EDDI

https://github.com/labsai/EDDI/blob/main/docs/release-versioning.md

EDDI follows Semantic Versioning (MAJOR.MINOR.PATCH) as documented in docs/release-versioning.md. Supported versions are documented in SECURITY.md: v6.0.x receives active development, v5.6.x receives security fixes only, versions below 5.6 are end-of-life. Docker images are tagged with specific versions (e.g., labsai/eddi:6.0.1) for pinned deployments. The installer includes an 'eddi update' CLI command for easy upgrades. Major version transitions (5.x → 6.x) are documented with migration guidance. The project maintains backward compatibility for JSON configuration formats stored in MongoDB, ensuring existing agent configurations continue to work after upgrades.

https://github.com/labsai/EDDI/issues

https://github.com/labsai/EDDI/blob/main/SECURITY.md

SECURITY.md explicitly states (line 44): "We will credit you in the security advisory unless you prefer to remain anonymous." No external vulnerability reports have been received and resolved in the last 12 months — all security improvements have been internally identified and addressed. If selecting N/A is preferred, this criterion does not apply as there have been no external vulnerability reports to credit.

https://github.com/labsai/EDDI/blob/main/SECURITY.md

SECURITY.md documents a complete vulnerability response process:

1. Reporting channel: security@labs.ai (private email, NOT public GitHub issues)
2. Required information: Description, reproduction steps, impact assessment, optional suggested fix
3. Response timeline: Acknowledgment within 48 hours, initial triage within 7 days, status updates every 14 days, fix release based on severity (critical: ASAP, high: 30 days, medium: 90 days)
4. Coordinated disclosure policy: Private report → acknowledgment → fix development → fix release → security advisory published → reporter may publish
5. Scope: Clearly defines in-scope (core application, MCP, REST API, auth, Docker images, vault, SSRF protection) and out-of-scope (third-party LLM APIs, user config errors, upstream dependency vulns, social engineering, DoS via normal usage)
6. Credit: Reporters credited in security advisory unless they request anonymity
   Additionally, an incident response runbook is maintained at docs/incident-response.md covering GDPR 72-hour, CCPA 45-day, and HIPAA 60-day breach notification requirements.

https://github.com/labsai/EDDI/blob/main/CONTRIBUTING.md#code-style

EDDI identifies and documents its coding standards in CONTRIBUTING.md (Section: Code Style):

• Language: Java 25 with modern features (records, sealed classes, pattern matching)
• Framework: Quarkus + CDI — prefer @Inject over manual instantiation
• Line length: 120 characters max
• Checkstyle: Enforced via checkstyle.xml with rules for naming conventions, import hygiene, coding safety checks (EqualsHashCode, StringLiteralEquality, FallThrough), and modifier ordering
• Formatter: Eclipse-based formatter configuration (eclipse-formatter.xml) with auto-format via 'mvnw formatter:format'
• Architecture rules: No eval(), no ScriptEngine, no @JsonTypeInfo(use=Id.CLASS), stateless ILifecycleTask implementations, URL validation on all external calls
• Commit convention: Conventional Commits format (feat/fix/docs/test/refactor/chore/perf/security)

https://github.com/labsai/EDDI/blob/main/checkstyle.xml

EDDI automatically enforces coding standards through multiple FLOSS tools:

1. Checkstyle (maven-checkstyle-plugin 3.6.0): Runs during the 'validate' phase of every build. Configuration in checkstyle.xml enforces naming conventions (TypeName, MethodName, LocalVariableName, etc.), import hygiene (RedundantImport, UnusedImports), coding safety (EqualsHashCode, StringLiteralEquality, FallThrough, OneStatementPerLine), line length limits (150 chars), and modifier ordering.
2. Eclipse Formatter (formatter-maven-plugin 2.29.0): Auto-formats Java source files according to eclipse-formatter.xml during builds.
3. CodeQL: Runs on every push and PR via GitHub Actions (.github/workflows/codeql.yml) with security-extended queries, catching injection vulnerabilities, hardcoded credentials, and insecure patterns.
4. Maven Enforcer Plugin: Bans specific dependency groups (Jackson 3.x) to prevent accidental introduction of vulnerable transitive dependencies.
5. Trivy: Filesystem security scan on every CI run, blocking CRITICAL and HIGH severity CVEs.

