memory/ | The agent cannot modify its own configuration or the project’s CI. |
| Cascade only runs the configured test_command and git | No arbitrary shell access. The agent cannot exfiltrate or download arbitrary tools. |
| Source code, transcripts, and recordings never leave your machine and your configured LLM provider | No telemetry, no analytics pings, no third-party uploads. |
| Credentials at ~/.config/cascade/config.yaml are stored mode 0600 | World-readable credentials would be a serious leak. |
| Cascade never reads files outside the repo root and the explicit transcripts/ directory | The agent’s view of your filesystem is bounded. |
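
The write-path invariants in the table above, sketched as an added example (this is not Cascade's own code). It assumes paths.allowed and paths.disallowed hold shell-style glob patterns, which this page does not specify; write_decision, the sample policy, and the sample paths are hypothetical.

```python
import fnmatch
import posixpath

# Paths the page says Cascade never modifies, regardless of configuration.
PROTECTED = (".github", "cascade.yaml", "team-memory")


def normalize(rel_path):
    """Return a clean repo-relative POSIX path, or None if it escapes the repo root."""
    if rel_path.startswith("/") or "\\" in rel_path:
        return None
    clean = posixpath.normpath(rel_path)  # collapses "a/../b" and "./"
    if clean in (".", "..") or clean.startswith("../"):
        return None
    return clean


def matches(path, patterns):
    # Assumption: patterns are shell-style globs; with fnmatch, "*" also crosses "/".
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def write_decision(rel_path, allowed, disallowed):
    """Return (permitted, reason) for one proposed write."""
    path = normalize(rel_path)
    if path is None:
        return False, "outside repo root"
    if any(path == p or path.startswith(p + "/") for p in PROTECTED):
        return False, "protected path"
    if matches(path, disallowed):  # deny rules are checked first, so they always override
        return False, "matched paths.disallowed"
    if matches(path, allowed):
        return True, "matched paths.allowed"
    return False, "not in paths.allowed"  # default deny


# Constructed sample policy and proposed writes.
ALLOWED = ["src/*", "tests/*"]
DISALLOWED = ["src/secrets/*", "*.pem"]
SAMPLE_WRITES = ["src/app/main.py", "src/secrets/token.txt", "tests/key.pem",
                 "src/../.github/workflows/ci.yml", "../outside.txt", "docs/readme.md"]

if __name__ == "__main__":
    for p in SAMPLE_WRITES:
        print(p, write_decision(p, ALLOWED, DISALLOWED))
```

The check is purely lexical: it normalizes ".." segments before matching but does not resolve symlinks, so a real enforcement point would also compare the resolved path against the repo root.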
Where your data goes
| Data type | Destination |
|---|---|
| Source code, file contents | Your configured LLM provider only. |
| Meeting audio | Stays local with local-whisper or faster-whisper. Goes to OpenAI Whisper API only if you opt into the openai-api backend. |
| Transcripts and extracted stories | Local filesystem. Sent to your configured LLM provider for downstream stages. |
| Credentials | Local filesystem only. Never sent over the network except by the SDK you’ve configured (e.g., the Anthropic SDK sending your API key in its Authorization header). |
| Cascade telemetry | None. Cascade does not phone home. |
What Cascade cannot prevent
- An LLM provider you configure could log, fine-tune on, or store the prompts you send it. That’s a property of your LLM provider, not Cascade. Read your provider’s privacy terms.
- A poorly-written cascade.yaml could allow Cascade to write to sensitive paths. Review your paths.allowed list carefully.
- A human approver could merge a bad PR. Cascade generates the change; the human still has to review it.
Reporting a vulnerability
If you find a way to violate any invariant on this page, that’s a security issue. Email security@thinknextsoftware.com with:
- A description
- Reproduction steps
- Impact assessment
You’ll get acknowledgment within 2 business days and a remediation timeline within 5.
See the SECURITY.md file in the main repo for the full policy.