| Version | Supported |
|---|---|
| 1.0.x | Yes |
Email security issues to your organization's security contact (replace before public launch).
Please include:
- Description and impact
- Steps to reproduce
- Affected version / commit
Do not open public GitHub issues for undisclosed vulnerabilities.

- API key authentication on all business endpoints
- Path jail on the `read_file` agent tool (blocks `../` traversal)
- GitHub webhook HMAC-SHA256 verification
- Rate limiting on ingest, chat, and webhooks
- Secret masking in indexed chunks
- Production validation for `API_KEY` and `GITHUB_WEBHOOK_SECRET`
- Optional `/metrics` protection in production
- GDPR purge API: `DELETE /platform/repos/{repo_id}`
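Two of the controls listed above, webhook signature verification and the path jail, are the ones most often implemented incorrectly, so here is an added example (not the project's own code) showing how each check should look. The function names, the jail root and the sample secret and body are assumptions for illustration; the header format follows GitHub's documented `X-Hub-Signature-256: sha256=<hex>` convention.

```python
"""Added example, not the project's code: webhook HMAC-SHA256 verification and a
path jail for a file-reading tool. Function names and sample values are assumed."""
import hashlib
import hmac
import os
from typing import Optional


def sign_github_body(secret: bytes, body: bytes) -> str:
    """Produce the value GitHub puts in X-Hub-Signature-256 for `body`.

    Used here only so the verifier can be exercised end to end (sender side)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Return True only if `header` is a valid X-Hub-Signature-256 for `body`.

    The MAC is computed over the raw request body (not a re-serialised JSON
    object), and compared with hmac.compare_digest so that the time taken does
    not leak how many leading bytes of the digest matched."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header[len("sha256="):])


def resolve_in_jail(root: str, requested: str) -> Optional[str]:
    """Resolve `requested` relative to `root`; return None if it escapes the jail.

    Rejecting the literal substring ".." is not enough: an absolute path, a
    symlink inside the jail, or "src/../../other" all need to be resolved first.
    realpath is applied to both sides and containment is checked with
    commonpath rather than a string-prefix test, which would let "/srv/repo2"
    pass a root of "/srv/repo"."""
    root_real = os.path.realpath(root)
    # os.path.join discards `root` when `requested` is absolute, so an absolute
    # request is treated as repo-relative by stripping leading separators.
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/\\")))
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # paths on different drives (Windows) share no prefix
        return None
    return candidate


if __name__ == "__main__":
    secret = b"constructed-example-secret"        # constructed sample value
    body = b'{"ref":"refs/heads/main"}'           # constructed sample payload
    header = sign_github_body(secret, body)
    print("valid signature accepted:", verify_github_signature(secret, body, header))
    print("tampered body rejected:", not verify_github_signature(secret, body + b" ", header))
    print("in-jail path:", resolve_in_jail("/srv/repo", "src/main.py"))
    print("traversal attempt:", resolve_in_jail("/srv/repo", "../etc/passwd"))
```

Both checks fail closed: a missing or malformed header is rejected before any MAC is computed, and a path that resolves anywhere outside the jail root returns `None` rather than a partially sanitised path.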

- Set `ENVIRONMENT=production`
- Use a strong `API_KEY` (24+ characters) or per-org keys via `POST /platform/api-keys`
- Set `GITHUB_WEBHOOK_SECRET`
- Do not expose Redis/Chroma ports publicly
- Terminate TLS at a reverse proxy (nginx, Caddy, cloud LB)
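As an added example (not the project's own code), the following startup check enforces the first three checklist items in the way the "production validation" feature above describes: when `ENVIRONMENT=production`, the service refuses to start with a short `API_KEY` or an unset `GITHUB_WEBHOOK_SECRET`. The variable names and the 24-character minimum come from this page; the function name is an assumption.

```python
"""Added example, not the project's code: fail-closed validation of the
production settings named in the checklist."""
import os
from typing import List, Mapping

MIN_API_KEY_LEN = 24  # the page's stated minimum


def validate_production_settings(env: Mapping[str, str]) -> List[str]:
    """Return a list of configuration problems; an empty list means safe to start.

    The checks apply only when ENVIRONMENT=production so local development
    with a missing or throwaway secret is not blocked. Whitespace-only values
    count as unset, since they are a common result of a mis-edited .env file."""
    problems: List[str] = []
    if env.get("ENVIRONMENT", "").strip() != "production":
        return problems
    api_key = env.get("API_KEY", "").strip()
    if len(api_key) < MIN_API_KEY_LEN:
        problems.append(f"API_KEY must be at least {MIN_API_KEY_LEN} characters")
    if not env.get("GITHUB_WEBHOOK_SECRET", "").strip():
        problems.append("GITHUB_WEBHOOK_SECRET must be set so webhook signatures can be verified")
    return problems


if __name__ == "__main__":
    issues = validate_production_settings(os.environ)
    if issues:
        raise SystemExit("refusing to start:\n  " + "\n  ".join(issues))
    print("production settings OK")
```

Call it once at process start, before binding any listener, so a misconfigured deployment never serves a request.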