Not applicable. EDDI is a Java application built with Maven. No native binaries are generated in the standard build process. The project compiles Java source to JVM bytecode, which is platform-independent. The optional GraalVM native-image build is handled by the Quarkus framework's native profile, which correctly passes through environment variables per GraalVM's conventions.

Not applicable. EDDI is a Java application. Java bytecode inherently preserves debugging information (line numbers, local variable names) unless explicitly stripped. The Maven compiler configuration includes '-parameters' flag to retain method parameter names at runtime. The JVM provides full stack traces with line numbers by default. Debug information is controlled at runtime via JVM flags (e.g., -g), not at build time.

Not applicable. EDDI is a single-module Maven project (one pom.xml at the root). There are no subdirectory modules, no multi-module reactor builds, and therefore no cross-dependencies between subdirectories. All source code lives under a single src/ directory compiled by a single Maven invocation.

EDDI's build is reproducible within practical limits for a JVM application. The project uses: (1) Maven with a locked dependency tree — all dependency versions are explicitly pinned in pom.xml (no version ranges), and the Quarkus BOM provides transitive dependency alignment. (2) Maven wrapper (mvnw/mvnw.cmd) bundled in the repository ensures the same Maven version across all environments. (3) The CI pipeline (.github/workflows/ci.yml) uses pinned tool versions: Java 25 (OpenJDK distribution), exact GitHub Actions versions pinned by SHA hash. (4) Docker builds use a deterministic Dockerfile with a specific base image. (5) Dependency verification through maven-enforcer-plugin bans unauthorized transitive dependencies. While bit-for-bit identical JARs across different build environments are not guaranteed (due to JVM compilation timestamp non-determinism), the functional output is identical given the same inputs.

https://github.com/labsai/EDDI/blob/main/docs/getting-started.md

EDDI provides multiple standard installation methods:

1. One-command installer: 'curl -fsSL .../install.sh | bash' (Linux/macOS) or 'iwr -useb .../install.ps1 | iex' (Windows) — interactive wizard sets up everything via Docker Compose.
2. Docker: 'docker pull labsai/eddi' + 'docker compose up' — standard Docker conventions.
3. Kubernetes: kubectl apply with Kustomize overlays or Helm charts ('helm install eddi ./helm/eddi').
4. Uninstall: 'docker compose down -v' removes all containers and volumes. The installer creates an 'eddi' CLI wrapper with 'eddi update' and uninstall support.
   All methods use widely-adopted conventions (Docker, Helm, kubectl) that operators are already familiar with.

Not applicable. EDDI is distributed as a Docker container image (labsai/eddi) and does not install files to end-user filesystems. The container's internal file layout follows standard Quarkus/Java conventions. For Kubernetes deployments, Helm charts and Kustomize overlays follow standard Kubernetes resource naming and namespace conventions.

https://github.com/labsai/EDDI/blob/main/CONTRIBUTING.md#development-setup

Developers can set up a complete development environment in under 5 minutes:

1. Clone: 'git clone https://github.com/labsai/EDDI.git'
2. Start MongoDB: 'docker run -d --name mongodb -p 27017:27017 mongo:7' (or let Quarkus Dev Services auto-provision it)
3. Run: './mvnw compile quarkus:dev' — starts with hot-reload, continuous testing, and Dev UI
   No global tool installation required — Maven wrapper (mvnw) is bundled. IDE setup instructions for IntelliJ IDEA and VS Code are documented. The developer quickstart guide (docs/developer-quickstart.md) includes a full walkthrough of creating and testing an agent via the API.

https://github.com/labsai/EDDI/blob/main/pom.xml

All external dependencies are declared in pom.xml, the standard Maven Project Object Model format. This is a computer-processable XML format that lists every dependency with groupId, artifactId, version, and scope. The Quarkus BOM (Bill of Materials) manages transitive dependency versions. The project also generates a THIRD-PARTY.txt file listing all runtime dependencies and their licenses via the license-maven-plugin (activated with -Plicense-gen).

https://github.com/labsai/EDDI/blob/main/.github/dependabot.yml

EDDI monitors external dependencies through multiple mechanisms:

