← Back to Automac IT
Compliance and Security Review Guide
For IT administrators, security reviewers, and compliance officers evaluating Automac IT for organizational use. Every claim is verified against source code. Repository:
github.com/beautifulplanet/Automac-IT1. Data Flow Overview
User's Windows PC
▼
User Types
Plain English message
Helpdesk Webview
Conversation UI
Tool Executor
Runs PowerShell locally
▼
User Message
Sent as-is (not scrubbed)
PII Scrubber
Raw output → scrubPII() → scrubbed output
▼
Conversation Array
System prompt + user messages + scrubbed tool output
▼
Session Logger
Local .md file (scrubbed)
▼
HTTPS → AI Provider
GitHub Copilot or Anthropic
▼
AI Receives
- System prompt (static)
- User messages (unscrubbed)
- Tool output (scrubbed)
AI Does NOT Receive
- License key
- Session logs
- Telemetry
Key Data Flows
| Data | Source | Scrubbed? | Destination |
|---|
| User typed messages | User keyboard | No | AI provider, local log (scrubbed in log) |
| Tool output (raw) | PowerShell | N/A | User's webview only |
| Tool output (to AI) | Scrubber output | Yes | AI provider |
| Session log entries | All conversation | Yes | Local file only |
| License key | User config | N/A | License server only |
| Extension settings | VS Code settings | N/A | Local only |
2. Threat Model Summary (STRIDE)
Spoofing
- Threat: Malicious tool output injects fake AI responses via bracket patterns.
- Mitigation: Input sanitization strips
[TOOL_CALL:...], [TOOL_RESULT:...], [TOOL_ERROR:...], [USER_DENIED:...], and [LICENSE_REQUIRED:...] from all tool output.
Tampering
- Threat: File operations move/delete unintended files.
- Mitigation: Preview-before-apply, confirmation banners, persistent JSON rollback log, blocked system paths, crash recovery on startup.
- Threat: Session log files tampered with.
- Mitigation: Logs are convenience records, not security evidence. No integrity guarantees claimed.
Repudiation
- Threat: User denies approving a destructive action.
- Mitigation: Session logs record all tool calls with
actionAllowed flag and timestamps. Logs are scrubbed but record the action and decision.
Information Disclosure
- Threat: PII leaks to AI provider via unscrubbed user messages.
- Mitigation: System prompt “NEVER ASK FOR” rule prevents AI from soliciting sensitive data.
detectPII() warns when PII is detected in typed input. Walkthrough educates user.
- Residual risk: User may intentionally or accidentally type PII. This is a design trade-off — scrubbing user input would change message meaning.
Denial of Service
- Threat: AI enters infinite tool-call loop.
- Mitigation:
toolLoopCount counter with configurable limit. Loop triggers forced stop.
Elevation of Privilege
- Threat: AI bypasses tool restrictions via custom PowerShell.
- Mitigation: 40+ blocked command patterns including sub-shell spawning, internet access, user account manipulation, disk formatting, and boot record modification. Protected process and service lists.
3. What the AI Provider Cannot Receive
Identity Information
- Windows username (in paths and standalone)
- Computer hostname
- Domain\account pairs (excluding system accounts)
- Email addresses
- Social Security Numbers
- GUIDs
Network Information
- Private IPv4 addresses (192.168.x.x, 10.x.x.x, 172.16-31.x.x)
- Public IPv4 addresses
- IPv6 addresses
- MAC addresses
Secrets and Credentials
- Bearer tokens
- API key/value pairs (value 8+ characters)
- AWS access keys (AKIA/ASIA prefix)
- Stripe API keys
- GitHub tokens (ghp_, gho_, ghs_, ghu_, ghr_)
- JSON Web Tokens
- Database connection strings
- Azure storage account keys
- PEM-encoded private keys
What Is NOT Scrubbed
- Full legal names (unless matching Windows username)
- Physical/mailing addresses
- Phone numbers
- Medical terminology
- Non-English patterns
- Usernames shorter than 4 characters (only scrubbed in context)
4. Local Logging
Session Logs
| Property | Detail |
|---|
| Format | Markdown files (.md), one per session |
| Location | User-chosen local folder (automacit.sessions.folder setting) |
| Naming | YYYY-MM-DD_ticketId_title.md |
| Content | Timestamp, role, text, tool call details, action approval status |
| Scrubbing | All text passed through scrubPII() before writing |
| Truncation | Tool output truncated to 2,000 characters in logs |
| Network restriction | UNC paths blocked — local drives only |
| Retention | No automatic deletion. User manages their own folder |
| Integrity | No checksums or tamper detection. Convenience records |
Audit Log (v0.9.1)
| Property | Detail |
|---|
| Format | JSON files, one per session |
| Location | %APPDATA%/automac-it/audit/ |
| Content | Timestamp, matched scrub rule name, match count, session ID |
| Does NOT contain | The actual PII value — only that a pattern was matched |
| Retention | Files older than 30 days auto-deleted on startup |
| Purpose | Shows “what was hidden” per session via Safety Helper panel |
5. PII Scrubbing Methodology
Implementation
- Engine: TypeScript regex-based pattern matching (no ML, no external libraries).
