Control Tower Lite implements defense-in-depth for localhost multi-agent coordination:
| Layer | Mechanism |
|---|---|
| Authentication | HMAC-SHA256 tokens issued on registration |
| Authorization | Role-based access (architect/worker) |
| Identity | Sender must match authenticated token |
| Content | Blocks tool_use XML, function_call JSON, data: URIs |
| Rate Limiting | 10 messages per minute per peer |
| Network | Localhost only (127.0.0.1) |
This system is designed for localhost-only operation coordinating Claude Code sessions on a single machine. It is NOT designed for deployment on public networks.
- Prompt injection via inter-session messages
- Privilege escalation (worker → architect)
- Identity spoofing between peers
- Message flooding / denial of service
- Data URI / base64 payload injection
- Network-level attacks (system is localhost-only)
- Physical access to the machine
- Compromised Python runtime
If you discover a security issue, please open a GitHub issue with the security label. For sensitive findings, email the repository owner through GitHub's private messaging.
All message content is normalized (NFKC) and scanned for:
<tool_use>/</tool_use>XML tags"function_call"/"tool_calls"JSON patternsdata:*/;base64,URI patterns
Content matching these patterns is rejected with HTTP 400.