1. Dependabot (.github/dependabot.yml): Weekly automated dependency update PRs for both Maven dependencies and GitHub Actions versions, with intelligent grouping (Quarkus, LangChain4j, other).
2. Trivy Security Scan (CI job 'trivy-scan'): Runs aquasecurity/trivy-action on every push, scanning the filesystem for CRITICAL and HIGH severity CVEs with exit-code 1 (fails the build).
3. GitHub Dependency Review (.github/workflows/dependency-review.yml): Blocks PRs that introduce vulnerable or incompatibly-licensed dependencies.
4. Maven Enforcer Plugin: Bans known-vulnerable dependency groups (e.g., Jackson 3.x tools.jackson.* namespace blocked due to CVE-2026-29062).
5. Manual CVE overrides in pom.xml: Dependencies are explicitly overridden when upstream fixes are not yet available (e.g., jinjava pinned to 2.8.3 for CVE-2026-25526, reactor-netty-http pinned to 1.2.8 for CVE-2025-22227).

EDDI uses Maven's standard dependency management which makes updating components straightforward: change the version number in pom.xml, run 'mvnw clean verify' to validate compatibility, and commit. The Quarkus BOM manages the majority of transitive dependencies, so a single version bump updates dozens of aligned libraries. Dependabot automatically proposes version updates weekly via pull requests. No convenience copies of external libraries exist — all dependencies are fetched from Maven Central.

EDDI actively avoids deprecated APIs:

• Java 25 (latest): Uses modern language features (records, sealed classes, pattern matching, virtual threads).
• Quarkus 3.34.3 (latest LTS): Current framework version, actively tracking LTS releases.
• LangChain4j 1.13.0 (latest): Current LLM integration library.
• Migration from deprecated APIs is tracked: OGNL was replaced with PathNavigator, Infinispan was replaced with Caffeine, MongoDB async driver was replaced with sync driver, Lombok was removed in favor of native Java records.
• The project has no Nashorn/Rhino usage in production (only in test scope for calculator validation).

The CI/CD pipeline (.github/workflows/ci.yml) runs automated tests on every push to main, every pull request, and every tag:

• Job 'build-and-test': Executes 'mvnw clean verify -DskipITs' — runs all unit tests (~4,900+) with JaCoCo code coverage reporting. Results are uploaded as artifacts.
• Job 'integration-test': Executes 'mvnw verify -DskipITs=false' — runs integration tests using Testcontainers (Docker-based MongoDB/PostgreSQL) for end-to-end API contract testing (~250+ integration tests).
• Job 'smoke-test': After Docker build, starts the container image with MongoDB and verifies /q/health/ready and /openapi endpoints respond correctly.
  Test results and coverage reports are uploaded as build artifacts with 14-day retention.

EDDI's contribution guidelines (CONTRIBUTING.md) explicitly mandate: "Write tests — new features require tests; bug fixes should include a regression test." This policy is enforced through code review on all pull requests. The project maintains 4,900+ unit tests and 250+ integration tests. Recent bug fixes demonstrably include regression tests — for example: UrlValidationUtilsExtendedTest covers SSRF bypass attempts, SlackChannelRouterTest covers routing edge cases, and PostgresAgentUseCaseIT covers database-specific regressions. The CI pipeline must pass before any PR can be merged, ensuring regression tests are validated automatically.

Statement (instruction) coverage is 80.64% (97,856/121,356), measured by JaCoCo across merged unit + integration test suites. Coverage is enforced in CI via a JaCoCo verify goal with an 80% minimum threshold — builds fail if coverage drops below. See PR with coverage report: https://github.com/labsai/EDDI/pull/427

https://github.com/labsai/EDDI/blob/main/CONTRIBUTING.md#pull-request-process

CONTRIBUTING.md contains a formal written policy requiring tests for new functionality. Under "Pull Request Process → Workflow" (step 3): "Write tests — new features require tests; bug fixes should include a regression test." Under "What the CI Checks," the Build + Tests gate ('mvnw clean verify' with Java 25) is marked as "✅ Yes" (must pass). JaCoCo code coverage is reported on every build. Additionally, AGENTS.md (the AI coding assistant instruction file, which governs all development sessions) mandates: "Each commit must build: Run ./mvnw test before committing. Never commit broken code."

https://github.com/labsai/EDDI/blob/main/CONTRIBUTING.md#pull-request-process

The documented instructions for change proposals (CONTRIBUTING.md) explicitly include the testing policy:

1. Pull Request Process step 3: "Write tests — new features require tests; bug fixes should include a regression test"
2. Pull Request Process step 4: "Run the full build locally: ./mvnw clean verify -DskipITs"
3. PR Guidelines: "One concern per PR — don't mix refactoring with features"
4. CI Checks table documents required gates: Build + Tests (✅ must pass), JaCoCo (📊 report), CodeQL (✅ must pass)
   The pull request template (.github/PULL_REQUEST_TEMPLATE.md) also includes a checklist for test verification.

