Security
Current security status and roadmap for Wendy and WendyOS
Security Overview
Wendy is currently in early preview. This page describes the current security posture and what's coming next.
Early Preview — Not Production Ready. Wendy does not currently have authentication, encryption, or access control. Do not deploy Wendy on untrusted networks or use it to run sensitive workloads. See below for details and our security roadmap.
Current Status
The early preview is designed for development, learning, and experimentation. To keep the developer experience frictionless during this phase, security controls have not yet been implemented.
What this means today:
| Area | Status |
|---|---|
| SSH access to WendyOS | Open — no authentication required |
| CLI-to-Agent communication | Unauthenticated — any CLI can deploy to any reachable agent |
| Data in transit | Unencrypted |
| Device identity | No secure enrollment or attestation |
| Access control | None — no user roles or project scoping |
Safe Usage Guidelines
Recommended
Home labs, classrooms, hackathons, development desks, private networks, learning and experimentation.
Not Recommended
Public networks, production deployments, sensitive data or workloads, internet-facing devices.
General recommendations:
- Run Wendy devices on a private or isolated network
- Do not expose WendyOS devices directly to the internet
- Do not deploy applications that handle credentials, personal data, or sensitive information
- Treat any device running wendy-agent as accessible to anyone on the same network
Security Roadmap
Production-grade security is actively in development. Here's what's coming:
Project-Scoped Access Control
Granular control over who can deploy what and where. CLI instances and users will be scoped to specific projects and devices, so you can share a network without sharing access.
End-to-End mTLS Encryption
All communication between the Wendy CLI and wendy-agent will be encrypted using mutual TLS. Both sides authenticate each other, which protects against eavesdropping and impersonation.
Secure Device Identity
Devices will go through a secure onboarding process with cryptographic identity, enabling trusted enrollment into fleets and preventing unauthorized devices from joining your infrastructure.
SSH Hardening
WendyOS will ship with key-based SSH authentication and configurable access policies, replacing the current open access.
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly by emailing security@wendylabs.com rather than filing a public issue. We take all reports seriously and will respond promptly.
Stay Updated
Security features will be announced on our blog and in our Discord community. Follow along as we build toward production readiness.