Security

vibe includes security features to protect against unauthorized modifications to configuration files.

vibe automatically verifies the integrity of .vibe.toml and .vibe.local.toml files using SHA-256 hashes.

  1. When you run vibe trust, vibe calculates and stores the SHA-256 hash.
  2. When you run vibe start, vibe verifies that the file hasn’t been modified.
  3. If the hash doesn’t match, vibe exits with an error.

First use:
    vibe trust → Store hash → Ready to use

Subsequent use:
    vibe start → Verify hash → ✓ Match → Run hooks
                             → ✗ Mismatch → Error (re-trust required)

Trust information is stored in ~/.config/vibe/settings.json:

    {
      "version": 3,
      "permissions": {
        "allow": [
          {
            "repoId": {
              "remoteUrl": "github.com/user/repo",
              "repoRoot": "/path/to/repo"
            },
            "relativePath": ".vibe.toml",
            "hashes": ["abc123..."]
          }
        ],
        "deny": []
      }
    }

Version 3 uses repository-based trust identification:

  • Trust is shared across all worktrees of the same repository
  • Settings are automatically migrated from v2 to v3 on first load

Disable verification for all repositories:

    {
      "version": 3,
      "skipHashCheck": true,
      "permissions": { "allow": [], "deny": [] }
    }

Disable verification for a specific file:

    {
      "version": 3,
      "permissions": {
        "allow": [
          {
            "repoId": {
              "remoteUrl": "github.com/user/repo",
              "repoRoot": "/path/to/repo"
            },
            "relativePath": ".vibe.toml",
            "hashes": ["abc123..."],
            "skipHashCheck": true
          }
        ],
        "deny": []
      }
    }

vibe stores multiple hashes per file (up to 100), allowing you to switch between branches without re-trusting:

  • Each trusted version’s hash is stored
  • When switching branches, vibe checks against all stored hashes
  • If the current hash matches any stored hash, verification passes

  1. Always review changes before running vibe trust
  2. Don’t skip the hash check in production environments
  3. Keep .vibe.local.toml local - it’s automatically gitignored
  4. Review team changes to .vibe.toml during code review
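
The trust store described above can be audited independently of vibe. The following is an added example, not vibe's own code: it flags entries where verification is disabled through skipHashCheck and files whose current content matches none of the stored hashes. It assumes stored hashes are lowercase hex SHA-256 digests of the raw file bytes; the names sha256_hex, audit and demo are hypothetical.

```python
import hashlib
import os
import tempfile


def sha256_hex(path):
    """Hex SHA-256 of the file's raw bytes (assumed form of stored hashes)."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit(settings):
    """Return (severity, message) findings for a version 3 settings dict."""
    findings = []
    if settings.get("skipHashCheck"):
        findings.append(("high", "verification disabled for all repositories"))
    for entry in settings.get("permissions", {}).get("allow", []):
        root = entry["repoId"]["repoRoot"]
        path = os.path.join(root, entry["relativePath"])
        if entry.get("skipHashCheck"):
            findings.append(("high", f"{path}: verification disabled for this file"))
            continue
        if not os.path.isfile(path):
            findings.append(("info", f"{path}: trusted file not present"))
        elif sha256_hex(path) not in entry.get("hashes", []):
            # Same rule as the page: any one stored hash matching is a pass.
            findings.append(("warn", f"{path}: content matches no trusted hash"))
    return findings


def demo():
    """Constructed sample: audit a trusted file, then again after an edit."""
    root = tempfile.mkdtemp()
    cfg = os.path.join(root, ".vibe.toml")
    with open(cfg, "w") as fh:
        fh.write("# constructed sample content\n")
    settings = {"version": 3, "permissions": {"allow": [{
        "repoId": {"remoteUrl": "github.com/user/repo", "repoRoot": root},
        "relativePath": ".vibe.toml", "hashes": [sha256_hex(cfg)]}], "deny": []}}
    before = audit(settings)
    with open(cfg, "a") as fh:
        fh.write("# edited after trust\n")
    return before, audit(settings), settings


if __name__ == "__main__":
    for severity, message in demo()[1]:
        print(severity, message)
```

To audit a real installation, load ~/.config/vibe/settings.json with json.load and pass the resulting dict to audit.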