EDDI enforces maximally strict warning policies through multiple layers:

1. Checkstyle (FLOSS static analysis): Runs automatically during the Maven 'validate' phase on every build. The configuration (checkstyle.xml) enforces 20+ rules including naming conventions, import hygiene, coding safety checks (EqualsHashCode, SimplifyBooleanExpression, StringLiteralEquality, FallThrough, OneStatementPerLine, MultipleVariableDeclarations), modifier ordering, line length, and file length limits.

2. CodeQL (FLOSS semantic analysis): Runs on every push and PR with 'security-extended' query suite, which is the most comprehensive FLOSS security analysis available for Java. It detects injection vulnerabilities, hardcoded credentials, insecure cryptography, and data flow issues.

3. Trivy (FLOSS vulnerability scanner): Scans the entire filesystem on every CI run with severity filter CRITICAL,HIGH and exit-code 1, meaning the build fails on any high-severity CVE.

4. Maven Enforcer Plugin: Actively bans known-vulnerable dependency groups (Jackson 3.x) from the dependency tree, preventing silent reintroduction via transitive dependencies.

5. Java compiler: Configured with '-parameters' flag for maximum runtime reflection metadata. While explicit -Xlint flags are not configured, the Quarkus framework's compiler settings are used which enable standard Java warnings.

6. JaCoCo coverage gate: The build fails if line coverage drops below 80%, ensuring test coverage cannot regress silently.

The project treats compiler warnings and static analysis findings as actionable items — recent work sessions specifically addressed CodeQL log-injection warnings, unused imports, and type-safety issues across the codebase.

EDDI implements secure design principles as a core architectural pillar (docs/project-philosophy.md, Pillar 4: "Security & Compliance as Architecture, Not Afterthought"):

1. Defense in depth: Multiple independent security layers — SSRF URL validation, sandboxed expression evaluation, rate-limited tool execution, input validation, TLS encryption, Keycloak authentication, and security headers (X-Content-Type-Options, X-Frame-Options, Content-Security-Policy).

2. Least privilege: OAuth 2.0 role-based access control (admin/editor/viewer roles via Keycloak). Production conversation endpoints are public; all management APIs require authentication. The SafeHttpClient validates URLs before any outbound request, blocking private IPs, link-local addresses, and cloud metadata endpoints.

3. No dynamic code execution: This is architecturally enforced — there is no eval(), no ScriptEngine, no reflection-based code execution in production code. Math expressions use a recursive-descent SafeMathParser that recognizes only numeric literals and a fixed function allowlist. Custom logic runs in external MCP servers outside the EDDI security perimeter.

4. Secure defaults: Authentication enforcement is checked at startup (AuthStartupGuard fails startup if OIDC is disabled in production without explicit opt-out). Secrets are envelope-encrypted (PBKDF2 + AES-256-GCM) by default. Agent exports automatically scrub secrets. Tool rate limiting and cost tracking are enabled by default.

5. Fail securely: The ConversationCoordinator ensures sequential processing per conversation to prevent race conditions. Queue capacity exhaustion returns HTTP 429 (not 500). Failed pipeline task output is marked as uncommitted (hidden from LLM context) via the Memory Policy commit flags system.

6. Input validation (allowlist): UrlValidationUtils validates all URLs against an allowlist of allowed schemes (http/https only), blocks private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, fd00::/8, fe80::/10, ::1), and blocks cloud metadata hostnames (169.254.169.254, metadata.google.internal).

7. Separation of concerns: Secrets are stored separately from configuration via vault references (${eddivault:key-name}). API keys never appear in agent configurations in plaintext.

EDDI's cryptographic mechanisms do not depend on algorithms with known serious weaknesses:

1. Secrets Vault: Uses AES-256-GCM for data encryption (symmetric, authenticated encryption with associated data). Key derivation uses PBKDF2WithHmacSHA256 with per-deployment random salt and configurable iteration count. Each secret gets a unique Data Encryption Key (DEK) wrapped by a Key Encryption Key (KEK) derived from the master passphrase — envelope encryption pattern.