- Invocation point:
scrubPII() on all tool output before AI conversation. redact() in SessionLogger on all text before writing to disk.
- Detection-only mode:
detectPII() returns PiiMatch[] without modifying text. Used for user input warnings.
Pattern List
20 static rules + 2–3 dynamic rules (hostname, username, short-username). See Section 3 for the complete categorized list.
Processing Order
Rules are applied sequentially in array order. More specific rules appear first and take priority when patterns overlap.
Performance
- Rules compiled once and cached (lazy initialization).
- Cache reset via
_resetScrubberCache() for test isolation.
- No measurable impact on typical output (< 1ms for output under 10KB).
Known Limitations
- False positives: Version numbers like
10.0.19041 may be partially matched by IPv4 rules. Mitigated by negative lookahead but edge cases remain.
- False negatives: Data not matching any pattern passes through unscrubbed.
- Short usernames: Under 4 characters, only scrubbed in context (
\Ed, @Ed, User: Ed).
- Encoding: UTF-8 strings only. Binary data not handled.
- One-way: Scrubbed text cannot recover original values.
User Controls
- Scrubbing is always on by default.
- Users informed via first-run walkthrough that scrubbing is best-effort.
- Safety Helper panel shows per-session scrub summary.
6. System Prompt Security
Three Modes
| Mode | Capability | When Used |
|---|
| Action | Full tool access, auto-execution | Default mode |
| Guided | Full tool access, asks before every tool | User preference |
| Chat-only | No tools, advice only | User preference |
Hard Rules in All Modes
All three system prompts contain the “NEVER ASK FOR” directive: never ask for passwords, PINs, SSNs, credit card numbers, bank account details, medical information, login credentials, or government-issued ID numbers.
Injection Defense
Tool output is sanitized to remove bracket-pattern state markers before reaching the AI conversation. Blocked: [TOOL_CALL:...], [TOOL_RESULT:...], [TOOL_ERROR:...], [USER_DENIED:...], [LICENSE_REQUIRED:...].
7. Tool Restrictions Summary
Protected Processes (cannot be killed)
System-critical (csrss, lsass, winlogon, services, smss, wininit), display (dwm, explorer), security (msmpeng, securityhealthservice), drivers (nvlddmkm, audiodg), and the extension itself (code, automacservice).
Protected Programs (cannot be uninstalled)
Windows components (Defender, Update, Installer), runtimes (.NET, Visual C++), GPU drivers (NVIDIA, AMD, Intel), audio drivers (Realtek), antivirus products, and Automac IT.
Protected Services (cannot be restarted)
System-critical (lsass, services, rpcss, dcomlaunch), security (windefend, mpssvc), infrastructure (eventlog, cryptsvc, trustedinstaller), and automacservice.
Blocked PowerShell Commands (40+ patterns)
Disk destruction, internet access, user account manipulation, script execution, sub-shell spawning, boot record modification, encoded command injection, and system file deletion. Full list in source code (tools.ts).
File System Restrictions
find_large_files restricted to C:\Users, temp directories, and non-C drives.Remove-Item blocked for \Windows, \System32, \Program Files.Remove-Item -Recurse -Force blocked globally.
8. Deployment Considerations
Network Requirements
- HTTPS to AI provider (GitHub Copilot or Anthropic API) — the only outbound traffic.
- HTTPS to license server — license validation on first activation only.
- No other network access. No telemetry. No update checks.
Local Footprint
- VS Code extension (Marketplace or VSIX).
- Session logs in user-chosen folder.
- Audit logs in
%APPDATA%/automac-it/audit/.
- VS Code globalState for preferences.
- No Windows services. No registry modifications. No startup entries.
Permissions
- Runs with the same permissions as VS Code (typically standard user).
- PowerShell execution policy:
RemoteSigned or Bypass.
- No elevated/admin permissions required for diagnostics.
- Some repair tools (SFC, service restart) may need admin.
Organizational Controls
- Deploy via VSIX with pre-configured settings.
- Session log folder can be pre-set via VS Code settings policy.
- Readiness check gate can enforce minimum score before destructive tools are available.
Verified against Automac IT source code. Last updated: 2026-04-18. Version: v0.9.1