2. Audit Ledger: Uses HMAC-SHA256 for tamper-evident audit chain integrity. Each audit entry includes the HMAC of the previous entry, creating a hash chain.

3. Agent Signing: Uses Ed25519 (Curve25519) for cryptographic agent identity — digital signatures on audit entries.

4. Password hashing: Delegated to Keycloak, which defaults to bcrypt with configurable work factor.

5. TLS: Java 25's built-in TLS implementation defaults to TLS 1.3 / TLS 1.2 minimum. No manual cipher suite configuration that could downgrade security.

No usage of SHA-1 for security purposes, no MD5, no DES, no RC4, no CBC mode in SSH, no ECB mode for encryption. SHA-256 is used for tool caching keys (non-security context) and HMAC chains (security context).

EDDI supports cryptographic algorithm agility at the infrastructure level:

1. Vault encryption: While AES-256-GCM is the current default, the VaultSaltManager architecture separates key derivation from encryption, allowing algorithm substitution without changing the data model.
2. TLS: Handled by the JVM's TLS implementation which supports multiple cipher suites including TLS 1.3 suites (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256) and TLS 1.2 suites. Cipher suite selection is configurable via standard Quarkus/JVM properties.
3. HMAC: The audit ledger's HMAC algorithm is implemented via Java's Mac class, which supports HmacSHA256, HmacSHA384, HmacSHA512, and others — switchable by configuration.
4. Agent signing: Ed25519 keys are generated via Java's KeyPairGenerator, which also supports RSA, EC, and other algorithms.

https://github.com/labsai/EDDI/blob/main/docs/secrets-vault.md

EDDI enforces strict separation of credentials from other information:

1. Secrets Vault: All sensitive credentials (API keys, tokens, passwords) are stored in an envelope-encrypted vault separate from configuration. Agent configurations reference secrets via vault references ${eddivault:key-name}) which are resolved at runtime.
2. Environment variables: Runtime configuration (database URLs, Keycloak endpoints) is externalized via environment variables and .env files, not compiled into the application.
3. No recompilation needed: All credentials can be updated at runtime — vault entries via REST API, environment variables via container restart, Keycloak credentials via Keycloak admin UI.
4. Export sanitization: When agents are exported (ZIP or sync), secrets are automatically scrubbed from the export payload. The importing instance must re-provision secrets in its own vault.
5. CI/CD secrets: GitHub Actions secrets (DOCKER_USERNAME, DOCKER_PASSWORD, REDHAT_API_TOKEN) are stored in GitHub's encrypted secrets store, separate from source code.

https://github.com/labsai/EDDI/blob/main/docs/security.md#tls-requirements

EDDI supports and encourages secure protocols for all network communications:

1. External API calls: All LLM provider integrations (OpenAI, Anthropic, Google, Azure, AWS, etc.) use HTTPS exclusively. UrlValidationUtils blocks non-HTTP/HTTPS schemes (file://, ftp://, gopher://, jar://).
2. TLS termination: The docs/security.md TLS Requirements section documents both reverse-proxy TLS termination (recommended production pattern) and direct Quarkus TLS configuration via quarkus.http.ssl.* properties.
3. Database connections: MongoDB and PostgreSQL connection strings support TLS natively. The compliance documentation (docs/hipaa-compliance.md) requires encrypted database connections for regulated deployments.
4. No insecure protocols enabled by default: HTTP is the only unencrypted protocol available, intended for localhost development or behind a TLS-terminating reverse proxy. FTP, telnet, and other insecure protocols are not supported.

EDDI runs on Java 25, which defaults to TLS 1.3 and supports TLS 1.2 as a minimum. The Quarkus framework (3.34.3) uses the JVM's built-in TLS implementation via Vert.x/Netty, which enforces TLS 1.2+ by default. TLS 1.0 and TLS 1.1 are disabled in modern JVMs. No configuration in the project downgrades the minimum TLS version. For outbound connections to LLM providers, Java's HttpClient defaults to TLS 1.3 with TLS 1.2 fallback.

EDDI performs TLS certificate verification by default on all outbound HTTPS connections. Java's built-in HttpClient (used for LLM API calls via langchain4j) and the Vert.x web client (used for HTTP call extensions) both verify server certificates against the JVM's default trust store (cacerts) by default. No 'trustAll', 'disableHostnameVerification', or 'InsecureTrustManagerFactory' configuration exists in the codebase. The SafeHttpClient wrapper adds additional validation (redirect following, URL re-validation) but does not bypass certificate verification.

Java's HttpClient and Vert.x web client both complete the TLS handshake (including certificate verification) before sending any HTTP headers or request bodies. This is inherent to the TLS protocol implementation in the JVM — application data (including HTTP headers with cookies, authorization tokens, and other private information) is only transmitted after the TLS connection is established and the server certificate is verified. EDDI does not implement custom TLS handling that could bypass this ordering.

All Docker image releases from v6.0.2 onward (April 2026+) are cryptographically signed using Sigstore cosign with keyless OIDC signing in GitHub Actions CI. Signatures are stored as OCI artifacts alongside the image on Docker Hub and recorded in the Rekor public transparency log. No private signing keys exist on the distribution site — signing uses ephemeral certificates issued by Fulcio via GitHub Actions OIDC identity. Users verify with: cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp https://github.com/labsai/EDDI/.github/workflows/ci.yml labsai/eddi:<tag>. See: https://github.com/labsai/EDDI/blob/main/docs/release-signing.md

Release process documents that important version tags should be created with git tag -s. From v6.0.2 onward, the primary release integrity guarantee is provided by Sigstore cosign keyless signing of Docker images in CI, which cryptographically binds every release to the specific GitHub Actions workflow that built it. See: https://github.com/labsai/EDDI/blob/main/docs/release-signing.md and https://github.com/labsai/EDDI/blob/main/docs/release-versioning.md#release-signing

https://github.com/labsai/EDDI/blob/main/docs/security.md

EDDI validates inputs from untrusted sources using allowlist approaches:

1. URL validation (UrlValidationUtils): All URLs from LLM tool arguments are validated against an allowlist of permitted schemes (http, https only), with blocklists for private IP ranges, cloud metadata endpoints, and internal hostnames. Validation occurs BEFORE any network request.
2. Math expression evaluation (SafeMathParser): A recursive-descent parser that accepts only numeric literals, a fixed set of arithmetic operators, and an allowlisted set of math functions (sqrt, sin, cos, etc.). Anything not in the grammar is rejected with a parse error.
3. JSON schema validation: Input configurations are validated against expected schemas.
4. Path traversal prevention: PathNavigator (replacing OGNL) uses a safe property path traversal mechanism that prevents arbitrary object graph navigation.
5. OGNL/ScriptEngine elimination: All dynamic expression evaluation engines have been removed from the codebase and replaced with safe alternatives.
6. Content-Type strict matching: HttpCallExecutor uses strict equals() (not startsWith) for Content-Type checking to prevent type confusion attacks.

EDDI implements multiple hardening mechanisms:

1. Security headers: X-Content-Type-Options (nosniff), X-Frame-Options (DENY), Content-Security-Policy configured out of the box via Quarkus HTTP filter.
2. SSRF protection: SafeHttpClient wraps all outbound HTTP calls with URL re-validation after redirects, preventing SSRF via redirect chains.
3. Rate limiting: Token-bucket rate limiter on all LLM tool calls prevents resource exhaustion.
4. Cost tracking: Per-conversation and per-tenant budget caps prevent runaway LLM costs.
5. Queue capacity management: ConversationCoordinator throws RejectedExecutionException (HTTP 429) when queue capacity is exhausted, preventing unbounded resource consumption.
6. Log injection protection: All user-provided values in log statements are sanitized to prevent log forging.
7. Dependency banning: Maven Enforcer Plugin blocklists known-vulnerable dependency groups.
8. Startup guards: AuthStartupGuard fails startup if production runs without authentication. ComplianceStartupChecks warns about missing TLS and database encryption.
9. No dynamic code execution: Architecturally eliminated — no eval(), no ScriptEngine, no reflection-based execution.
10. Memory safety: Java provides automatic memory management (garbage collection) and bounds checking, eliminating buffer overflow and use-after-free vulnerabilities.

https://github.com/labsai/EDDI/blob/main/docs/security-assurance-case.md

EDDI provides a comprehensive security assurance case in docs/security-assurance-case.md that addresses:

1. Trust boundary architecture: 5 clearly defined boundaries with ASCII diagram — Authentication Boundary (Keycloak OIDC, AuthStartupGuard), Application Boundary (REST layer, input validation, rate limiting), Pipeline Sandbox Boundary (ILifecycleTask pipeline, SafeMathParser, PathNavigator, UrlValidationUtils), Persistence Boundary (MongoDB/PostgreSQL, Secrets Vault with envelope encryption, tamper-evident Audit Ledger), External Call Boundary (SafeHttpClient, SSRF guard, redirect re-validation).
2. Threat model: 8 specific threats with mapped countermeasures — prompt injection → SSRF (UrlValidationUtils + SafeHttpClient), code injection (no eval/ScriptEngine, SafeMathParser), secret exfiltration (envelope encryption, export scrubbing), cross-tenant leakage (data-layer tenant isolation, memory visibility enforcement), log injection (sanitized output, CodeQL CWE-117), supply chain attacks (Dependabot + Trivy + Maven Enforcer + SHA-pinned Actions), authentication bypass (AuthStartupGuard startup check), resource exhaustion (rate limiting + cost tracking + queue capacity limits).
3. Cryptographic design table: AES-256-GCM (vault), PBKDF2WithHmacSHA256 600K iterations (key derivation), HMAC-SHA256 (audit chain), Ed25519 (agent signing). No weak algorithms (no SHA-1, MD5, DES, RC4, ECB, CBC in security paths).
4. CWE countermeasure matrix: 10 CWEs mapped to specific implementations (CWE-918, CWE-94, CWE-200, CWE-117, CWE-400, CWE-502, CWE-326, CWE-798, CWE-306, CWE-862).
5. Compliance alignment: EU AI Act (audit ledger), GDPR (cascading erasure), CCPA (data subject requests), HIPAA (encryption at rest/transit).
6. Secure development practices: Static analysis (CodeQL security-extended, Trivy, Checkstyle, Maven Enforcer, Dependency Review), testing (2,400+ unit tests, 250+ integration tests, security-specific test suites), CI/CD security (SHA-pinned Actions, Docker Hub org secrets, preflight certification).

https://github.com/labsai/EDDI/blob/main/.github/workflows/ci.yml

EDDI uses multiple FLOSS static analysis tools that look for common vulnerabilities:

1. CodeQL (GitHub's semantic code analysis engine, FLOSS): Runs on every push and pull request via .github/workflows/codeql.yml (also embedded in ci.yml as job 'codeql'). Configured with the 'security-extended' query suite — the most comprehensive security analysis pack available for Java. This detects: SQL injection, command injection, path traversal, XSS, hardcoded credentials, insecure cryptography, log injection (CWE-117), SSRF, deserialization vulnerabilities, and data flow analysis for taint tracking. Results are uploaded to GitHub Security tab.

2. Trivy (Aqua Security, FLOSS): Runs as CI job 'trivy-scan' using aquasecurity/trivy-action. Performs filesystem scanning for known CVEs in dependencies, with CRITICAL and HIGH severity filter and exit-code 1 (build-breaking). Complementary to CodeQL — Trivy focuses on dependency CVEs while CodeQL focuses on source code patterns.

3. Checkstyle (FLOSS): While primarily a style checker, several rules have security implications: EqualsHashCode prevents subtle equality bugs, StringLiteralEquality prevents == vs .equals() errors, FallThrough prevents accidental switch fallthrough.

4. GitHub Dependency Review (.github/workflows/dependency-review.yml): Blocks pull requests that introduce dependencies with known vulnerabilities or incompatible licenses.

Recent actions taken based on static analysis findings: CodeQL log-injection warnings in ConversationCoordinator classes were addressed by sanitizing all user-provided values in log statements. Trivy findings led to explicit CVE override pins in pom.xml (jinjava for CVE-2026-25526, reactor-netty-http for CVE-2025-22227).

Not applicable. EDDI is written entirely in Java, which is a memory-safe language. Java provides automatic memory management through garbage collection, bounds checking on all array and buffer accesses, and type safety enforcement through the JVM. There is no C, C++, or other memory-unsafe language code in the project. The Java runtime prevents buffer overflows, use-after-free, double-free, and other memory safety vulnerabilities at the language level.